[cap-talk] Language-based safety - notes and meat)

Jed Donnelley jed at nersc.gov
Mon Nov 15 21:59:53 EST 2004


At 06:21 PM 11/15/2004, Jonathan S. Shapiro wrote:
>Hmm. The part about "breaking the model" seems elusive.

I agree.

>The difficulty I see is that we have to clearly articulate what the
>model actually is. For example, are we talking about breaking the local
>E implementation or are we talking about breaking the distributed trust
>properties?

Well, the part that's clear to me is the focus on the language issues.
That is, as was stated earlier, breaking out of the language-imposed
restrictions on rights.  E.g. reading in data and executing it as native
code on the base machine within the process that E is interpreting
would definitely qualify as "breaking E", though whether model or
implementation is unclear to me.

>Depending on the objective of interest, I can see that either might be
>fair game.

For me it's the local implementation that's of interest.  I know the issues 
with the distributed model.  I believe they've been well known for 
years.  Of course one might argue that the issues with E are not that 
different from those with Java and have had comparable work on them.  Is 
that true?  Is there an equivalent "contest" for breaking Java?

>...if we want to allow attacks on the OS platform,

Definitely not.

>So should we try to nail down what we mean by model here?

Yes.  I see that as the part of this exercise that has the most meaning.
