[cap-talk] Language-based safety - notes and meat)

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Nov 15 22:21:31 EST 2004


> A third "reasonable" test, though not a test of E:
> 
> E assumes that the local platform has been adequately secured 
> by the user (and that doing so is the responsibility of the 
> user). It is implicitly asserted that this is feasible, and 
> MarcS has made arguments that you can strip a Linux system 
> down far enough to succeed. To my knowledge this is untested. 
> Testing this is obviously not an attack on "E The Language", 
> but it *would* be a reasonable attack on "E The Trust Model"
> 
> So should we try to nail down what we mean by model here? And 
> if we want to allow attacks on the OS platform, surely it is 
> reasonable to have someone specify a notionally defensible OS 
> platform that actually exists? Regrettably, I don't think 
> it's reasonable to require EROS at this time...

Darn, Jonathan, I was counting on you to surprise us with an
announcement that you had CapDesk running on EROS so we could run this
exercise for real :-)

Just to be clear, even I think there's a bagful of qualifiers on the
security guarantees you could make for CapDesk on stripped-Linux (which
we actually built and delivered to DARPA, by the way; the DarpaBrowser
Final Report includes an Appendix that describes how to build an E
Language Machine of your own :-). CapDesk on stripped-Linux would be an
incredible leap forward from the usability/security/functionality
integration of both Windows and Linux...and still wouldn't be good
enough to protect us if the cyberwar division of the Chinese army got
the go-ahead to destroy Western civilization. But at least we wouldn't
be patching every day :-)

--marcs
