[cap-talk] Language and/or multi process/IPC security (prev: Windows Vista: security by admonition)

[Ben Laurie]

On 6/7/06, Rob <rmeijer at xs4all.nl> wrote:
> > The reason that memory safety makes it easier to reason about program
> > behavior is that it enables modular reasoning.  Modular reasoning means
> > that can look at part of the program (e.g., the implementation of one
> > module, along with the specification and types for the modules it calls or
> > is called by) and draw some conclusions about how that module will behave,
> > without having to look at the rest of the program.  Modular reasoning is
> > not possible in a non-memory-language, because it is always possible that
> > the part of the code you didn't look at could tamper with the private
> > state (or even modify the running code) of the part you did look at.
>
> As long as OS overhead is within acceptable bounds, modular reasoning
> can easily be moved out of the single process confines imho. If you are
> able to put each module in its own process you will end up with the same
> level of modular confinement as with language based security, the module
> itself could be broken even broken badly, but the modular confinement
> remains exactly the same.
>
> I believe both multi process and language based methods have their
> advantages and their price:
>
> * Language based security limits the number of (often very expresive)
>   languages that can be used and limits the reuse of old proven codebases.
>   It also limits the posibilities of getting critical (and static) modules
>   formaly certified and keeping them certified across multiple incarnations
>   of the overall system.
> * multi process/ipc based security ads high OS overhead when modularity
>   is caried to its full extend, or ads the described integrity validation
>   problems when modules (processes) are allowed to have a relative high
>   level of complexity.
>
> I am not claiming that multi process/ipc based security is better than
> language based security. but even if I would agree that language based
> security would always be superiour, I believe that it is and remains in
> any case a second to the point of capability security of either IPC or
> language.

This seems to me to neglect the programmer. It seems to me that
language based security is far more likely to make the programmer's
life easy, and therefore makes it far more likely that the security
mechanisms will actually be used.