[cap-talk] David Wagner's Google techtalk is now up!

David Wagner daw at cs.berkeley.edu
Wed Dec 12 12:22:57 EST 2007


Mth writes:
>I am a bit new to security models, so sorry if my question seems stupid.
>In his talk David Wagner says that strongly typed systems like Java
>ensure some security.
>But why?
>In what way is a dynamically typed system weaker?

The important thing for security is that Java is strongly typed.
Whether it is statically typed or dynamically typed is less important
for the security objectives under discussion here.
(Strong typechecking can be implemented statically or dynamically.)
In Java, the strong typechecking is what provides encapsulation
(clients can't peek at or tamper with the private data of other
objects) and unforgeability of capabilities (strong typechecking means
that you can't forge a reference out of whole cloth, and since in
our system a capability is just a reference, that's what we need).

There are some second-order reasons why one might prefer static
typing or dynamic typing but to my mind they are secondary compared
to the above considerations.  The object capability paradigm is
compatible with both statically checked and dynamically checked
languages.  Joe-E is an example of the former; E is an example of
the latter.
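
The two properties described above, as an added Java example that is not part of the original post or of Joe-E/E: the class names (`AuditLog`, `Appender`, `Client`, `CapabilityDemo`) and the constructed "guessed address" value are hypothetical. It shows encapsulation enforced statically and forgery attempts refused by the dynamic cast check.

```java
import java.util.ArrayList;
import java.util.List;

/** The only authority a holder of an Appender reference gets. */
interface Appender { void append(String entry); }

/** Full authority over the log. The list is private: encapsulation. */
final class AuditLog {
    private final List<String> entries = new ArrayList<>();

    void append(String e) { entries.add(e); }
    void clear() { entries.clear(); }
    int size() { return entries.size(); }

    /** Attenuated capability: a reference that forwards append() only. */
    Appender appendOnly() { return this::append; }
}

/** Untrusted client: its authority is exactly the references it is handed. */
final class Client {
    static void run(Appender cap, Object guess) {
        cap.append("client was here");
        // cap.clear();                      // compile error: Appender has no clear()
        // new AuditLog().entries.clear();   // compile error: 'entries' is private
        try {
            // Downcasting the facet to the powerful type is checked at run time.
            ((AuditLog) (Object) cap).clear();
        } catch (ClassCastException e) {
            System.out.println("facet is not an AuditLog: cast refused");
        }
        try {
            // A number (constructed "guessed address") cannot become a reference.
            ((AuditLog) guess).clear();
        } catch (ClassCastException e) {
            System.out.println("Long is not an AuditLog: forgery refused");
        }
    }
}

public class CapabilityDemo {
    public static void main(String[] args) {
        AuditLog log = new AuditLog();
        log.append("boot");
        Client.run(log.appendOnly(), Long.valueOf(0x7f00dead0000L));
        System.out.println("entries after client ran: " + log.size());
    }
}
```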

