[cap-talk] Horton at HotSec '07: How broadly object/capability?
Sandro Magi
smagi at higherlogics.com
Mon Jul 9 09:25:51 EDT 2007
Ivan Krstić wrote:
>> The argument will of course be made that certifying
>> software is a viable alternative.
>
> That position is pretty stupid, I think, and amounts to sticking
> one's head in the sand. We're already seeing certified malware for
> mobile platforms in the wild. Right now.
"Certification" has many meanings. The certification you refer to is
indeed flawed. The kind of certification I had thought Jed was referring
to when I first read the above was a form of proof-carrying code where
the safety properties of a program are verified by a proof that
accompanies the binary, i.e. certified binaries [1].
Of course, I think memory safety plus one additional property which I
don't have a good name for (full external reification?) are the only
properties required for capability security.
Sandro
[1] http://flint.cs.yale.edu/flint/publications/tscb.html
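The following is an added example, not code from this post, from the cap-talk list, or from the FLINT certified-binaries work cited above. It illustrates the shape of proof-carrying code that Sandro describes: the producer ships a binary together with a proof of a safety property, and the consumer's small trusted checker verifies that proof before executing anything. The register machine, its opcodes, the interval-annotation "proof" format, and the sample programs are all invented here for illustration; a real system uses a far richer logic and a real instruction set.

```python
"""Toy proof-carrying-code (PCC) checker (illustrative, invented machine).

The safety property is memory safety: every load/store stays inside a
fixed region mem[0..MEM_SIZE-1]. The producer supplies, per instruction,
the machine state it claims holds there (as integer intervals per
register). The checker re-derives each state and accepts only if every
claim is implied by what it computed. Nothing the producer says is trusted.
"""
from math import inf

MEM_SIZE = 16                      # the machine may only touch mem[0..15]
REGS = ("r0", "r1", "r2", "r3")
TOP = (-inf, inf)                  # "any value", e.g. an untrusted input


def entails(strong, weak):
    """Does every register interval in `strong` lie within `weak`?"""
    return all(weak[r][0] <= strong[r][0] and strong[r][1] <= weak[r][1]
               for r in REGS)


def in_bounds(interval):
    return 0 <= interval[0] and interval[1] <= MEM_SIZE - 1


def step(state, ins):
    """Strongest post-state of `ins` under interval arithmetic.

    Raises ValueError if `ins` could touch memory out of bounds in `state`.
    """
    post, op = dict(state), ins[0]
    if op == "const":                       # rd = k
        post[ins[1]] = (ins[2], ins[2])
    elif op == "add":                       # rd = rs + rt
        (a, b), (c, d) = state[ins[2]], state[ins[3]]
        post[ins[1]] = (a + c, b + d)
    elif op == "and":                       # rd = rs & k, k >= 0 => 0 <= rd <= k
        if ins[3] < 0:
            raise ValueError("and: mask must be non-negative")
        post[ins[1]] = (0, ins[3])
    elif op == "load":                      # rd = mem[ra]
        if not in_bounds(state[ins[2]]):
            raise ValueError(f"load via {ins[2]} in {state[ins[2]]} may leave memory")
        post[ins[1]] = TOP                  # memory contents are unknown
    elif op == "store":                     # mem[ra] = rs
        if not in_bounds(state[ins[1]]):
            raise ValueError(f"store via {ins[1]} in {state[ins[1]]} may leave memory")
    elif op != "halt":
        raise ValueError(f"unknown opcode {op}")
    return post


def verify(code, proof):
    """proof[i] is the claimed state before instruction i; proof[-1] is final."""
    if len(proof) != len(code) + 1:
        return False, "proof length does not match code"
    if not entails({r: TOP for r in REGS}, proof[0]):
        return False, "proof assumes facts about the entry state"
    for i, ins in enumerate(code):
        try:
            post = step(proof[i], ins)
        except ValueError as e:
            return False, f"instruction {i}: {e}"
        if not entails(post, proof[i + 1]):
            return False, f"instruction {i}: claim after {ins} is not justified"
    return True, "ok"


def check_then_run(code, proof, r0, mem=None):
    """Consumer side: refuse to execute anything whose proof does not check."""
    ok, why = verify(code, proof)
    if not ok:
        raise PermissionError(why)
    mem = list(mem) if mem is not None else [0] * MEM_SIZE
    regs = {r: 0 for r in REGS}
    regs["r0"] = r0                       # untrusted input arrives in r0
    for ins in code:
        op = ins[0]
        if op == "const":   regs[ins[1]] = ins[2]
        elif op == "add":   regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
        elif op == "and":   regs[ins[1]] = regs[ins[2]] & ins[3]
        elif op == "load":  regs[ins[1]] = mem[regs[ins[2]]]
        elif op == "store": mem[regs[ins[1]]] = regs[ins[2]]
    return regs, mem


def state(**known):
    """A proof state: every register TOP except the ones named."""
    s = {r: TOP for r in REGS}
    s.update(known)
    return s


# Constructed sample binaries and proofs (hypothetical producer output).
SAFE = [("and", "r0", "r0", MEM_SIZE - 1), ("load", "r1", "r0"), ("halt",)]
SAFE_PROOF = [state(), state(r0=(0, 15)), state(r0=(0, 15)), state(r0=(0, 15))]
UNSAFE = [("load", "r1", "r0"), ("halt",)]           # index never bounded
UNSAFE_PROOF = [state(), state(), state()]           # honest: nothing to claim
FORGED_PROOF = [state(r0=(0, 15))] * 3               # lies about the entry state
```

Three outcomes are worth running: `SAFE` with `SAFE_PROOF` is accepted and executes; `UNSAFE` has no honest proof, because the load's precondition cannot be met from an unbounded `r0`; and `FORGED_PROOF` is rejected at the entry check, since the producer is not allowed to assume anything about the initial register contents. A proof that claims more than the code establishes (say, `r0` in `(0, 3)` after the mask) fails the entailment step for the same reason. With straight-line code the checker could derive these annotations itself; the supplied proof earns its keep once there are jumps and loops, where producer-supplied invariants turn verification into a single linear pass. The trusted base is the checker and the machine semantics it encodes, not the producer's compiler, which is the point of certifying the binary rather than the toolchain.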