[cap-talk] Software certification (was: Horton at HotSec, how broad?)

Jed Donnelley capability at webstart.com
Mon Jul 9 13:14:34 EDT 2007


At 06:25 AM 7/9/2007, Sandro Magi wrote:

>Ivan Krstić wrote:
> >> The argument will of course be made that certifying
> >> software is a viable alternative.
> >
> > That position is pretty stupid, I think, and amounts to sticking
> > one's head in the sand. We're already seeing certified malware for
> > mobile platforms in the wild. Right now.
>
>"Certification" has many meanings. The certification you refer to is
>indeed flawed. The kind of certification I had thought Jed was referring
>to when I first read the above was a form of proof-carrying code where
>the safety properties of a program are verified by a proof that
>accompanies the binary, i.e. certified binaries [1].
>
>Of course, I think memory safety plus one additional property which I
>don't have a good name for (full external reification?) are the only
>properties required for capability security.
>
>Sandro
>
>[1] http://flint.cs.yale.edu/flint/publications/tscb.html

I believe from the above discussion and reference my intended
meaning was more along the lines of Ivan Krstić's interpretation.
For me the primary difficulty isn't in finding ways to ensure
that any block (segment, routine, object, whatever) of
code is safe (effective, not dangerous, etc.), but rather
the difficulty of ensuring that code blocks that we wish
to utilize are among the most safe such blocks (e.g. code
received in email, downloaded from the Web, received on
optical media, etc., etc.).

--Jed  http://www.webstart.com/jed-signature.html 