[cap-talk] Midori in The Register

Jonathan S. Shapiro shap at eros-os.com
Wed Aug 6 08:57:02 CDT 2008


On Wed, 2008-08-06 at 13:57 +1000, James A. Donald wrote:
> Jonathan S. Shapiro wrote:
>  > That is: managed code cannot guarantee security, but
>  > type-unsafe code (which is not quite the same as
>  > unmanaged code) does guarantee the absence of
>  > security.
> 
> Type unsafe code may well run in an environment where it
> has no access to things that would enable it to pursue
> the interests of its writer at the expense of the person
> who owns the hardware on which it runs.  In this sense,
> type unsafe code can be made secure.
> 
> Everything running above ring zero is already in a VM.
> Why not make it a secure VM?

What you are saying is that safety can be applied at multiple levels of
abstraction, and that a VM can be viewed as a form of very coarse safety
system.

But the proper term for what you describe is "safety", not "security".
Security is certainly a safety property, but it entails a correctness
criterion that is far beyond what can be achieved from the semantic level
of a language virtual machine. Indeed, as many discussions here have
established, security ultimately relies on the application code that
implements the semantics of an object to be well behaved w.r.t. the
security policy.

shap


