[cap-talk] Midori in The Register

Jonathan S. Shapiro shap at eros-os.com
Wed Aug 6 14:46:21 CDT 2008


On Wed, 2008-08-06 at 20:34 +0100, Ben Laurie wrote:
> OK. So you agree that
> 
> "That is: managed code cannot guarantee security, but type-unsafe code
> (which is not quite the same as unmanaged code) does guarantee the
> absence of security."
> 
> is incorrect.

While the idiom you favor is useful, Apache is type-unsafe, because it
lacks any automated means of checking and its mechanisms can therefore
be bypassed.

While "guarantee" was value laden, we can reasonably infer from the
absence of strictly safe practices in Apache that it can still be
compromised. This inference has confidence as near to unit as makes no
difference. The gap between unit and this confidence is so small that
the word "guarantee" is probably appropriate. I would have very little
hesitation betting my entire personal wealth at high leverage that some
security flaw resulting from a memory safety failure somewhere in Apache
still exists to be discovered -- or at least, I wouldn't hesitate if
there were any payoff.


shap
