[cap-talk] C vs. Safety

Jonathan S. Shapiro shap at eros-os.com
Thu Aug 7 16:03:20 CDT 2008


On Thu, 2008-08-07 at 18:44 +0000, Baldur Johannsson wrote:
> On Wed, 2008-08-06, Jonathan Shapiro wrote:
> > A program that can violate the type system can compromise the
> > virtual machine, and can therefore violate any other safety property
> > we might care to name.
> >
> Depends if the virtual machine runs the program directly on the same substrate
> as itself runs or if it runs the program by interpreting each
> instruction of the program.

No it doesn't. Violating the type system is still violating the type
system, and what I said remains true. Interpreting the instructions does
not preclude an interpreter that fails to enforce the type system
properly. Conversely, if a program is permitted to run, and the VM is
correctly implemented, then the program did not, in fact, violate the
type system. A detected attempt at violation is a fatal error. The only
question that interpretation introduces is whether we can detect it
statically or at runtime.

It is true that a *second* virtual machine running beneath the first one
might not be compromised, but the one that is relying on the violated
type system for its safety is toast.


shap
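The distinction drawn above, that a type violation is caught either statically or at runtime and is fatal in both cases, as an added example that is not part of the thread: a toy stack VM whose values carry an int or ref tag (the opcodes, names and object model are my own assumptions). The verifier refuses an ill-typed program before it runs; if the verifier is skipped, the interpreter's tag check traps the same instruction, so an integer is never used as a heap reference.

```python
# Added example (not from the cap-talk thread); opcodes and names are made up.
class TypeViolation(Exception): "A value was used at a type it does not have."

def _pop(stack, want, where):
    # Shared by the verifier (stack of tags) and the interpreter (tagged values).
    if not stack:
        raise TypeViolation(f"{where}: stack underflow")
    tag, val = stack.pop()
    if tag != want:
        raise TypeViolation(f"{where}: expected {want}, got {tag}")
    return val

def verify(program):
    """Static check: abstractly interpret over a stack of type tags only."""
    types = []
    for pc, (op, *arg) in enumerate(program):
        where = f"pc={pc} {op} (static)"
        if op == "push_int": types.append(("int", None))
        elif op == "new":    types.append(("ref", None))
        elif op == "add":    # int, int -> int
            _pop(types, "int", where); _pop(types, "int", where)
            types.append(("int", None))
        elif op == "load":   # ref -> int
            _pop(types, "ref", where); types.append(("int", None))
        elif op == "store":  # ref, int -> (nothing)
            _pop(types, "int", where); _pop(types, "ref", where)
        else: raise TypeViolation(f"{where}: unknown opcode {op}")
    return [tag for tag, _ in types]

def run(program, check_statically=True):
    """Execute; with the verifier disabled, the runtime tag check still traps."""
    if check_statically: verify(program)
    heap, stack = [], []   # heap of one-field objects; a ref is an index into it
    for pc, (op, *arg) in enumerate(program):
        where = f"pc={pc} {op} (runtime)"
        if op == "push_int": stack.append(("int", arg[0]))
        elif op == "new":    heap.append(0); stack.append(("ref", len(heap) - 1))
        elif op == "add":
            stack.append(("int", _pop(stack, "int", where) + _pop(stack, "int", where)))
        elif op == "load":   # unchecked, an int here would index the heap directly
            stack.append(("int", heap[_pop(stack, "ref", where)]))
        elif op == "store":
            value = _pop(stack, "int", where); heap[_pop(stack, "ref", where)] = value
        else: raise TypeViolation(f"{where}: unknown opcode {op}")
    return stack

def is_rejected(program, check_statically=True):
    """True if the program is refused as a fatal error, statically or at runtime."""
    try:
        run(program, check_statically); return False
    except TypeViolation: return True
```

Running `is_rejected(bad)` and `is_rejected(bad, check_statically=False)` on an ill-typed program such as `[("push_int", 3), ("load",)]` shows the same instruction being refused at verification time and, with verification off, at execution time.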
