[cap-talk] C vs. Safety

Baldur Johannsson zarutian+cap-talk at gmail.com
Sun Aug 10 19:26:49 CDT 2008


On 07/08/2008, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> On Thu, 2008-08-07 at 18:44 +0000, Baldur Johannsson wrote:
>> On Wed, 2008-08-06, Jonathan Shapiro wrote:
>> > A program that can violate the type system can compromise the
>> > virtual machine, and can therefore violate any other safety property
>> > we might care to name.
>> >
>> Depends on whether the virtual machine runs the program directly on
>> the same substrate as it runs on itself, or whether it runs the program
>> by interpreting each instruction of the program.
>
> No it doesn't. Violating the type system is still violating the type
> system, and what I said remains true. Interpreting the instructions does
> not preclude an interpreter that fails to enforce the type system
> properly. Conversely, if a program is permitted to run, and the VM is
> correctly implemented, then the program did not, in fact, violate the
> type system. A detected attempt at violation is a fatal error. The only
> question that interpretation introduces is whether we can detect it
> statically or at runtime.
>
> It is true that a *second* virtual machine running beneath the first one
> might not be compromised, but the one that is relying on the violated
> type system for its safety is toast.
>
So is a KeyKOS domain (the 2nd VM in your example)
running a statically type-checked program more safe and secure than a
domain that is just running a program that hasn't been subjected to
static type checking?
If yes, then why?
