[cap-talk] Memory access based OS security

Bill Frantz frantz at pwpconsult.com
Thu Sep 3 17:43:34 PDT 2009


bklooste at gmail.com (Ben Kloosterman) on Monday, August 3, 2009 wrote:

>Hardware-level security through address management was introduced as a way to work around failures of 
>the application languages (:shudder:, remembering early implementations of Windows). But if you force 
>applications to compile to a particular language (or bytecode), you can enforce security at the 
>software level and achieve security without the sacrifices to performance that come from partitioning 
>the address space. 

The idea of depending on the compiler or byte code verifier in a "language
based system" (LBS) is quite attractive since it might result in a higher
performance system. However, it does impact the assurance aspect of secure
systems.

With systems like KeyKOS, EROS, CapROS, Coyotos, VM/370, etc. the security
assertion is that no sequence of machine language instructions is able to
subvert the security of the system. The only compiler that needs
verification is the one used to compile the system, and it only needs to be
verified for the features used by the source code of the system. Since only
a limited amount of programming needs to be verified, auditing the output
of the compiler is a feasible, if tedious, possibility.

In contrast, LBS system compilers and/or byte code verifiers must be
verified against all possible inputs, which seems to me to be a harder
problem.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
