[cap-talk] Security by safe language processing
David-Sarah Hopwood
david-sarah at jacaranda.org
Sat Sep 5 21:06:28 PDT 2009
David-Sarah Hopwood wrote:
> Jed Donnelley wrote:
>> At 05:43 PM 9/3/2009, Bill Frantz wrote:
>>> The idea of depending on the compiler or byte code verifier in a "language
>>> based system" (LBS) is quite attractive since it might result in a higher
>>> performance system.
>>
>> Higher performance in that it can avoid hardware context switches that
>> are typically rather expensive? I'm sure we all know of many ways that this
>> issue has been addressed (with whatever success or not).
>
> Despite such attempts, there is still a very significant gap between the
> performance of IPC involving context switches, and the performance of a
> method call between objects. This makes it possible in a language-based
> system to consider designs involving security boundaries between extremely
> fine-grained objects, that would be totally impractical in a system based
> on hardware memory protection.
I intended also to mention that this difference due to performance is
also reinforced by the fact that method calls in a programming language
have a much lower syntactic overhead than typical IPC calls (including
necessary error checking, type conversion etc.)
Even if the IPC system has a well-designed language binding that minimises
this overhead, any extra work needed for separation into multiple security
domains will make programmers and designers loath to consider that except
in cases where they can see a clear and immediate benefit. In the language
case, OTOH, software engineering and maintenance concerns can lead them to
introduce encapsulation boundaries that incidentally help with security.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
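The fine-grained boundaries the post describes, shown as an added Python illustration that is not from the thread or its authors; the counter, read-only facet and caretaker names are my own constructions:

```python
# Added illustration, not code from the cap-talk thread: in a language-based
# system a security boundary can be one closure, crossed by one call, with no
# marshalling, stub code or context switch. Caveat: Python does not enforce
# encapsulation (a holder can inspect __closure__), so a real LBS relies on a
# language whose compiler or verifier does, which is the thread's point.
def make_counter():
    """Full-authority object: closures over a private value."""
    value = [0]
    def increment():
        value[0] += 1
        return value[0]

    def read():
        return value[0]

    return {"increment": increment, "read": read}

def read_only_facet(counter):
    """Attenuation: the mutator is simply not reachable via this facet."""
    return {"read": counter["read"]}

def make_revocable(target):
    """Caretaker pattern: forwarding proxy plus revoke() that cuts the link."""
    live = {"target": target}
    def proxy(method, *args):
        if live["target"] is None:
            raise PermissionError("capability revoked")
        return live["target"][method](*args)

    def revoke():
        live["target"] = None

    return proxy, revoke

def demo():
    """Cross all three boundaries; report what each holder could do."""
    counter = make_counter()
    counter["increment"]()            # full holder mutates
    facet = read_only_facet(counter)
    proxy, revoke = make_revocable(facet)
    seen = proxy("read")              # read through two boundaries -> 1
    revoke()
    try:
        proxy("read")
        revoked = False
    except PermissionError:
        revoked = True
    return {"facet_can_mutate": "increment" in facet, "seen": seen,
            "revoked": revoked}
```

Each holder receives only the references it was handed, so the "security domain" split costs one dictionary lookup and one call rather than a separate process and an IPC binding.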