[cap-talk] Security by safe language processing
Ben Kloosterman
bklooste at gmail.com
Sat Sep 5 23:24:34 PDT 2009
> I intended also to mention that this difference due to performance, is
> also reinforced by the fact that method calls in a programming language
> have a much lower syntactic overhead than typical IPC calls (including
> necessary error checking, type conversion etc.)
> Even if the IPC system has a well-designed language binding that minimises
> this overhead, any extra work needed for separation into multiple security
> domains will make programmers and designers loath to consider that except
> in cases where they can see a clear and immediate benefit. In the language
> case, OTOH, software engineering and maintenance concerns can lead them to
> introduce encapsulation boundaries that incidentally help with security.
Exactly. Some language-based OSes use the lower task switch time to have a strongly typed message parsing IPC (including kernel calls) layer; while still "method calls", it uses an asynch and queued message style instead of RPC style.

This allows all system calls and IPC to be of the right type, and as services have a single entry point for the API, it allows all messages to be checked for security and sensible values (by just calling Validate on the type). Systems like Mach3/Minix/L3-4 used similar schemes, but messages are small fixed size and very limited due to trying to overcome performance issues, and are not strongly typed; hence, since the entry point of the service doesn't know what the fields mean, they typically just check that the sender is valid.

The lack of research and experience in language-based systems (when used as an OS) means we don't really have a strong idea of the performance/reliability/security tradeoffs for RPC vs synch messages vs asynch messages, or even about the encapsulation boundaries. Even how strong the type definition should be is unknown; modern apps tend to have standard value types, as security or invalid values are not a big deal, but for an OS it is different. E.g. is it worth creating value types like integer10to1000 or string5-50? If so you don't even need to validate types. Also, will larger messages lead to fewer IPC/kernel calls (which is the case with distributed systems)?
Regards,
Ben
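The message above contrasts two designs: a fixed-size, untyped message where the service entry point can only check that the sender is valid, and a strongly typed message whose fields are constrained value types (the integer10to1000 / string5-50 idea), so that a single Validate step at the entry point makes every later handler safe by construction. The following Rust sketch is an added example written for this archive page, not code from the thread or from any of the systems it names; the type and function names (`Int10To1000`, `Str5To50`, `RawMessage`, `CreateFile`, `validate`, `handle_create_file`) and the sample messages are constructed for illustration.

```rust
// Added example (not from the cap-talk thread): range-constrained value types
// plus one validating entry point, so service handlers only ever see typed,
// already-checked messages. All names here are hypothetical.

#[derive(Debug, Clone, PartialEq)]
pub enum ValidationError {
    IntOutOfRange { value: i64, min: i64, max: i64 },
    StrLength { len: usize, min: usize, max: usize },
    UnknownSender(u32),
}

/// Integer constrained to [10, 1000]. The field is private, so the only way
/// to obtain a value of this type is through `new`, which enforces the range.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Int10To1000(i64);

impl Int10To1000 {
    pub const MIN: i64 = 10;
    pub const MAX: i64 = 1000;

    pub fn new(v: i64) -> Result<Self, ValidationError> {
        if v < Self::MIN || v > Self::MAX {
            return Err(ValidationError::IntOutOfRange { value: v, min: Self::MIN, max: Self::MAX });
        }
        Ok(Int10To1000(v))
    }

    pub fn get(self) -> i64 {
        self.0
    }
}

/// String constrained to 5..=50 bytes, built the same way.
#[derive(Debug, Clone, PartialEq)]
pub struct Str5To50(String);

impl Str5To50 {
    pub const MIN: usize = 5;
    pub const MAX: usize = 50;

    pub fn new(s: &str) -> Result<Self, ValidationError> {
        let len = s.len();
        if len < Self::MIN || len > Self::MAX {
            return Err(ValidationError::StrLength { len, min: Self::MIN, max: Self::MAX });
        }
        Ok(Str5To50(s.to_string()))
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Raw message as an untyped, fixed-layout IPC path might deliver it
/// (constructed stand-in): the receiver knows nothing about field meaning.
pub struct RawMessage {
    pub sender: u32,
    pub name: String,
    pub size_kb: i64,
}

/// Typed message: the field types carry the constraints, so holding a
/// `CreateFile` is proof that every field has already been validated.
#[derive(Debug, Clone, PartialEq)]
pub struct CreateFile {
    pub sender: u32,
    pub name: Str5To50,
    pub size_kb: Int10To1000,
}

/// The single service entry point: this is the "Validate" step. It does the
/// sender check an untyped kernel would do, plus the per-field checks that
/// only a layer which knows the field types can do.
pub fn validate(raw: &RawMessage, known_senders: &[u32]) -> Result<CreateFile, ValidationError> {
    if !known_senders.contains(&raw.sender) {
        return Err(ValidationError::UnknownSender(raw.sender));
    }
    Ok(CreateFile {
        sender: raw.sender,
        name: Str5To50::new(&raw.name)?,
        size_kb: Int10To1000::new(raw.size_kb)?,
    })
}

/// Handler behind the entry point: it accepts only the typed message, so it
/// cannot be reached with unchecked fields and needs no re-validation.
pub fn handle_create_file(msg: &CreateFile) -> String {
    format!("created {} ({} KB) for task {}", msg.name.as_str(), msg.size_kb.get(), msg.sender)
}

fn main() {
    let senders = [7u32, 42];
    let good = RawMessage { sender: 42, name: "report.txt".to_string(), size_kb: 256 };
    let bad = RawMessage { sender: 42, name: "a".to_string(), size_kb: 5000 };
    for raw in [&good, &bad] {
        match validate(raw, &senders) {
            Ok(m) => println!("{}", handle_create_file(&m)),
            Err(e) => println!("rejected at entry point: {:?}", e),
        }
    }
}
```

The design point is that the constraint lives in the type, not in the handler: once `validate` has produced a `CreateFile`, every function that takes one can trust its fields, which is what the post means by not needing to validate types separately. An untyped fixed-size message layer can only perform the `UnknownSender` check in this example.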