[cap-talk] Security and Full Abstraction (was: Cap OS question)
David Wagner
daw at cs.berkeley.edu
Wed Sep 9 19:26:18 PDT 2009
Ben Kloosterman wrote:
> Why not just convert to a safer Intermediate Language and if it doesn't
> convert consider it invalid and don't support the app. At least it will be
> simple code.
>
> I'm currently considering
>
> Java -> CIL -> x86 but am also considering
This proposal is not detailed enough for me to comment on in any
detail, but your use of the word "just" makes me wonder if you are
being unduly optimistic.
Do you have a specific, detailed proposal for an intermediate language
that you believe meets the following two requirements?
(a) is simple enough to make it easy to build a Joe-E-like verifier,
(b) is rich and expressive enough that you can easily translate
arbitrary, complex Java apps to that language.
(CIL probably fails those two requirements: writing a verifier sounds
like it may take a bit of thought and work, and writing a general-purpose
Java->CIL translator that has good performance may be a non-trivial
challenge.)
To me, this approach smells like a Hard Research Problem. Advice: avoid
biting off hard problems whenever you don't have to, particularly when
dealing with a modern language in all of its complexity.
In my experience, these things are easy to talk about, but coming up
with something that you can feasibly implement *and* actually doing the
grunt work of implementing it is not quite as easy. How committed are
you to shipping a working system with running code? How many developers
are on your team, and what's your budget to build it?