holes and vulnerabilities

Mark S. Miller markm@erights.org
Tue, 22 Dec 1998 13:09:35 -0800


At 05:15 AM 12/22/98 , shapj@us.ibm.com wrote:
>I'd note that garbage collection is feasible in KeyKOS/EROS, given a
>suitably trusted agent.  It would have to be very trusted indeed,
>however...

This reminds me of my favorite perverse o-o-security result, and my
favorite evidence for the existence of intelligent life forms beyond my
comprehension.  I became concerned that we (Agorics at the time, but this also
applies to Vulcan, Trusty Scheme, EC, and now erights.org) were mixing
object-language concepts and capability-secure-OS concepts *assuming* they
were equivalent.  I saw two areas of concern where the assumption might
lead us astray.

1) Inheritance, which I felt we had a handle on (and has now been
adequately addressed in a synchronous context by
http://www.erights.org/doc/elang/blocks/inheritance.html ), and

2) Garbage collection.

Not knowing how to think about the latter, I of course asked Norm.  (The
ambitious reader should ponder the question now, before reading on.)  At
first, Norm couldn't get a handle on it either, so I asked instead "What if
we added GC to KeyKOS?".  After a fifteen minute informative lecture on why
that would be a bad idea, I asked "Never mind all that, what if we did add
GC to KeyKOS?  What security implications would there be?"  Norm closed his
eyes for about two seconds, opened them, and said "Sensory keys would have
to be weak pointers."

This is absolutely correct.  When a strong pointer retains an object by
pointing at it, i.e., by causing the garbage collector not to collect the
object, the pointer leaks information to those who can sense whether the
object has been collected (including those who can only test whether the
storage has been deallocated).  Therefore, strong pointers are not discreet.

It could have taken me another decade to notice something like that.


Btw, E ignores this issue for reasons I will try to justify.  What's
Joule's take?
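The following is an added illustration of Norm's point, written for this archive page; it is not Mark Miller's code nor anything from KeyKOS, EROS, E or Joule. It models the observation in a garbage-collected language (Python, whose `weakref` module provides exactly the "weak pointer" distinction): a party holding only a weak (sensory) reference can observe whether some other party still holds a strong reference, so the strong pointer reveals one bit per object to whoever can sense collection. All class and function names (`Resource`, `sense_alive`, and the rest) are constructed for this example.

```python
"""Added example, not part of the original message: why a strong pointer is
not discreet once a garbage collector exists, and why a purely sensory
(read-only) reference therefore has to be a weak pointer.

Names below (Resource, sense_alive, ...) are invented for the illustration;
they correspond to no real KeyKOS/EROS or E API.
"""
import gc
import weakref


class Resource:
    """Stand-in for an object that some party may or may not be retaining."""

    def __init__(self, name):
        self.name = name


def sense_alive(wref):
    """A 'sensory' view of an object: a weak reference lets its holder observe
    whether the object still exists without itself keeping the object alive."""
    gc.collect()  # force collection so liveness reflects strong holders only
    return wref() is not None


def strong_holder_leaks():
    """Party A holds a strong pointer, party B only a weak one.  B learns
    whether A still retains the object purely by sensing liveness; that is
    the information leak the post describes."""
    obj = Resource("shared")
    a_holds = obj                  # A's strong pointer retains the object
    b_senses = weakref.ref(obj)    # B's sensory pointer does not
    del obj                        # only A's reference keeps it alive now
    before = sense_alive(b_senses)  # True: A is still holding
    del a_holds                     # A drops its reference
    after = sense_alive(b_senses)   # False: object was collected
    return before, after


def weak_holders_are_discreet():
    """If every reference is weak, nobody retains the object, so no holder's
    behaviour is observable through the collector: both sensors see the
    object vanish as soon as the last strong reference is gone."""
    obj = Resource("shared")
    a_senses = weakref.ref(obj)
    b_senses = weakref.ref(obj)
    del obj
    return sense_alive(a_senses), sense_alive(b_senses)


def leak_bits_via_strong_refs(bits):
    """The same channel, one object per bit: the retaining party keeps a strong
    pointer only for the 1-bits, and the sensing party recovers the whole
    bit string by observing which objects survive collection."""
    retained = []   # strong pointers held by the retaining party
    sensors = []    # weak pointers held by the sensing party
    for bit in bits:
        obj = Resource(f"bit-{len(sensors)}")
        sensors.append(weakref.ref(obj))
        if bit:
            retained.append(obj)   # retain only for a 1-bit
        del obj                    # 0-bit objects are collected here
    gc.collect()
    recovered = [1 if s() is not None else 0 for s in sensors]
    del retained
    return recovered


if __name__ == "__main__":
    print("strong holder observed:", strong_holder_leaks())        # (True, False)
    print("all-weak holders:", weak_holders_are_discreet())        # (False, False)
    print("bits recovered:", leak_bits_via_strong_refs([1, 0, 1, 1, 0]))
```

The design point is the one Norm made: a reference that only grants the ability to observe must not be a retaining reference, because retention itself is observable to every other weak holder once a collector exists. In CPython the collection happens immediately on the last `del` because of reference counting; `gc.collect()` is called anyway so the example does not depend on that implementation detail.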