[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith
of Johns Hopkins)
Thu, 01 Feb 2001 20:27:32 +0000
Marc Stiegler wrote:
> > I don't tend to find that I need access control on such a fine level
> > of granularity as pointers.
> This intrigues me simply because I have found it so convenient when writing
> secure distributed software. I never have to invent a security boundary, the
> security boundary is simply there whenever I pass an object. It makes my
> coding life and my security analysis life much easier.
Right - and, on the other side of the coin, in my daily life trying to
secure a variety of ordinary, non-capability stuff, I find I spend large
amounts of time trying to figure out how to give away exactly _this_
right without also giving away _that_ one (or, worse, not being sure
which other ones I've given away). Capabilities seem to me to offer the
promise of solving that particular piece of anxiety induction at a
I'm particularly attuned to this problem right now having spent the
whole day wrestling with a 5-network firewall. TCP is fundamentally
screwed from this POV. At least, it is without some serious stuff
layered on top. And a classic example of _that_ is where I get to use
ssh to control access to something, and suddenly it becomes trivial
instead of being a nightmare. OK, an ssh key isn't quite a capability
(though it could be used like one if you had the energy), it's one of the
nearest things I can get to a distributed capability in current systems.
> Without such fine grain security, you cannot use the Principle of Least
> Authority. Completely aside from the discussion of ACLs and capabilities,
> does not POLA seem like a logical, even necessary, best-practice for humans
> to follow when trying to write secure software? It seems like a crucial part
> of our inventory of weapons for dealing with our own fallibility.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff