[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

David Wagner daw@mozart.cs.berkeley.edu
2 Feb 2001 00:40:59 GMT


Marc Stiegler wrote:
>David Wagner wrote:
>> I don't tend to find that I need access control on such a fine level
>> of granularity as pointers.
>
>This intrigues me simply because I have found it so convenient when writing
>secure distributed software. I never have to invent a security boundary, the
>security boundary is simply there whenever I pass an object. It makes my
>coding life and my security analysis life much easier.

Hmm, that's an interesting hypothesis.  I'll have to keep my eye open
for this phenomenon next time I write some security-critical code.
To be honest, I hadn't thought about it very carefully.

Till now, I've tended to find the most useful abstraction to be a
"protection domain".  What I've wanted in the way of a protection domain
has rarely been as fine-grained as one domain per object or data value
(but maybe only because it's too hard to think about); instead, I've
wanted a way to draw a line and say that "module X distrusts module Y".

It may be that the possibility of even finer-grained protection domains
than that can't hurt, and can only help -- it sounds likely.  I suspect my
reaction is partially affected by my distrust in the ability of type-safe
languages to provide a high enough level of assurance.  The lesson I
draw from the Java experience is that, with today's technology, type-safe
languages just don't provide the same level of assurance of isolation that
is achievable with more traditional techniques (separate address spaces,
MMU chips, RPC for communication between distrusting processes, etc.).
But I want to say this: if I had a mechanism for imposing super-fine-grain
security boundaries that I could trust, I would almost certainly feel
very differently about the matter.

Meanwhile, I'm dissatisfied with the Unix process-based philosophy of
structuring systems.  It's just too coarse-grained and heavyweight --
where by heavyweight I refer not to the performance overhead (which
I don't care about very much, as long as it is not dramatically
unreasonable), but rather to the amount of effort I have to go to if I
want to divide my system up in this way.

Given this, I'm a big supporter of research that tries to push hard on
finding mechanisms for structuring systems with finer-grained security
boundaries and with high levels of assurance.  Progress on this front
seems likely to translate directly into extra flexibility in structuring
programs and following the Principle of Least Privilege, and as you say,
that's a good thing.

This is one reason I'd like to better understand what it is about
capabilities that make life better, and whether it is possible to achieve
some of those benefits without needing to buy into a whole new programming
language, operating system, libraries, and programming environment.
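The point under discussion, that with object references as the unit of protection "the security boundary is simply there whenever I pass an object" and that "module X distrusts module Y" reduces to choosing what X hands to Y, is shown below in an added example. It is not code from the post or from the E or Java projects; JavaScript is used rather than Java because closures and frozen objects make the pattern short and runnable, and the names (`makeLog`, `readOnlyFacet`, `revocable`, `untrustedReporter`, `demo`) are all hypothetical. The owner keeps the full object, passes the distrusted code only a read-only facet, and can revoke even that; the distrusted code never needs an access-control check because it holds nothing beyond the facet it was given.

```javascript
// Added example (not from the original post): capability-style attenuation
// and revocation. The object reference a caller is handed is the protection
// domain; there is no separate ACL to consult.
'use strict';

// Full-authority resource held by the owner ("module X").
// Constructed sample resource; not part of any real library.
function makeLog() {
  const entries = [];
  return Object.freeze({
    append(line) { entries.push(String(line)); },
    read() { return entries.slice(); },
    clear() { entries.length = 0; },
  });
}

// Attenuation: a frozen facet that forwards only read(). Holding the facet
// gives no path back to append() or clear() on the underlying log.
function readOnlyFacet(log) {
  return Object.freeze({ read: () => log.read() });
}

// Revocation: a forwarder the grantor can sever later. After revoke(), the
// holder's reference still exists but no longer reaches the resource.
function revocable(cap) {
  let target = cap;
  const proxy = Object.freeze({
    read() {
      if (target === null) throw new Error('capability revoked');
      return target.read();
    },
  });
  return { proxy, revoke() { target = null; } };
}

// "Module Y": code the owner distrusts. It can only act on what it was passed.
// The probes below record whether any write authority leaked through.
function untrustedReporter(cap) {
  const result = { lines: cap.read().length, couldWrite: false, couldClear: false };
  if (typeof cap.append === 'function') { cap.append('injected'); result.couldWrite = true; }
  if (typeof cap.clear === 'function') { cap.clear(); result.couldClear = true; }
  return result;
}

// Owner-side flow: build the log, hand out a revocable read-only facet,
// let the distrusted code run, then revoke and check what it can still do.
function demo() {
  const log = makeLog();
  log.append('boot');      // constructed sample entries
  log.append('login ok');
  const { proxy, revoke } = revocable(readOnlyFacet(log));
  const report = untrustedReporter(proxy);
  revoke();
  let afterRevoke;
  try { untrustedReporter(proxy); afterRevoke = 'still works'; }
  catch (e) { afterRevoke = e.message; }
  return { report, remaining: log.read().length, afterRevoke };
}

console.log(JSON.stringify(demo()));
```

The design choice worth noting is that `untrustedReporter` contains no security logic at all: the boundary was drawn entirely on the owner's side by what it chose to pass. Narrowing or widening Y's authority means changing the facet, not editing Y.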