[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)
David Wagner
daw@mozart.cs.berkeley.edu
2 Feb 2001 16:28:06 GMT
Tyler Close wrote:
>The ACL model requires that the invokee check access.
That's not correct. There's a reference monitor (often part of the OS)
whose job it is to check access. Of course we can't leave it up to the
subject to check access; it is the subject we are trying to restrain, so
we can't trust the subject to do the checking.
>> I don't understand. It seems to me that it is about access control
>> at the level of *accounts*. That's different.
>
>How do you distinguish an account from a pointer to an account object?
Sounds like you just did! It's the difference between a value and a
reference to a value. Is that what you meant?
Maybe the following will help you: All pointers to account objects are
pointers, but the reverse is not true. If it is true that we only need
access control at the level of accounts, we only need any access control
on account objects; we don't need access control on pointers to other
types of objects, for instance.
>If programmers in an ACL system stuck with the policy that every
>distinct authority be given its own separate delegation supporting
>ACL,
Can you help me parse this sentence? What's an "authority"? Do you just
mean a type of access (e.g., `read', `write', ...)? What's a "delegation
supporting ACL"? Why are you assigning an ACL to each authority, rather
than to each object?
Have you read Butler Lampson's paper, "Protection"? I think it is
very valuable reading on these points. See
http://research.microsoft.com/lampson/09-Protection/Abstract.html
You said, e.g., "the ACL model encourages incomplete modelling of
the application access table", but I don't understand: Lampson's paper
describes both ACL's and capabilities as just two different ways of
representing the same concept (i.e., the access control matrix)
efficiently in memory.
As for the rest, I understand the purpose and value of combining
designation and authority, and I agree that it seems to be a nice
benefit. I'd like to understand, though, whether I can obtain some
of this benefit without requiring a radical change to a new type-safe
programming language, operating system, and so on ... especially the
language part, because I'm a little skeptical on whether type-safe
languages can provide the level of assurance I'd like. That's why
I'm asking these questions: Not because I have a special aversion
to E or to capabilities, but because I'd like to understand what the
benefits are, where they're coming from, and whether it's possible
to reap partial benefits with a less radical change to the way I
program. In other words, can I pay only some of the cost and get
some of the benefits back?
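As an added illustration of Lampson's point referred to above (this is example code, not from the thread, from E, or from Lampson's paper), the same access control matrix is rendered column-wise as ACLs and row-wise as capability lists, and a reference monitor does the checking rather than the subject; the subject, object and right names and the sample matrix are constructed.

```python
# Added example: Lampson's access-control matrix stored two ways (ACLs per
# object, capability lists per subject) and a reference monitor that
# mediates every access instead of trusting the subject to check itself.
from typing import Dict, FrozenSet, List, Tuple

Subject, Obj, Right = str, str, str
Matrix = Dict[Tuple[Subject, Obj], FrozenSet[Right]]

# Constructed sample matrix: rows are subjects, columns are objects.
MATRIX: Matrix = {
    ("alice", "acct-1"): frozenset({"read", "write"}),
    ("bob",   "acct-1"): frozenset({"read"}),
    ("bob",   "acct-2"): frozenset({"read", "write"}),
}

def to_acls(m: Matrix) -> Dict[Obj, Dict[Subject, FrozenSet[Right]]]:
    """Column view: each object carries its own (subject -> rights) list."""
    acls: Dict[Obj, Dict[Subject, FrozenSet[Right]]] = {}
    for (s, o), rights in m.items():
        acls.setdefault(o, {})[s] = rights
    return acls

def to_clists(m: Matrix) -> Dict[Subject, Dict[Obj, FrozenSet[Right]]]:
    """Row view: each subject holds capabilities (object -> rights)."""
    caps: Dict[Subject, Dict[Obj, FrozenSet[Right]]] = {}
    for (s, o), rights in m.items():
        caps.setdefault(s, {})[o] = rights
    return caps

def from_acls(acls: Dict[Obj, Dict[Subject, FrozenSet[Right]]]) -> Matrix:
    """Rebuild the matrix from ACLs; round-trips losslessly."""
    return {(s, o): r for o, col in acls.items() for s, r in col.items()}

def from_clists(caps: Dict[Subject, Dict[Obj, FrozenSet[Right]]]) -> Matrix:
    """Rebuild the matrix from capability lists; round-trips losslessly."""
    return {(s, o): r for s, row in caps.items() for o, r in row.items()}

class ReferenceMonitor:
    """Single choke point that decides every access and records it."""
    def __init__(self, acls: Dict[Obj, Dict[Subject, FrozenSet[Right]]]):
        self._acls = acls
        self.log: List[Tuple[Subject, Obj, Right, bool]] = []  # audit trail

    def check(self, subject: Subject, obj: Obj, right: Right) -> bool:
        # Default deny: an unknown object or subject gets an empty right set.
        allowed = right in self._acls.get(obj, {}).get(subject, frozenset())
        self.log.append((subject, obj, right, allowed))
        return allowed
```

The audit log kept by the monitor is what a defender would feed into detection, since denied requests are visible there but never to the subject's own code.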