[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Mark S. Miller markm@caplet.com
Fri, 02 Feb 2001 14:39:57 -0800


At 02:04 PM Friday 2/2/01, Bill Frantz wrote:
>To some extent, the level of assurance you need depends on the threat.
>Capability languages, such as E, provide enough assurance to protect
>programmers against their own mistakes, even while they aren't strong
>enough to protect against hostile programmers.  Even running under a system
>like Windows, they can make a real contribution.
>
>The system I really like is a capability language running in a capability
>OS.  E in EROS comes immediately to mind.

While I also look forward to E on EROS, I'll go ahead and make a much stronger 
claim than yours.  If I'm running E on my MSWindows machine (or Unix or Mac) on 
which I use only E to interact with those outside my machine (eg, you and I 
are eChatting), and if I've turned off all other network services, then my 
only vulnerabilities to outside programmers are through their ability to 
corrupt my MSWindows platform (eg, physical access), take advantage of ways 
it was already corrupted that I might not have known about (eg, a Microsoft 
or Intel trapdoor), or get me to make an authorization decision that I 
shouldn't have.  I make this claim even when E fully supports mobile code, 
as with PassByCopy objects.

If true, this would be a non-trivial level of assurance, but at a price that 
few will realistically pay.  Nevertheless, if this claim holds water, then 
it makes clear what E-on-MSWindows users need and don't need to worry about.


>I think a lot of real world benefit would come from a Principle of Least
>Authority (POLA), capability based, Unix system.  In this kind of system,
>the shell would automatically give each command access to all the files
>mentioned in the (expanded) command.  This functionality would make
>something like:
>  grep createAvatar `find . -name '*.java'`
>run in a POLA environment.

The E command line, simply by using lambda-calculus lexical scoping rules, 
already provides this functionality, not just for E objects, but also for 
authorities from the underlying OS that have been presented into the E world, 
rationalized into capabilities.  In particular, E already provides this 
functionality for files.  No need to fix MSWindows, Mac, or Unix to get this 
benefit.  Of course, you'd have to rewrite "grep" in E.


        Cheers,
        --MarkM
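The POLA shell Bill describes and the argument-passing discipline Mark attributes to E's lexical scoping, sketched as an added Python example (not code from the E project or from either poster). The in-memory `DISK` dict, the `ReadCap` class and the `pola_shell` function are constructed for this illustration; Python itself removes no ambient authority, so the example models the structure of the idea, where a command receives authority only through the arguments the expanded command line names.

```python
import fnmatch
from typing import Callable, Dict, List, Tuple

# Constructed in-memory stand-in for the user's disk, so the example runs offline.
DISK: Dict[str, str] = {
    "src/Avatar.java": "Object createAvatar() { return new Avatar(); }",
    "src/Util.java": "class Util {}",
    "notes.txt": "createAvatar is the entry point",
    "private/keys.txt": "createAvatar should never see this",
}

class ReadCap:
    """Authority to read exactly one file; the only thing a command is handed."""
    def __init__(self, path: str, contents: str) -> None:
        self._path, self._contents = path, contents
    def name(self) -> str:
        return self._path
    def lines(self) -> List[str]:
        return self._contents.splitlines()

def grep(pattern: str, caps: List[ReadCap]) -> List[str]:
    """grep rewritten in capability style: it has no filesystem, only the caps it was given."""
    return [f"{c.name()}:{ln}" for c in caps for ln in c.lines() if pattern in ln]

COMMANDS: Dict[str, Callable[[str, List[ReadCap]], List[str]]] = {"grep": grep}

def expand(globs: List[str], disk: Dict[str, str]) -> List[str]:
    """The shell's own expansion step; it is the part that runs with the user's full authority."""
    return [p for p in sorted(disk) for g in globs if fnmatch.fnmatch(p, g)]

def pola_shell(line: str, disk: Dict[str, str] = DISK) -> Tuple[List[str], List[str]]:
    """Run 'cmd pattern glob...' and return (output, paths the command was granted).
    Authority reaches the command only through its argument list, as with lexical scoping."""
    cmd, pattern, *globs = line.split()
    granted = expand(globs, disk)
    caps = [ReadCap(p, disk[p]) for p in granted]
    return COMMANDS[cmd](pattern, caps), granted
```

The second element of the returned tuple is the audit record a user would want: exactly which files the command could read, and nothing else on the disk.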