[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Karp, Alan alan_karp@hp.com
Fri, 2 Feb 2001 14:58:09 -0800

It's not quite as safe as you say.  I don't think you can do anything about
vulnerabilities in the TCP/IP stack.  Still, it's pretty darn good.

Also, you may not need to rewrite grep.  Our early e-speak prototype had a
secure file system on both Unix and (almost because we couldn't get "dir" to
work right) on NT.  We used a redirector on NT, and chrooted e-speak users
into an NFS mounted directory on Unix.  Both the redirector and version of
NFS were e-speak aware.  That way we didn't have to rewrite every app that
accessed the file system.  We also knew how to go even further on some OSes
and get to see every call to the kernel, e.g., /proc on Solaris.
Unfortunately, NT wasn't on the list.

Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278

> -----Original Message-----
> From: Mark S. Miller [mailto:markm@caplet.com]
> Sent: Friday, February 02, 2001 2:40 PM
> To: Bill Frantz
> Cc: daw@cs.berkeley.edu; e-lang@eros-os.org
> Subject: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and
> Scott Smith of Johns Hopkins)
>
> At 02:04 PM Friday 2/2/01, Bill Frantz wrote:
> >To some extent, the level of assurance you need depends on the threat.
> >Capability languages, such as E, provide enough assurance to protect
> >programmers against their own mistakes; even while they aren't strong
> >enough to protect against hostile programmers.  Even running under a
> >system like Windows, they can make a real contribution.
> >
> >The system I really like is a capability language running in a
> >capability OS.  E in EROS comes immediately to mind.
>
> While I also look forward to E on EROS, I'll go ahead a much stronger
> claim than yours.  If I'm running E on my MSWindows machine (or Unix or
> Mac) on which I use only E to interact with those outside my machine (eg,
> you and I are eChatting), and if I've turned off all other network
> services, then my only vulnerabilities to outside programmers is through
> their ability to corrupt my MSWindows platform (eg, physical access), take
> advantage of ways it was already corrupted that I might not have known
> about (eg, a Microsoft or Intel trapdoor), or get me to make an
> authorization decision that I shouldn't have.  I make this claim even when
> E fully supports mobile code, as with PassByCopy objects.
>
> If true, this would be a non-trivial level of assurance, but at a price
> that few will realistically pay.  Nevertheless, if this claim holds water,
> then it makes clear what E-on-MSWindows users need and don't need to worry
> about.
>
> >I think a lot of real world benefit would come from a Principle of Least
> >Authority (POLA), capability based, Unix system.  In this kind of system,
> >the shell would automatically give each command access to all the files
> >mentioned in the (expanded) command.  This functionality would make
> >something like:
> >  grep createAvatar `find . -name '*.java'`
> >run in a POLA environment.
>
> The E command line, simply by using lambda-calculus lexical scoping rules,
> already provides this functionality, not just for E objects, but also for
> authorities from the underlying OS that's been presented into the E world
> as rationalized into capabilities.  In particular, E already provides this
> functionality for files.  No need to fix MSWindows, Mac, or Unix to get
> this benefit.  Of course, you'd have to rewrite "grep" in E.
>
>         Cheers,
>         --MarkM
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
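The POLA shell that Bill Frantz describes in the quoted message, and Mark Miller's point that a command-line tool must be rewritten to take capabilities rather than paths, can be sketched in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the e-lang thread, from E, or from e-speak. It assumes Python 3, and the names pola_shell, cap_grep and ReadOnlyFileCap are invented for the sketch. The shell expands the command line, turns every argument that names an existing file into a read-only capability object wrapping an already-open descriptor, and invokes the command with those capabilities only. The capability-aware grep never calls open() on a path, so a file that contains the pattern but was not named on the command line is simply unreachable to it.

```python
"""Toy POLA shell (added example, not code from the e-lang thread or from E).

Models the proposal in the quoted message: the shell expands the command
line and hands each command *only* the files named on it.  Files are passed
as capability objects that wrap an already-open read-only descriptor, so the
command receives authority over those files and nothing else; it never sees
a path it could open on its own.  The names pola_shell, cap_grep and
ReadOnlyFileCap are invented for this sketch.
"""
import glob
import os
import shlex
import tempfile


class ReadOnlyFileCap:
    """The authority to read exactly one file.

    Holding the open descriptor instead of the path is what makes this a
    capability: the holder can read this file but cannot use it to reach
    a sibling, a parent directory, or anything else in the file system.
    """

    def __init__(self, path):
        self._fd = os.open(path, os.O_RDONLY)
        self.name = os.path.basename(path)

    def read_text(self):
        os.lseek(self._fd, 0, os.SEEK_SET)
        chunks = []
        while True:
            block = os.read(self._fd, 65536)
            if not block:
                break
            chunks.append(block)
        return b"".join(chunks).decode("utf-8", "replace")

    def close(self):
        os.close(self._fd)


def cap_grep(pattern, caps):
    """grep 'rewritten' against capabilities.

    It takes file capabilities, not paths, and never calls open(); the
    only files it can search are the ones the shell chose to hand it.
    Returns (file name, line number, line) for every match.
    """
    hits = []
    for cap in caps:
        for lineno, line in enumerate(cap.read_text().splitlines(), 1):
            if pattern in line:
                hits.append((cap.name, lineno, line))
    return hits


# Commands the shell knows; each takes its plain arguments plus a list of caps.
COMMANDS = {"grep": cap_grep}


def pola_shell(command_line, cwd):
    """Expand globs relative to cwd, convert every argument that names an
    existing regular file into a ReadOnlyFileCap, and run the command with
    the remaining plain arguments plus those capabilities only."""
    words = shlex.split(command_line)
    name, args = words[0], words[1:]
    expanded = []
    for arg in args:
        matches = sorted(glob.glob(os.path.join(cwd, arg)))
        expanded.extend(matches or [arg])  # non-matching words stay literal
    caps, plain = [], []
    for arg in expanded:
        if os.path.isfile(arg):
            caps.append(ReadOnlyFileCap(arg))
        else:
            plain.append(arg)
    try:
        return COMMANDS[name](*plain, caps)
    finally:
        for cap in caps:  # the granted authority ends with the command
            cap.close()


def demo():
    """Constructed sample tree: two .java files and a secrets file that also
    contains the pattern but is not named on the command line, so the
    command gets no capability for it and cannot report its contents."""
    d = tempfile.mkdtemp()
    files = {
        "Avatar.java": "class Avatar {\n  void createAvatar() {}\n}\n",
        "Util.java": "class Util {}\n",
        "secrets.txt": "createAvatar token=EXAMPLE-NOT-REAL\n",
    }
    for fname, text in files.items():
        with open(os.path.join(d, fname), "w") as f:
            f.write(text)
    return pola_shell("grep createAvatar *.java", d)


if __name__ == "__main__":
    for fname, lineno, line in demo():
        print(f"{fname}:{lineno}:{line}")
```

The point of the sketch is where the authority lives: an ordinary grep holds ambient authority (any path the process may open), whereas cap_grep can only ever touch the objects it was passed, which is exactly the lexical-scoping discipline the quoted message credits the E command line with. Running `demo()` reports the match in Avatar.java and nothing from secrets.txt, because no capability for the latter was ever created.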