[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

David Wagner daw@mozart.cs.berkeley.edu
3 Feb 2001 02:21:40 GMT

Bill Frantz wrote:
>To some extent, the level of assurance you need depends on the threat.
>Capability languages, such as E, provide enough assurance to protect a
>programmers against their own mistakes; even while they aren't strong
>enough to protect against hostile programmers.

I'm almost ready to accept your argument, but there's an important
barrier: In the dominant attack scenario today, the attacker obtains
the ability to modify the code of the application.

Consequently, it seems to me that one of the greatest roles for the
Principle of Least Privilege and the ability to confine applications
within a limited domain of execution is that this will prevent the spread
of intrusion.  In case the application is compromised and the attacker
gets to run malicious code from the application's address space, the
harm to the rest of the system can still be contained.  Thus, I'm looking
for a form of "watertight compartments", so that we can avoid Titanic-like
security disasters.

Given this threat model, it's not clear to me that type-safe languages
will be secure enough.

(You could argue that vulnerabilities that let the attacker execute
malicious code won't occur in E-based systems; however, this seems hard to
prove.  Given the history of subtle ways that this failure mode can
occur, and given my generally paranoid nature, I'm not sure that it
is a good idea to ignore this risk.)