[E-Lang] ERTP-aware MintMaker
Jonathan S. Shapiro
Wed, 14 Feb 2001 21:22:00 -0500
I really don't want to rain on MarkM's parade, but I really cannot let
his note go uncritiqued.
I think that MintMaker has gotten a lot of scrutiny here. I think the
scrutiny in this very small case has been nearly exhaustive. I think
this is wonderful, and I think that it's a significant achievement.
To say, however, that this is the first time a capability system has
received serious scrutiny is simply untrue, and it does a
great and gross disservice to the many people who have been involved in
trusted system evaluations since before most of us were born. While
MintMaker has received a lot of attention, it has not received
*rigorous* attention in a systematic way. There are many many systems,
capability-based and otherwise, that *have* been subjected to rigorous
and systematic examination.
Within the high assurance community, one of the very serious concerns
about open source review as a basis for security claims is that it does
not in general appear to lead to systematic, rigorous examination. I
believe that we have a chance of altering this by altering the behavior
of the open source community, but not by overselling our
Let's celebrate the well-deserved achievements that we have. Certainly
including this one! But in the process, let us resist the temptation to
short-change the very important efforts of others who have gone before
us, or to make overstated claims about the degree of our success. As
MarkM says: "we have *started* down this path" (emphasis mine). My
question is: what can we do to make this path common rather than
exceptional practice, and to make it more systematic in the future?
"Mark S. Miller" wrote:
> To my knowledge no capability-based security program has ever been subjected
> to the kind of open public scrutiny Hal and Tyler have brought to this
> MintMaker. Yes, just these few days has exceeded the entire history to
> date of open public scrutiny of capability programs, whether expressed in a
> capability language or built to run a capability OS. Such scrutiny has
> often been applied to crypto systems, with great success, or with the
> security of established open source systems, like Linux, which happen to be
> ACLish. Till today I could only look over at that and gnash my teeth with
> envy. This is the only process that can ever give real confidence in the
> security of a system, if it is applied to a system that can be made secure.
> I feel like today we have entered into that new world. Besides making these
> particular programs secure, we will come to understand, through a publicly
> archived and re-reviewable process, what programming practices, patterns,
> and processes lead towards or away from danger. It is often said that taste
> is a compiled form of a large bag of heuristics. In general, our experience
> and the shared experiences of others shape our tastes of what makes a good
> program. It is a form of deep look-ahead. "If you do it this way, it will
> remain modular and smooth." Modern programming taste has evolved over
> generations of time as ever more such lessons are compiled in.
> We have now started down this path for capability programs. This wouldn't
> have been possible without the open source process, which is to say as well,
> it wouldn't have been possible without y'all -- the participants of this
> list. I am deeply grateful.