[E-Lang] ERTP-aware MintMaker

Jonathan S. Shapiro shap@cs.jhu.edu
Wed, 14 Feb 2001 21:22:00 -0500

Mark, all:

I really don't want to rain on MarkM's parade, but I really cannot let
his note go uncritiqued.

I think that MintMaker has gotten a lot of scrutiny here. I think the
scrutiny in this very small case has been nearly exhaustive. I think
this is wonderful, and I think that it's a significant achievement.

To say, however, that this is the first time a capability system has
received serious scrutiny is simply untrue, and it does a
great and gross disservice to the many people who have been involved in
trusted system evaluations since before most of us were born. While
MintMaker has received a lot of attention, it has not received
*rigorous* attention in a systematic way. There are many many systems,
capability-based and otherwise, that *have* been subjected to rigorous
and systematic examination.

Within the high assurance community, one of the very serious concerns
about open source review as a basis for security claims is that it does
not in general appear to lead to systematic, rigorous examination. I
believe that we have a chance of altering this by altering the behavior
of the open source community, but not by overselling our

Let's celebrate the well-deserved achievements that we have. Certainly
including this one! But in the process, let us resist the temptation to
short-change the very important efforts of others who have gone before
us, or to make overstated claims about the degree of our success.  As
MarkM says: "we have *started* down this path" (emphasis mine). My
question is: what can we do to make this path common rather than
exceptional practice, and to make it more systematic in the future?


"Mark S. Miller" wrote:
> To my knowledge no capability-based security program has ever been subjected
> to the kind of open public scrutiny Hal and Tyler have brought to this
> MintMaker.    Yes, just these few days has exceeded the entire history to
> date of open public scrutiny of capability programs, whether expressed in a
> capability language or built to run a capability OS.  Such scrutiny has
> often been applied to crypto systems, with great success, or with the
> security of established open source systems, like Linux, which happen to be
> ACLish.  Till today I could only look over at that and gnash my teeth with
> envy.  This is the only process that can ever give real confidence in the
> security of a system, if it is applied to a system that can be made secure.
> I feel like today we have entered into that new world.  Besides making these
> particular programs secure, we will come to understand, through a publicly
> archived and re-reviewable process, what programming practices, patterns,
> and processes lead towards or away from danger.  It is often said that taste
> is a compiled form of a large bag of heuristics.  In general, our experience
> and the shared experiences of others shapes our tastes of what makes a good
> program.  It is a form of deep look-ahead.  "If you do it this way, it will
> remain modular and smooth."  Modern programming taste has evolved over
> generations of time as ever more such lessons are compiled in.
> We have now started down this path for capability programs.  This wouldn't
> have been possible without the open source process, which is to say as well,
> it wouldn't have been possible without y'all -- the participants of this
> list.  I am deeply grateful.
>         Cheers,
>         --MarkM
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang