[E-Lang] Reliance & Static Security Checking

Karp, Alan alan_karp@hp.com
Fri, 5 Jan 2001 13:34:24 -0800


> -----Original Message-----
> From: Mark S. Miller [mailto:markm@caplet.com]
> Sent: Friday, January 05, 2001 10:11 AM
> To: Karp, Alan
> Cc: E Language Discussions
> Subject: RE: [E-Lang] Reliance & Static Security Checking

> An example of a possible static reliance check failure:
> 
>     define foo : rely(Foo) := ... # where Foo is a delicate type
>     define bar : suspect(Bar) := ...
> 
>     bar snorgle(foo)    # static reliance check failure
> 
> If the containing object relies on foo and foo is delicate, then it would
> seem to be a mistake to give bar access to foo, since bar is suspect.  bar
> might damage foo in a way that damages the containing object's correctness
> as well.
> 
> >I had thought that "suspect" propagated the way
> >taint does in Perl, but I don't see that in your example.  Is that your
> 
> I don't know "taint".  Could you explain?  (Please don't assume much
> knowledge of Perl.  I have learned it on occasion, but it doesn't stick to
> my brain.)


What you've described is a generalization of Perl's taint.  The problem is
that many scripts have to run with differing real and effective user ids,
often root.  Taint checking prevents any data from outside your program
affecting anything else outside your program.  For example, you can't write
a file if the filename came in over the network.  (Actually, Perl will just
tell you that you shouldn't; you can always do it anyway.)  Any variable
derived from a tainted variable becomes tainted as well.  There's an
excellent description on pages 336-337 in the second edition of Programming

Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
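Added example, not from the thread: the taint behaviour Alan describes above (outside data may not affect anything outside the program, and taint propagates to derived values), shown in a Perl script run under `-T`. The script name `taint_demo.pl` and the `/tmp/upload-` prefix are assumptions; `Scalar::Util::tainted` is used only to display the taint flag.

```perl
#!/usr/bin/perl -T
# Perl taint mode demonstration. Run as:  echo 'report.txt' | perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Anything read from STDIN, @ARGV or %ENV is tainted under -T.
my $remote_name = <STDIN>;
defined $remote_name or die "need a filename on standard input\n";
chomp $remote_name;

# Taint propagates: a string built from a tainted value is itself tainted.
my $path = "/tmp/upload-" . $remote_name;    # assumed destination prefix
printf "remote_name tainted: %s, derived path tainted: %s\n",
    tainted($remote_name) ? 'yes' : 'no', tainted($path) ? 'yes' : 'no';

# Sink: modifying a file whose name is tainted is an "Insecure dependency"
# and dies; eval catches it so the script can report what happened.
my $wrote = eval { open(my $fh, '>', $path) or die "open: $!\n"; close $fh; 1 };
print $wrote ? "wrote $path\n" : "refused: $@";

# The only sanctioned way to untaint is a regex capture: the programmer
# asserts that the captured text is safe, so the pattern must be an
# allow-list. Here: a bare filename, no slashes, no leading dot.
if ($remote_name =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/) {
    my $clean_path = "/tmp/upload-$1";        # $1 is not tainted
    open(my $fh, '>', $clean_path) or die "open $clean_path: $!\n";
    close $fh;
    print "wrote $clean_path after validation\n";
} else {
    print "rejected '$remote_name': not a plain filename\n";
}
```

With `report.txt` on standard input the first open is refused with "Insecure dependency in open while running with -T switch" and the second succeeds; with `../etc/passwd` the first is refused the same way and the second is rejected by the allow-list.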