[E-Lang] Java 2 "Security" (was: Re: Welcome ChrisSkalkaand ScottSmith of Johns Hopkins)

Mark S. Miller markm@caplet.com
Sat, 20 Jan 2001 20:36:34 -0800

At 06:39 PM Saturday 1/20/01, David Wagner wrote:
>Mark S. Miller wrote:
>> [...] any effort spent building redundant 
>> wall would have been better spent debugging.
>An interesting claim, but it seems to go against a classic,
>long-held principle of computer security: defense in depth.
>It seems like an interesting topic.  Can you elaborate
>a bit more on your position?  

I endorse Tyler's elaboration.  See also my response to Tyler.

>What makes you come to this
>conclusion?  If you have any evidence, I'd love to hear it!

The KeyKOS / EROS systems are the ones that inspire the greatest confidence 
in me, and in various others I respect.  When I look at these systems, the 
phrases "defense in depth" or "redundant walls" seem to apply much less than 
"minimal perfect mechanism".  Their minimalism is clearly related to the 
high confidence they inspire.

I would make similar statements regarding secure languages, but there's much 
less shared understanding of security in this domain.  (Obviously, I'd like 
to see this change.)

Note that I've explicitly exempted cryptanalysis, physical attacks, 
electrical attacks (microwave, power analysis), and such as being attacks on 
the integrity of (what we model as) the primitive security abstractions.  At 
this level, defense in depth does apply.  KeyKOS & EROS make no claims to 
security at this level, nor could they.  They are, as Tyler puts it, 
mathematical objects built out of these primitives.

A crucial, neglected, and hard to classify area is secure user interface 
design.  As you know, I have a great interest in seeing research progress in 
in this area.  This area may not fall neatly either above or below the line, 
because the user does not.