[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)
Mark S. Miller
Sat, 20 Jan 2001 20:36:34 -0800
At 06:39 PM Saturday 1/20/01, David Wagner wrote:
>Mark S. Miller wrote:
>> [...] any effort spent building redundant
>> wall would have been better spent debugging.
>An interesting claim, but it seems to go against a classic,
>long-held principle of computer security: defense in depth.
>It seems like an interesting topic. Can you elaborate
>a bit more on your position?
I endorse Tyler's elaboration. See also my response to Tyler.
>What makes you come to this
>conclusion? If you have any evidence, I'd love to hear it!
The KeyKOS / EROS systems are the ones that inspire the greatest confidence
in me, and in various others I respect. When I look at these systems, the
phrases "defense in depth" or "redundant walls" seem to apply much less than
"minimal perfect mechanism". Their minimalism is clearly related to the
high confidence they inspire.
I would make similar statements regarding secure languages, but there's much
less shared understanding of security in this domain. (Obviously, I'd like
to see this change.)
Note that I've explicitly exempted cryptanalysis, physical attacks,
electrical attacks (microwave, power analysis), and such as being attacks on
the integrity of (what we model as) the primitive security abstractions. At
this level, defense in depth does apply. KeyKOS & EROS make no claims to
security at this level, nor could they. They are, as Tyler puts it,
mathematical objects built out of these primitives.
A crucial, neglected, and hard to classify area is secure user interface
design. As you know, I have a great interest in seeing research progress in
this area. This area may not fall neatly either above or below the line,
because the user does not.