[E-Lang] Java 2 "Security" (was: Re: WelcomeChrisSkalkaand ScottSmith of Johns Hopkins)

Jonathan S. Shapiro shap@cs.jhu.edu
Sun, 21 Jan 2001 02:32:54 -0500

"Mark S. Miller" wrote:
> The KeyKOS / EROS systems are the ones that inspire the greatest confidence
> in me, and in various others I respect.  When I look at these systems, the
> phrases "defense in depth" or "redundant walls" seem to apply much less than
> "minimal perfect mechanism".  Their minimalism is clearly related to the
> high confidence they inspire.

Actually, the absence of defense in depth was by far the most severe
criticism brought against KeyKOS during the informal evaluation process
that was done at NSA.

Having "minimal mechanism" is indeed a good thing. It maximizes the
likelihood that the programmer can get the program right and/or that the
user can restrict the behavior of the program. These are good things.
Defense in depth here is not called for -- if the programmer intends to
use the mechanism and is able to understand it they will use it if it is
simple enough to do so. In my opinion, the goal here is to have a small
pool of simple tools that are easily composed. Ideally, you would also
like automated means to learn whether these goals have been met in a
given implementation.

Above the abstraction line, defense in depth becomes appropriate when we
speak of mandatory controls: a system administrator is trying to
restrict a broad class of behavior without reference to specifics of
implementation. As a practical matter, this is often done with filtering
statements, and usually these filtering statements reflect experience
with prior ways in which programs have been compromised (i.e. the
programs are no longer obeying the intent of either the user or the
programmer). This process is necessarily ad hoc and imperfect.

Defense in depth also becomes appropriate for "second chance" security.
A major problem with capability systems is: "What do I do *after* I make
a mistake?" In the real world, we often know that the recipient does not
act immediately. It is desirable to be able to undo an erroneous
transmission. This, by the way, is where ACLs come in to play.