[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Norman Hardy norm@cap-lore.com
Mon, 22 Jan 2001 22:39:13 -0800


At 11:25 AM -0500 1/20/01, Scott Smith wrote:

....

>I take issue with "no security whatsoever".  My opinion is security
>should not be defined as an idealized concept.  Security "works" if the
>tax of the break-ins plus the hassle of the security policy is
>tolerable.  Too much security is just as bad as too little.  So, in this
>sense the cross-checks do work today because they statistically cut out
>a lot of fraud.  ANY security system ultimately boils down to statistics
>on how many violations happen and their cost, NOT to some proof of
>correctness, because every security system lives in this universe with
>real people and computers, not in a mathematical universe.

When a program tries to store at some address the MMU really allows 
it or disallows it. There is no middle ground. Keykos and Eros try to 
extend this "idealized" degree of security to abstraction levels 
where applications too can provide the kind of security that you call 
idealized. "Too much security is bad ..." is a tautology. Perfect 
security may sometimes be easy, but not if it is burdensome. (that's 
a tautology too.) Perhaps it need not be burdensome.

....

>When users are directly manipulating capabilities the same problems will
>arise.  My guess is a good chunk of stolen credit cards were first
>misplaced by their owner.  "Oops, attached the wrong capability to 
>that email!"

...
You have an important point here. You can hope to debug simple 
trusted programs so they need not say "Oops". People are another 
thing. Ka-Ping Yee is working on a term paper addressing these issues. 
I hope his paper will be online soon. I don't expect to attain 
perfect security when people are involved. Good interface design 
based on simple sound concepts will help mightily.

...
-- 
Norman Hardy  <http://cap-lore.com/>