[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalkaand
ScottSmith of Johns Hopkins)
Mon, 22 Jan 2001 22:39:13 -0800
At 11:25 AM -0500 1/20/01, Scott Smith wrote:
>I take issue with "no security whatsoever". My opinion is security
>should not be defined as an idealized concept. Security "works" if the
>tax of the break-ins plus the hassle of the security policy is
>tolerable. Too much security is just as bad as too little. So, in this
>sense the cross-checks do work today because they statistically cut out
>a lot of fraud. ANY security system ultimately boils down to statistics
>on how many violations happen and their cost, NOT to some proof of
>correctness, because every security system lives in this universe with
>real people and computers, not in a mathematical universe.
When a program tries to store at some address the MMU really allows
it or disallows it. There is no middle ground. Keykos and Eros try to
extend this "idealized" degree of security to abstraction levels
where applications too can provide the kind of security that you call
idealized. "Too much security is bad ..." is a tautology. Perfect
security may sometimes be easy, but not if it is burdensome. (that's
a tautology too.) Perhaps it need not be burdensome.
>When users are directly manipulating capabilities the same problems will
>arise. My guess is a good chunk of stolen credit cards were first
>misplaced by their owner. "Oops, attached the wrong capability to
You have an important point here. You can hope to debug simple
trusted programs so they need not say "OOps". People are another
thing. Ka-Ping Ye is working on a term paper addressing these issues.
I hope his paper will be online soon. I don't expect to attain
perfect security when people are involved. Good interface design
based on simple sound concepts will help mightily.
Norman Hardy <http://cap-lore.com/>