[E-Lang] defense in depth

Jonathan S. Shapiro shap@eros-os.org
Wed, 24 Jan 2001 13:58:00 -0500

> --With languages like E, the rate at which programmers will introduce
> security breaches will go down. And the frequency with which they will
> introduce security breach closures will go up.

I share with you the hope that this is true, and also the expectation/belief
that it will prove to be true, but it is important to take note of which
beliefs we need to come back and test later. That is: this is an assertion,
not a fact.

A bit of good news: several studies have suggested that over 50% of security
bugs prove on examination to be buffer overrun bugs, and another large
percentage are fencepost errors. Both of these types of bugs should be
impossible in E.

> ...though we cannot build huge software systems with no security breaches
> at all (there's just too much stuff in such a system), we can indeed build
> huge software systems in which the security breaches are narrow, generally
> unimportant, and non-multiplicative..

I agree. I would add to your list that we vary likely will be able to build
systems out of components, and that it appears that we may be able to arrive
at a programming style in which (a) use of components is commonplace and (b)
it is possible to verify that the components satisfy certain initial
security properties (I'm thinking of confinement). I believe (without
evidence) that there is a deceptive amount of power placed in the hands of
the programmer by the following change in programming paradigm:

1. here is a brand spanking new baby object (picture object in fuzzy pink or
blue romper, to taste :-)
2. at this moment when the object is born, it is safe to speak to it without
3. All you gotta do now is treat it with appropriate respect as you hook it
up to things.

Simply getting programmers to *conceive* the problem as compositional in
this way should (I think) be a major step forward quite above and beyond the
question of capabilities and the merits of OOP.

> ... though the only testers of this belief so far have been a
> series of older and wiser marc stieglers, who have been unable to find
> in the designs created by younger and more foolish marc stieglers :-)

See! Checkpointing *is* useful! :-)