[E-Lang] defense in depth

Ben Laurie ben@algroup.co.uk
Wed, 24 Jan 2001 23:25:24 +0000


Nikita Borisov wrote:
> Of course, this additional layer does not come without cost.  But the
> question is to trade off this cost of defense in depth against the
> potential benefits.  It seems that a lot of people in this thread are
> asserting that the additional benefit is zero, which I find hard to
> believe.  Am I misunderstanding what people are saying?

If I remember where we came in, the question was "what does stack
inspection give us that capabilities do not?" - and the motivation (on
reflection) for the question was that the kind of programming model that
makes stack inspection possible is exactly the kind that you would never
see in a capability system. So, whilst defence in depth is a good thing,
I, at least, doubt that stack inspection is compatible with capabilities
in a way that makes it possible to layer the two.

In other words, I claim that in a stack inspection system the moment you
would inspect the stack is precisely the moment that, in a capability
system, you would cross a process boundary, and thus change your
capability set appropriately. If you inspect the stack on the calling
side, you will find that you did indeed, have the appropriate capability
and authority to use it (to call the new process with its, as yet,
unknown capabilities), and on the called side, there's no stack to
inspect. Thus, stack inspection only gives a superficial impression of
depth, without real substance.

On other kinds of defence in depth, I have no comment, coz I don't
remember any other kinds being discussed.

OTOH, I may think something completely different tomorrow (seven
impossible things before breakfast, and all that).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff