[E-Lang] defense in depth

David Wagner daw@mozart.cs.berkeley.edu
25 Jan 2001 08:27:10 GMT


Marc Stiegler wrote:
>Totally off the topic you were pursuing, with E it is amusingly possible to
>do better than this if you're willing to forsake Apache. I actually wrote an
>itty-bitty Web Server in E with one special feature: [...]

I'm glad you are willing to test the hypothesis that E allows
you to build more secure systems (and test it on applications
of considerable practical interest).

However, I'm not convinced that this test tells us very much.
No matter what language you use (capability-based or not), it
is very easy to write a webserver that is probably very secure,
if you're willing to give up all the features that you'd find in
a deployed webserver like Apache.  Those features are perceived
as fairly critical for widespread adoption, but they are also
what adds complexity and makes it hard to build a high-assurance
webserver, so comparing a stripped-down webserver with Apache
is comparing apples and oranges.

A better test, in my mind, is whether one can support similar
functionality as Apache, but with a higher level of assurance,
by implementing appropriately in a capability-based programming
environment.  Has anyone carried out such a test?