[E-Lang] defense in depth

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 25 Jan 2001 08:32:23 -0500


David Wagner wrote:
> >A bit of good news: several studies have suggested that over 50% of security
> >bugs prove on examination to be buffer overrun bugs, and another large
> >percentage are fencepost errors. Both of these types of bugs should be
> >impossible in E.
> 
> But you don't need capabilities for this.  Buffer overruns really
> come from a poorly-defined strings API in the standard library...

Actually, they come from a poorly designed string type in the underlying
runtime, which the library must then support badly.

In any case, my point was that there are many factors in building more
secure systems. E combines two of them: a careful runtime and
capabilities. One of my real disappointments in the way that Sun has
(mis)handled licensing for Java is that it appears impossible to write
the majority of the EROS code in a popular pointer-safe language. This
is one of the reasons that MarkM is working so hard on E-Native at the
moment. Also, of course, his current client is paying him to do so. :-)

Come to that (and apologies for straying to an EROS question on the
e-lang list), does anyone know of a compiled safe language that we might
want to consider?

Jonathan
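The exchange above turns on where buffer overruns come from: the C runtime represents a string as a bare char array ending in a nul byte, so no routine knows how much room it has, and the library then has to paper over that. The following is an added example, not code from this message or from E or EROS, contrasting a counted string type (the `struct cstring` name and its functions are assumed here for illustration) with the C library's `strncpy`, whose nul-termination rule is one of the fencepost traps the message mentions. All inputs are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A counted string: the length and capacity travel with the bytes, so no
   routine has to scan for a terminator and every write can be checked
   against the capacity before it happens. (Assumed type for illustration.) */
struct cstring {
    char   *data;
    size_t  len;   /* bytes currently in use */
    size_t  cap;   /* bytes available in data */
};

/* Append n bytes from src. Returns 0 on success, -1 if they would not fit;
   on failure the string is left untouched. An overrun is impossible here
   because the check is done against cap, not against a terminator. */
int cstring_append(struct cstring *s, const char *src, size_t n)
{
    if (n > s->cap - s->len)
        return -1;
    memcpy(s->data + s->len, src, n);
    s->len += n;
    return 0;
}

/* The C-library way: copy src into a fixed buffer with strncpy. strncpy
   stops after bufsz bytes but adds no terminator when src is bufsz bytes
   or longer, so the result may not be a string at all. Returns 1 if buf
   ends up nul-terminated within bufsz bytes, 0 if it does not (the
   fencepost case every caller must remember to handle). */
int c_copy_terminated(char *buf, size_t bufsz, const char *src)
{
    strncpy(buf, src, bufsz);
    return memchr(buf, '\0', bufsz) != NULL;
}

int main(void)
{
    char storage[8];
    struct cstring s = { storage, 0, sizeof storage };

    /* Constructed inputs: the second append would need 10 bytes in an
       8-byte buffer and is rejected instead of overrunning. */
    printf("append hello: %d\n", cstring_append(&s, "hello", 5));   /* 0 */
    printf("append world: %d\n", cstring_append(&s, "world", 5));   /* -1 */
    printf("len after rejected append: %zu\n", s.len);              /* 5 */

    char buf[8];
    printf("strncpy \"hello\" terminated: %d\n",
           c_copy_terminated(buf, sizeof buf, "hello"));            /* 1 */
    printf("strncpy \"exactly8\" terminated: %d\n",
           c_copy_terminated(buf, sizeof buf, "exactly8"));         /* 0 */
    return 0;
}
```

The counted type makes the failing case an error return that the caller sees, whereas with the char-array representation the library can only offer a function whose correct use depends on the caller re-checking the terminator after every call.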