[E-Lang] defense in depth
Jonathan S. Shapiro
Thu, 25 Jan 2001 08:34:47 -0500
David Wagner wrote:
> A better test, in my mind, is whether one can support similar
> functionality as Apache, but with a higher level of assurance...
This is not a good test. Some of the functions in Apache are inherently
insecure. These should not be supported in a high-assurance environment,
and compatibility be damned.
It is fine to have low-assurance programs, so long as you know what they
are. My objection to your proposed criteria is that they embed
fundamentally incompatible objectives: high assurance and perfect
A better test might be to explore the tradeoffs between high assurance
and compatibility, in order to better understand what features are
securable and what features are not.