[E-Lang] defense in depth

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 25 Jan 2001 08:34:47 -0500

David Wagner wrote:
> A better test, in my mind, is whether one can support similar
> functionality as Apache, but with a higher level of assurance...

This is not a good test. Some of the functions in apache are inherently
insecure. These should not be supported in a high-assurance environment,
and compatibility be damned.

It is fine to have low-assurance programs, so long as you know what they
are. My objection to your proposed criteria is that they embed
fundamentally incompatible objectives: high assurance and perfect

A better test might be to explore the tradeoffs between high assurance
and compatibility, in order to better understand what features are
securable and what features are not.