[E-Lang] defense in depth

Bill Frantz frantz@communities.com
Thu, 25 Jan 2001 11:33:55 -0800


At 11:07 AM 1/25/01 -0800, hal@finney.org wrote:
>Would this be an example of defense in depth:
>
>I receive signed, mobile code from a remote system.  I compare the
>signature against a list of key holders I trust in order to decide to run
>the code.  As a further assurance, I only give the code capabilities to
>use those files which should be necessary for its operation.
>
>More concretely, suppose the company I work for authorizes only certain
>programs to be run on workers' machines, and it does so by issuing a
>signature by a company-controlled key on those programs.  Only if I see
>this signature will I allow the program to run on my machine.
>
>Now, if the capability system fails, I'm probably still OK because the
>mobile code is unlikely to be hostile since it was signed by someone
>I trust.  Or if the signature system fails (perhaps the signature key
>was stolen), the damage a malicious applet can inflict is limited because
>it only has capabilities appropriate to its task.  We have two defenses
>and both have to fail for catastrophe to occur.
>
>Would this form of defense in depth be appropriate for use in conjunction
>with a capability system?

This sounds like a fine example of "making a system where it is safe to run
Javascript".  (I can see the handwriting on the wall.  I'm going to have to
turn Javascript on in my browser to do simple things, like check air flight
arrival times.)  Javascript is supposed to be "safe"  (Safe for whom?)  I
expect that Javascript in EROS would still have all the privacy risks of
user tracking that seem part and parcel of modern web technology.  However,
EROS should be able to keep it from installing Trojan horses,
counterfeiting windows, and stealing data.