[E-Lang] Fw: E questions partial answers

Marc Stiegler marcs@skyhunter.com
Fri, 6 Jul 2001 16:39:10 -0700


as I originally sent to Jonathan.

--marcs

----- Original Message -----
From: "Marc Stiegler" <marcs@skyhunter.com>
To: <jar1@mumble.net>
Cc: "mark miller" <markm@caplet.com>
Sent: Thursday, July 05, 2001 4:48 PM
Subject: Re: E questions


> Jonathan,
>
> Sorry it took me so long to reply, some of your questions are hard :-)
>
> First of all, my email address is marcs@skyhunter.com, not
> marks@skyhunter.com. It's an easy mistake to make, and one I should fix in
> our server by routing "marks" to me as well (as it is, it gets routed to my
> wife, and normally she would forward it, but she has been gone for 6 weeks
> on vacation).
>
> I have put markm in a closet and am not allowing him out of the closet
> until he has made progress on CapTP, which is critical to progress on our
> contract. So I will do my poor best to answer your questions.
>
>
> >To fill in the gap between jobs (still don't have a permanent
> >position) I'm consulting on a scripting language.  I won't go into the
> >reasons why this project needs a new language - I'm not sure I believe
> >them myself - but I'm advising them to steal as much as they can.
> >Since they say they want distributed and secure, I'm obviously
> >telling them to at least use E ideas, if not Elib itself.  This has
> >led me into questions I can't answer easily.
>
> Well...I have to say, they can get onto the raw bleeding edge of technology
> just by using E, either off the shelf or customizing it to their needs, and
> it will save them $10M in R&D costs, which is probably a worthwhile expense
> to avoid--indeed, I should think they'd be so grateful that they'd think it
> was swell to give you a 10% finder's fee on the $10M you saved 'em :-)
>
> >1. What is the current position on debugging?  That is -- is it
> >anticipated that there will be anything beyond explicit user-written
> >methods and insertion of "print statements" to help track what's going
> >on in a vat, set of objects, or other arena?  I could imagine, for
> >example, a special super-user capability that allowed the debugging
> >entity to get back-door access to internals of all objects in a vat.
> >It sounds horribly wrong, but is there an alternative?
>
> We hope to enable simple debugging by hijacking Java debuggers, once we have
> an E to Java compiler. Markm has a scheme in mind to make that arrangement
> work very well. E explicitly acknowledges that "if the code is on your
> machine, you own it", which is the real life truth anyway, so mucking
> through your own entire vat is not considered a security breach :-) Markm
> has some thoughts about how a secure distributed system debugger would work
> without access to all the vats for all the parties, which would of course be
> a whopping big breach; markm will have to tell you his thoughts when he is
> again allowed to see daylight :-). We have identified a volunteer with a
> history of writing debuggers who is excited about writing the distributed
> capability-secure debugger. So it is possible we will see the distributed
> debugger before the hijacked debuggers (though the distributed debugger may
> well enter the world as a commercial product, not open sourceware).
>
> >2. How does one answer someone who says that they *really* want
> >something like a Java 2 security policy, or set of "business rules"
> >that specifies who can do what when?  This is basically an extension
> >of ACL's, and what these people are really saying might be: how can I
> >communicate intended policies (e.g. "only the personnel office should
> >be able to access employee reviews") to the system, assuming the
> >system is capable of understanding and respecting them?  Yes, tons of
> >assumptions here, but I hope you understand the heart of the question.
> >I see this as being a pre-capability thing, something you worry about
> >when an identifier is dereferenced to obtain a capability, so it's
> >probably outside the scope of E, but surely people who want to do apps
> >in E that involve persistent objects have thought about this issue?
>
> When faced with questions like this, I have a mantra that starts with, "if
> you want a better answer, one must begin with a better question"; I may
> actually say that, or not, depending on the quality of the audience. The
> correct answer lies in the direction of thinking about computer security in
> much the same way we think about physical security using locks and keys. How
> do employees get assigned physical keys to the different parts of a
> building? This is guided by policy quite nicely, and the basic guide is
> based on the use of default "roles" (though we rarely really think about
> roles explicitly when we are doing physical security). Is the person an
> employee? Then when he joins up, he gets a key to the main door, a key to
> his own office, and a key to his own filing cabinet. Is he a part of
> SysAdmin? Then he gets a key to the server room. Is he a part of the salary
> processing team? Then he gets a key to the salary database...probably
> read-only (in physical terms, he gets paper printouts). These roles, and the
> keys associated with each role, are all revocable, so if someone moves from
> SysAdmin to Payroll, the keys to the server room can be revoked at the same
> time the read access to the salaries is granted (though in real life
> organizations, only the most serious actually bother with revocation as you
> move around the company). When the employee departs, all roles and keys are
> revoked. All this stuff can be very nicely supported for capability systems
> by computer software; indeed, I was involved in the design of such a roles
> system a year or two ago, so if you need help building a roles
> administration system, you may want to subcontract to Combex :-)
>
>
> >3. How secure are the Miranda methods?  Has it been determined that
> >it's safe to give out type information, etc. to anyone possessing a
> >capability?
>
> The Miranda methods convey no authority beyond what you got in getting the
> original reference to the object. The example of handing out type
> information is a good example of this: it hands out information, but not
> power. If you figure out a security breach that seems to be a consequence
> of a Miranda method, let me know; one of my pet areas of research is the
> technical identification of the moment when a "breach" occurs, and which
> part of the system is at "fault" (though one may decide for various reasons
> to fix the problem in another location). If you convince me that the Miranda
> method is truly at fault, it will be a very interesting piece of stuff;
> we'll have to get GrandFather of Capabilities Norm Hardy to look at it if
> that happens.
>
>
> >4. What's "poE" (mentioned in MirandaMethods.java)?
>
> markm will have to answer when he's out of the closet.
>
> >It would be awfully nice if the E site and list archive were indexed,
> >by the way, so that I could easily tap into materials on various
> >subjects (such as the above)
>
> Yes. We all dream of better organized Web sites. An extremely high
> priority... as soon as v1.0 of E is in the can. So it will be several
> months before this is improved.
>
> --marcs
>
>
>
>
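The roles-and-keys answer to question 2 above can be made concrete in code. The block below is an added illustration for this archive page; it is not code from Marc's message, from E, or from the Combex roles system he mentions, and every name in it (Revoked, make_revocable, ReadOnlyFacet, RoleAdmin, Door, SalaryDB, the role table) is a hypothetical stand-in. It builds the physical-key analogy from three pieces capability people will recognize: a revocable forwarder (the "caretaker" pattern, where the employee holds only the forwarding proxy and the administrator keeps the revoker), an attenuating facet (the read-only view of the salary database, the "paper printout"), and a role table that bundles keys so that moving someone from SysAdmin to Payroll revokes the server-room key in the same step that grants salary read access, and termination revokes everything.

```python
"""Roles as bundles of revocable capabilities.

Added example, not from the original message, E, or Combex. All names are
hypothetical. Python's attribute access stands in for E message sends:
the holder of a proxy can only invoke what the proxy forwards.
"""


class Revoked(Exception):
    """Raised on any use of a key after its role has been withdrawn.

    Deliberately NOT a subclass of AttributeError, so that hasattr() and
    getattr(default) cannot silently mask a revoked key as 'missing'."""


def make_revocable(target):
    """Caretaker pattern: return (proxy, revoke).

    The proxy forwards every attribute lookup to the target while the
    shared cell still holds it; revoke() empties the cell. Only the
    proxy is ever handed out, so the holder cannot un-revoke it."""
    cell = [target]

    class Forwarder:
        def __getattr__(self, name):
            if cell[0] is None:
                raise Revoked(name)
            return getattr(cell[0], name)

    def revoke():
        cell[0] = None

    return Forwarder(), revoke


class Door:
    """A physical-key analogue: anything holding a reference can open it."""

    def __init__(self, name):
        self.name = name

    def open(self, who):
        return f"{who} opened {self.name}"


class SalaryDB:
    def __init__(self):
        self._rows = {"alice": 100}   # constructed sample data

    def read(self, who):
        return self._rows[who]

    def write(self, who, amount):
        self._rows[who] = amount


class ReadOnlyFacet:
    """Attenuation: exposes read() only. There is no write to forward."""

    def __init__(self, db):
        self._db = db

    def read(self, who):
        return self._db.read(who)


class RoleAdmin:
    """Policy lives here as a table: role -> {key name: factory(employee)}.

    Assigning a role mints one revocable proxy per key; the revokers stay
    inside the admin, the proxies go to the employee."""

    def __init__(self, role_table):
        self._roles = role_table
        self._held = {}   # employee -> {role -> {key name -> revoke()}}

    def hire(self, employee):
        self._held[employee] = {}
        return self.assign(employee, "employee")

    def assign(self, employee, role):
        keys, revokers = {}, {}
        for key_name, factory in self._roles[role].items():
            proxy, revoke = make_revocable(factory(employee))
            keys[key_name], revokers[key_name] = proxy, revoke
        self._held[employee][role] = revokers
        return keys

    def remove(self, employee, role):
        for revoke in self._held[employee].pop(role).values():
            revoke()

    def transfer(self, employee, old_role, new_role):
        self.remove(employee, old_role)       # revoke old keys first ...
        return self.assign(employee, new_role)  # ... then grant the new ones

    def terminate(self, employee):
        for role in list(self._held[employee]):
            self.remove(employee, role)
        del self._held[employee]


def demo():
    """Walk Bob through hire, SysAdmin -> Payroll, and departure."""
    main_door, server_room, salaries = Door("main door"), Door("server room"), SalaryDB()
    roles = {
        "employee": {"main_door": lambda e: main_door,
                     "office": lambda e: Door(f"{e}'s office")},
        "sysadmin": {"server_room": lambda e: server_room},
        "payroll": {"salaries": lambda e: ReadOnlyFacet(salaries)},
    }
    admin = RoleAdmin(roles)
    base_keys = admin.hire("bob")
    sysadmin_keys = admin.assign("bob", "sysadmin")
    out = {"server_before": sysadmin_keys["server_room"].open("bob")}
    payroll_keys = admin.transfer("bob", "sysadmin", "payroll")
    try:
        sysadmin_keys["server_room"].open("bob")
        out["server_after"] = "opened"
    except Revoked:
        out["server_after"] = "revoked"
    out["salary_read"] = payroll_keys["salaries"].read("alice")
    out["salary_write"] = hasattr(payroll_keys["salaries"], "write")
    admin.terminate("bob")
    try:
        base_keys["main_door"].open("bob")
        out["door_after"] = "opened"
    except Revoked:
        out["door_after"] = "revoked"
    return out


if __name__ == "__main__":
    print(demo())
```

The point the analogy makes, and the code enforces, is that "who can do what" is decided once, at the moment a key is minted and handed over, not re-checked against an identity on every access; afterwards the only policy operation is revocation, which the holder of the key cannot block because the revoker never leaves the administrator. The read-only facet shows the other half: attenuation happens by giving out an object that simply lacks the dangerous method, rather than by an ACL check inside the database.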