[E-Lang] Re: there is no security without a threat model (was: Re: [p2p-hackers] Reputation System: "Dimensions of Trust")

zooko@zooko.com
Thu, 14 Jun 2001 13:10:13 -0700


I've been thinking a little about "developing a threat model for E".  The first
thing that comes to mind is that E isn't really an application -- it is a tool
with which to build applications, so it would be better to think about the
kinds of threat models that might be applied to E applications and how the E
abstractions interact with them.

For example, if I were to build a distributed filesystem on top of E, I would
be concerned with a denial-of-service executed by an attacker with the power to
kill or to subvert a large but resource-bounded number of nodes.  (I.e., they
can spend X of their resources to kill a node or Y to subvert it, for as many
nodes as they want.)  Does this threat need to be considered when designing the
infrastructure for E itself?  No.  But "yes," if I am going to rely on E's
built-in routing/location service, since an insufficiently robust
routing/location service could provide a "chokepoint" where such an attacker
could gain increased DoS results from their resource expenditure (for example,
bifurcating the network costs only as much as killing or subverting K nodes,
but it deprives every node of *half* of its peers -- an asymptotic improvement
in Denial per Dollar.)


Anyway, generating a threat model for a specific application, while already
difficult, seems much easier than generating a set of possible threat models,
or some kind of meta-threat model, for all possible E apps.  But maybe it is
more straightforward than I think.

I'm sorry if this seems obvious, but that's as far as I've gotten.

Regards,

Zooko
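The "Denial per Dollar" argument in the post can be made concrete with a small simulation. The following is an added example, not code from the post or from the E project: it constructs a toy routing topology (two dense clusters joined only through K bridge nodes, an assumed chokepoint), measures denial as the number of (surviving node, former peer) pairs that can no longer reach each other, and divides by the attacker's cost, assumed here to be one unit per killed node. It compares cutting the K bridge nodes against killing K arbitrary in-cluster nodes and against brute-force killing a whole cluster.

```python
from collections import deque
from itertools import combinations
from typing import Dict, List, Set, Tuple

Graph = Dict[str, Set[str]]


def build_bridged_network(cluster_size: int, k_bridges: int) -> Tuple[Graph, List[str], List[str], List[str]]:
    """Constructed topology: two fully meshed clusters (L*, R*) that can only
    reach each other through k bridge nodes (B*), each linked to every cluster node."""
    adj: Graph = {}

    def link(a: str, b: str) -> None:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    left = [f"L{i}" for i in range(cluster_size)]
    right = [f"R{i}" for i in range(cluster_size)]
    bridges = [f"B{i}" for i in range(k_bridges)]
    for a, b in combinations(left, 2):
        link(a, b)
    for a, b in combinations(right, 2):
        link(a, b)
    for br in bridges:
        for node in left + right:
            link(br, node)
    return adj, left, right, bridges


def reachable(adj: Graph, start: str, dead: Set[str]) -> Set[str]:
    """Breadth-first search that routes only through surviving nodes."""
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dead and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def denial(adj: Graph, dead: Set[str]) -> int:
    """Total number of (survivor, former peer) pairs that can no longer communicate.
    Every node originally reached every other node, so the baseline is len(adj) - 1."""
    total_peers = len(adj) - 1
    lost = 0
    for u in adj:
        if u in dead:
            continue
        still_reachable = len(reachable(adj, u, dead)) - 1  # exclude u itself
        lost += total_peers - still_reachable
    return lost


def denial_per_dollar(adj: Graph, dead: Set[str], cost_per_node: float = 1.0) -> float:
    """Denial divided by attacker spend; an attack that kills nothing buys nothing."""
    cost = cost_per_node * len(dead)
    return denial(adj, dead) / cost if cost else 0.0


def peer_loss_fraction(adj: Graph, dead: Set[str], node: str) -> float:
    """Fraction of a surviving node's original peers it can no longer reach."""
    total_peers = len(adj) - 1
    return (total_peers - (len(reachable(adj, node, dead)) - 1)) / total_peers


def compare_attacks(cluster_size: int = 10, k_bridges: int = 2) -> Dict[str, float]:
    """Denial per Dollar for three attacker strategies on the constructed topology."""
    adj, left, right, bridges = build_bridged_network(cluster_size, k_bridges)
    return {
        "cut_bridges": denial_per_dollar(adj, set(bridges)),          # chokepoint attack, cost K
        "random_nodes": denial_per_dollar(adj, set(left[:k_bridges])),  # same spend, no chokepoint
        "kill_whole_cluster": denial_per_dollar(adj, set(right)),     # brute force, cost N
    }


if __name__ == "__main__":
    for name, ratio in compare_attacks().items():
        print(f"{name:>20}: {ratio:6.1f} denial per dollar")
```

With ten nodes per cluster and two bridges, cutting the bridges costs two kills yet strands every survivor from roughly half of its original peers (12 of 21), for 120 units of denial per dollar; spending the same two kills on ordinary nodes yields 20, and brute-forcing a whole cluster yields 12. Growing the clusters widens the gap, because the bridge attack's payoff scales with the square of the cluster size while its cost stays at K, which is the asymptotic improvement the post describes. The defensive reading is the post's own: measure a routing/location service by how small the cheapest cut is relative to the denial it buys, and treat that as part of the infrastructure's threat model rather than the application's.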