[E-Lang] Contract Award: Securing the Future of Capabilities
Thu, 28 Jun 2001 09:31:32 -0700
I am pleased to announce that Mark Miller and I recently won a DARPA
contract to deliver a capability based demonstration application in one
year. Actually, to be accurate, the DARPA contract was won by Combex, a
corporate entity for which I am COO and markm is CTO; Henry Boreen, with
extensive experience as CEO of integrated circuit firms, is the Chairman of
The application DARPA requires is itself not very interesting--a Web
browser which can use pluggable untrusted rendering engines, such that the
rendering engine must be confined to having authority over only a single
pane in a browser window. But as is often the case in DARPA, the goal is
development of the core infrastructure in pursuit of a proof of principle.
So in pursuit of this goal, we will build out a stripped-down Linux kernel
so that Linux does nothing but launch Java, which does nothing but launch E,
which does nothing but launch eDesk, which in turn launches applications
that have been built as properly formed caplets. By masking out the
underlying pieces of software, the whole system will in effect become a
Pretty Pure E Language Machine, and as such a Pretty Pure Capability Based
System ("pretty pure" because there are still opportunities for trouble in
the over-large TCB formed by Linux+device drivers+XWindows+Java). This
system, with eDesk as the File Manager/Launcher, will be alluringly close to
being a fully minimally functional capability secure desktop...but not
quite, not without a little help from our friends.
Even in a not-quite-complete stage, it will be, I believe, a visually
striking demo. I intend to fit it out with the Love Bug Caplet: a
downloadable E port of the Love Bug. This should serve nicely as a sample of
why viruses just can't spread epidemiologically through a capability
desktop. I am hopeful that this demo can do for capabilities what HTML and
the Mosaic browser did for hypertext--you could talk about hypertext till
you were blue and most people would still look at you like you were a
lunatic, but let them click three highlighted sections of text, and they'd
say it was always obvious. So I hope it will be for capabilities once people
have seen the Love Bug Caplet, and visually see why it is no longer a threat.
Anyway, the upshot is as follows:
-- Mark Miller and I will be working on E full time, flat out, full bore.
-- I will once again be in a position to keep markm totally focused on his
mission. "Stay on target", so often my mantra in the past, will become the
central guiding principle for E. We already have a draft PERT chart, though
it is not good enough yet to announce publicly :-) This much I can say,
however: I am giving everyone my personal guarantee that there will be a
version 1.0 release of E before the contract ends. For those of you who do
not know me, let me say that I have never failed to fulfill such a
commitment on a project as straightforward as E's remaining development
One consequence of this is that, if you were thinking of making a
contribution to the development of E but, because of the slow rate of
progress you were afraid that such effort would be a waste of time,
please reconsider. There will be an E 1.0, and I am
convinced your efforts will make a difference to the future of computing. It
would be fantastic if we had a complete community of developers, tools, and
products to announce to the world on the day that E is ready for launch.
Markm and I have several times identified handfuls of things that other
people could develop that would move the whole project forward. We plan to
list, and when such consolidation is done, we will post it.
Thank you everyone.