[E-Lang] Other languages with secure capabilities

[Pericles Akritides]

Marc Stiegler wrote:

> > Sorry I am not able to answer right now. But the implementation of
> > Secure Mozart and the design for the first version is almost ready. The
> > implementation is interesting in fact. At the language level security
> > overrides distribution behavior to guarantee language security. The
> > language itself is secure. This means for example that an object that
> > have migratory behavior becomes stationary if an attemp to access the
> > object comes from untrusted site.
> 
> I know this was a quick response you made, and not as well crafted as
> I'd guess you'll make make when you get back from your trip, but let me
> point out a couple of things I look forward to hearing clarified.

We will try to help clarifying as much as we can, too.

> 
> The phrase "untrusted site", while it is a phrase that feels comfortable,
> is almost always a false description. When using English, most of the
> populace (including myself) tends to use the phrase "untrusted" quite
> often--but when speaking in non-computerese situations, the real truth is
> always implied by the context of the conversation. When I say "I don't
> trust Joe", what I really mean is, "I don't trust Joe with my car keys"
> if borrowing the car was the context. In fact, I might have lent Joe my
> newest Java book the day before--if the context of the conversation had
> been borrowing a book, I would have said, "of course I trust him."

The context is the enforcement of the language rules and the ``real truth''
of Seif's statement is whether you trust a remote site's virtual
machine to enforce the language rules or not. All other notions of trust are
handled by the rules of the language, such as controlled visibility,
unforgeable references and Oz-names/chunks (the latter is an Oz specific
idiom for rights amplification).

> 
> In fact, human beings almost never totally trust or totally distrust
> anyone.  I would trust mark miller with my bank account or my life,

In the context of virtual machines enforcing language rules, you
either trust another site or not. Perhaps we should be more careful
with our terminology:)

Of course in E, sites are always mutually untrusted in this sense.
We certainly agree that from E's point of view, introducing the special
case is not compelling.

In Mozart as it is now, the case is always the exact opposite, sites
assume that other sites will enforce the rules of the language. From
a security point of view this is, well, bad. From a performance
point of view however, this assumption has (non-negligible?) effects
on the performance of the system. From the Oz transparent distributed
programming point of view, performance is important too because we don't
want people to be forced occasionally to go back to using explicit
message passing for performance reasons (neither for security reasons
of course... that's what we are trying to improve now).

A considerable amount of engineering has gone into Mozart based on this
assumption. It is our opinion that security* does not require
incompatible modifications in Mozart. Limiting the current eager copying
strategies is enough and is always possible to do. Of course, other issues
such as secure communication and unforgeable references, are completely
orthogonal to distribution semantics.


* We are referring to implementation security, the language is already
secure as long as the adversary stays within the boundaries of the
language. Implementation security is an inevitable step towards becoming
less academic:) the features you find contradictory in the current
(insecure) implementation can be simply suppressed when implementation
security is required by the application.


> On a more detailed level, if a site is truly untrusted, it should never
> have acquired the authority to talk to the object in the first place,
> much less cause it to move to another machine. For the truly untrusted
> site to talk to the object means a security breach has already occurred.

Of course this is true, we hope we have identified what was meant by
untrusted in that context:)

> 
> --marcs
> 

Excuse us for the clumsy reply, but we were not subscribed to the list
at the time of your posting.


Periklis Akritidis (akritid@vtrip-ltd.com)
Georgia Chalivelaki (chaliv@csd.uoc.gr)
--
``It just happened by a kind of natural selection.'' -- Linus Torvalds