[E-Lang] E FAQ
Jonathan S. Shapiro
shap@eros-os.org
Thu, 11 Oct 2001 23:10:37 -0400
> A simple design could also satisfy perimeter
> security by itself: the OS without system calls. By its simplicity, it
> would not facilitate flawed embeddings. We could have a level of
> confidence
> in its security vastly greater than the confidence we'd ever achieve in an
> OS in which processes can do anything...
I agree entirely with the point you are making. Now I shall pick a wording
nit (hopefully, to a purpose).
While we might have a greater degree of confidence in (e.g.) the
*nondisclosure* properties of such an operating system, we would not
have greater assurance of security, because security as a term includes
considerations such as "availability" -- the ability of subjects to access
the information that they are authorized to access.
MarkM and I have a very sloppy habit. We often (though not always) use the
term "security" when we mean "nondisclosure". There are other attributes of
security, and as with any other design discussion it is undesirable to focus
on one consideration when others are intertwined. I am trying to correct
this imprecision in my own speaking.
For example, a secure system is not useful if guarantees of progress, or at
least of the preconditions for progress, cannot be made. This is also a
security requirement.
Jonathan