[E-Lang] E FAQ
Mark S. Miller
markm@caplet.com
Thu, 11 Oct 2001 20:40:51 -0700
At 08:10 PM 10/11/2001 Thursday, Jonathan S. Shapiro wrote:
>While we might have a greater degree of confidence in (e.g.) the
>*nondisclosure* properties of such an operating system, we would not
>have greater assurance of security, because security as a term includes
>considerations such as "availability" -- the ability of subjects to access
>the information that they are authorized to access.
In the spirit of picking nits hopefully to a purpose, I claim this
no-system-call OS includes this other consideration as well. Since no
subject is authorized to access any information, all subjects have the
ability to access exactly that information to which they are authorized, and
no more.
Besides non-disclosure and non-access of information, this OS also provides
for the non-disclosure and non-access of authority. And all processes are
already confined, with nothing like factory logic to worry about. This OS
is truly a wonder of inabilities!
But what about access to resources and guarantees of progress? Could a
process hog the CPU, starving other processes? If we never turn the
computer on, no process can engage in this attack. Since all computation
was output-free anyway, we can show this is a correctness-preserving
optimization.
All this silliness has a point. One must include in one's objectives kinds
of interactions between mutually suspicious parties that must be able to
happen safely (i.e., patterns of cooperation without vulnerability). Until
then, the objectives may be met by safe but almost useless systems, like
applets. Once others start to include these other issues, then we can
debate both "how useful" as well as "how safe".
Cheers,
--MarkM