[E-Lang] E FAQ
David Wagner
daw@cs.berkeley.edu
Sun, 14 Oct 2001 23:45:38 -0700
[Forwarded with permission. --MarkM]
Thanks. I enjoyed reading that article.
However, I had a hard time following one statement there:
: Principal-oriented
: architectures generally assume that when A invokes B, that B's actions
: honestly represent A's intentions.
To me, Java stack introspection seems explicitly designed with powerful
features for addressing exactly this sort of issue. If A invokes B, by
default B's actions get only the privileges common to both A and B; thus,
by default, we assume that B's actions do *not* represent A's intentions
(at least, B doesn't get any extra permissions as a result of A's request).
If B tries to cause trouble and do something B wouldn't have wanted, B
can't use the fact that A called B to do anything B wouldn't already be
able to do on its own.
The real issue seems to be least privilege. Many Java apps do not
run with least privilege. However, the possibility is there in the
architecture to do much better in this regard. If apps normally ran
with all privileges disabled, and bracketed only those areas where they
need privilege P with enablePrivilege(P); ...; disablePrivilege(P),
this would be a big step towards least privilege, wouldn't it?
A bigger difference seems to be that E-style capabilities systems are
intended to (1) make it easier to get least privilege ("it comes for
free"), and (2) potentially provide finer-grained privileges ("each
object ref is a privilege"). Thus, E seems to be intended to make it
easier to do the right thing.
I'd love to hear whether you would agree with this characterization,
or whether I'm missing something important.
-- David
In article <5.1.0.14.2.20011010230632.03546bf8@shell9.ba.best.com> you write:
>At 09:56 PM 10/10/2001 Wednesday, Chris Hibbert wrote:
>>Anyone have a different recollection or reconstruction of the history?
>
>My sense of the early phase is about the same as yours. For the history of
>the next phase, based on my personal experiences, see
>http://www.eros-os.org/pipermail/e-lang/2001-January/004030.html . I hope
>this tale succeeds at being somewhat sympathetic to Eric Schmidt. He
>arguably made the best of a difficult situation. Best, that is, from a
>business perspective, which was what he was supposed to do.
>
>
> Cheers,
> --MarkM
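As an added illustration of the stack-inspection rule discussed above (the "B gets only the privileges common to A and B" default, and the enablePrivilege(P); ...; disablePrivilege(P) bracketing), the following is a toy model written for this page. It is not the JVM's implementation, not code from the original e-mail, and not E code. The protection domains (TRUSTED_APP, PLUGIN), the permission names, and the helper functions are all constructed for the example; the per-privilege enable/disable follows the Netscape-style API named in the message rather than Java 2's doPrivileged, which asserts all of a frame's permissions at once.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    code: str                          # which code body this activation belongs to
    domain: frozenset                  # permissions the code's protection domain may hold
    enabled: frozenset = frozenset()   # permissions this frame has explicitly asserted


# Constructed protection domains for this example (assumed, not from the post).
TRUSTED_APP = frozenset({"FILE_READ", "FILE_WRITE", "NET_CONNECT"})
PLUGIN = frozenset({"NET_CONNECT"})   # B: less trusted, no file access at all


def check_permission(stack, perm, granted_by_default=True):
    """Stack inspection: walk from the most recent frame (end of list) outward.

    Every frame visited must hold `perm` in its domain, so the effective
    privilege is the intersection of all callers' domains.  A frame that has
    explicitly enabled `perm` vouches for everything beneath it and stops the
    walk.  If the walk reaches the bottom of the stack, the result is the
    default regime: Java 2 grants (every frame held it); a disabled-by-default
    regime, as the message proposes for least privilege, denies.
    """
    for frame in reversed(stack):
        if perm not in frame.domain:
            return False      # a less-privileged caller or callee is on the stack
        if perm in frame.enabled:
            return True       # this frame takes responsibility for the action
    return granted_by_default


def enable(frame, perm):
    """Model enablePrivilege(P): only legal if the frame's own domain holds P."""
    if perm not in frame.domain:
        raise PermissionError(f"{frame.code} may not enable {perm}")
    return Frame(frame.code, frame.domain, frame.enabled | {perm})


def disable(frame, perm):
    """Model disablePrivilege(P)."""
    return Frame(frame.code, frame.domain, frame.enabled - {perm})


def a_calls_b(perm):
    """A (trusted) invokes B (plugin); B attempts `perm`.  B gets only A ∩ B."""
    return check_permission([Frame("A", TRUSTED_APP), Frame("B", PLUGIN)], perm)


def b_calls_a(perm):
    """B invokes A; A attempts `perm` on B's behalf (confused-deputy shape).

    A's own authority does not help B: the walk reaches B's frame and denies.
    """
    return check_permission([Frame("B", PLUGIN), Frame("A", TRUSTED_APP)], perm)


def b_calls_a_privileged(perm):
    """Same call, but A brackets the action with enablePrivilege: A vouches."""
    a = enable(Frame("A", TRUSTED_APP), perm)
    return check_permission([Frame("B", PLUGIN), a], perm)


def least_privilege_app(perm_needed, perm_checked):
    """Least-privilege regime: the app's domain could hold everything, but
    nothing is granted unless bracketed by enablePrivilege(P); ...;
    disablePrivilege(P).  Returns (before, during, after) the bracket."""
    app = Frame("App", TRUSTED_APP)
    before = check_permission([app], perm_checked, granted_by_default=False)
    app = enable(app, perm_needed)
    during = check_permission([app], perm_checked, granted_by_default=False)
    app = disable(app, perm_needed)
    after = check_permission([app], perm_checked, granted_by_default=False)
    return before, during, after


if __name__ == "__main__":
    print("A->B, B reads file:      ", a_calls_b("FILE_READ"))
    print("A->B, B opens socket:    ", a_calls_b("NET_CONNECT"))
    print("B->A, A reads for B:     ", b_calls_a("FILE_READ"))
    print("B->A, A enables first:   ", b_calls_a_privileged("FILE_READ"))
    print("bracketed FILE_READ:     ", least_privilege_app("FILE_READ", "FILE_READ"))
    print("bracket leaks FILE_WRITE?", least_privilege_app("FILE_READ", "FILE_WRITE"))
```

Two points worth noticing when running it: enabling a privilege is itself checked against the enabling frame's domain, so PLUGIN code cannot simply call enable("FILE_READ") to escape the intersection; and the bracket is per privilege, so enabling FILE_READ inside the bracket does not grant FILE_WRITE, which is what makes the bracketing a step towards least privilege rather than a blanket "run as trusted".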