[e-lang] Draft of Joe-E, a Capability-security subset of Java
tyler.close at gmail.com
Thu Sep 1 16:45:30 EDT 2005
On 8/31/05, David Wagner <daw at cs.berkeley.edu> wrote:
> John Carlson <john.carlson3 at sbcglobal.net> writes:
> >How will you give authority to a Joe-E
> >program? What can a Joe-E program do without
> >access to native libraries?
> Those are parts we'll work on soon; they are intimately tied in with
> taming, and taming is next on our plate for later this fall. (The answer
> to the second question is "compute side-effect-free functions" -- but
> our next step will be to work on taming the Java standard libraries,
> so that Joe-E programs can do more, including I/O.) But we wanted to
> try to start nailing down the language first.
A slightly different question has a much more satisfying answer: "What
can a program do with Joe-E code?". Answer: "Vastly reduce the
per-application code review work."
For example, most of the Java applications I write are written to the
Waterken Server. The architecture of this server has the feature that
the server links to the application code, not the other way around.
(Some fancy introspection code in the server makes this work.) This
design results in application code that is just plain Java code, with
no links to _any_ standard libraries. Each new application means
writing more of this plain Java code and reusing the existing server
application. I am hopeful that the Joe-E project will produce a
verifier that I can run on this application-level plain Java code to
automate parts of the code review process and, more importantly, put
some teeth into the assumptions that are made about the flow of
authority within a capability-based design.
Essentially, an answer to your first question: "How will you give
authority to a Joe-E program?", is "By using an application server
that first reifies all authority as Java objects, so that by the time
the Joe-E code sees it, it's just another application-level object
reference." The magic of going from bits to capabilities, and vice
versa, happens entirely within the app server.
The web-calculus is the union of REST and capability-based security:
Name your trusted sites to distinguish them from phishing sites.
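An added illustration of the pattern described in the post above (the server reifies authority as Java objects and links to the application code, which holds nothing but object references). This is example code written for this page, not Waterken Server or Joe-E code; the `Server`, `LogWriter`, `CounterView` and `GreetingApp` names are hypothetical, and the "authority" here is an in-memory audit log and counter rather than real I/O.

```java
// Added example: a server-side component holds the ambient authority and
// hands narrow object references to plain application code. The application
// class references no java.io / java.net types, so a reviewer only needs to
// look at which objects it was given to understand what it can do.
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class ReifiedAuthorityDemo {

    /** The only write authority the application ever receives. (hypothetical) */
    public interface LogWriter {
        void append(String line);
    }

    /** A read-only view of a counter; nothing mutable is reachable through it. (hypothetical) */
    public interface CounterView {
        int value();
    }

    // ---- "server" side: owns the real state, mints capability objects ----
    static final class Server {
        private final List<String> auditLog = new ArrayList<>();
        private int counter = 0;

        /** Mint a capability that can append to the audit log and nothing else. */
        LogWriter logWriterFor(String appName) {
            // The lambda closes over auditLog but never exposes the list itself,
            // so the holder can append but cannot read, clear or replace it.
            return line -> auditLog.add(appName + ": " + line);
        }

        /** Mint a read-only view; the holder cannot advance the counter. */
        CounterView counterView() {
            return () -> counter;
        }

        void tick() {
            counter++;
        }

        List<String> log() {
            return Collections.unmodifiableList(auditLog);
        }
    }

    // ---- "application" side: plain Java, authority arrives via the constructor ----
    static final class GreetingApp {
        private final LogWriter log;
        private final CounterView ticks;

        GreetingApp(LogWriter log, CounterView ticks) {
            this.log = log;
            this.ticks = ticks;
        }

        /** Everything this method can affect is reachable only through its two fields. */
        String greet(String who) {
            String msg = "hello " + who + " (tick " + ticks.value() + ")";
            log.append(msg);
            return msg;
        }
    }

    public static void main(String[] args) {
        Server server = new Server();
        // The server links to the application, not the other way around:
        // it constructs the app and passes reified authority in.
        GreetingApp app = new GreetingApp(server.logWriterFor("greeter"),
                                          server.counterView());
        server.tick();
        System.out.println(app.greet("alice"));
        System.out.println(server.log());
    }
}
```

The point of the layout is the review boundary: `GreetingApp` has no static path to the server's state or to any standard library, so the flow of authority into it is exactly the set of constructor arguments, which is what a Joe-E style verifier would be checking.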