[e-lang] Invited talk: Tradeoffs in Retrofitting Security: An Experience Report

[Matej Kosik]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark

Marc Stiegler wrote:
>> Object granularity, static verification, library import taming, new
>> library wrappers
>>     Joe-E, Emily, Backwater?
>
> Backwater fits an even lighter-weight category than this. Backwater
> needs no static verification to eliminate usage of non-obj features.

There are also other (simple) things that has to be done in order to
be sure that a given (untrusted) code has minimal authority.

I have just completed an amendment to the Pict tutorial related to
security issues.
http://altair.dcs.elf.stuba.sk:60001/mediawiki/upload/2/21/Tutorial.pdf
If you are interested, look at
Chapter 7: Security Concerned Programming  :)
It is just a rough draft but there I have tried to summarize basic
notions such as:
- - maximal authority
- - minimal authority
  (and what we in case of Pict modules have to do to reach it)
  (what does it mean in this case)
- - powerbox
  (that enables us to "lift" modules with minimal authority
   to the least necessary level)

Some non-trivial example is missing. I am thinking about
implementing classical `ping' program that will be split into
- - small trusted part
- - and (as large as necessary) untrusted part
where the authority of an untrusted part would be lifted by the
trusted part to the necessary degree so that it can do its job.

> It only requires taming of the library. It is only static verification
> in the sense of compiling only with the right libraries; there is
> nothing like the joeE or Emily verifier that must analyze the program.

- --
Matej Kosik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGxAMcL+CaXfJI/hgRAophAKCKNTyUsAxqusyJBE7AGz1SYP5QZACfXpAp
WAzlVqIybMWG0ofJ7cjSDIY=
=wqNm
-----END PGP SIGNATURE-----