[e-lang] Invited talk: Tradeoffs in Retrofitting Security: An Experience Report
kosik at fiit.stuba.sk
Thu Aug 16 03:56:12 EDT 2007
Marc Stiegler wrote:
>> Object granularity, static verification, library import taming, new
>> library wrappers
>> Joe-E, Emily, Backwater?
> Backwater fits an even lighter-weight category than this. Backwater
> needs no static verification to eliminate usage of non-obj features.
There are also other (simple) things that have to be done in order to
be sure that given (untrusted) code has minimal authority.
I have just completed an amendment to the Pict tutorial related to
If you are interested, look at
Chapter 7: Security Concerned Programming :)
It is just a rough draft but there I have tried to summarize basic
notions such as:
- maximal authority
- minimal authority
(and what we in case of Pict modules have to do to reach it)
(what does it mean in this case)
- powerbox
(that enables us to "lift" modules with minimal authority
to the least necessary level)
A non-trivial example is missing. I am thinking about
implementing the classical `ping' program that will be split into
- small trusted part
- and (as large as necessary) untrusted part
where the authority of an untrusted part would be lifted by the
trusted part to the necessary degree so that it can do its job.
> It only requires taming of the library. It is only static verification
> in the sense of compiling only with the right libraries; there is
> nothing like the joeE or Emily verifier that must analyze the program.
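The trusted/untrusted `ping' split sketched in the message, as an added Python example that is not from the post or the Pict tutorial. The Network class, the host addresses and the simulated reachability are constructed stand-ins for real ICMP; the powerbox hands the untrusted part a closure bound to one target instead of the whole network object.

```python
from dataclasses import dataclass, field


@dataclass
class Network:
    """Maximal authority: can probe any host. Simulated (constructed), no real sockets."""
    reachable: set = field(default_factory=set)
    log: list = field(default_factory=list)  # every host that was ever probed

    def probe(self, host: str) -> bool:
        self.log.append(host)
        return host in self.reachable


def powerbox(net: Network, host: str):
    """Trusted part: lifts the untrusted part's authority to exactly one host.

    Only the closure escapes; the Network object is never passed on. In Python
    this is a discipline rather than an enforced boundary (closures can be
    introspected), which is the gap that Joe-E/Emily-style taming closes.
    """
    def probe_host() -> bool:
        return net.probe(host)
    return probe_host


def untrusted_ping(probe_host, count: int) -> dict:
    """Untrusted part: as large as it needs to be, but it holds only probe_host.

    The closure takes no host argument, so this code cannot choose a different
    target; it can only do the job the trusted part lifted it to do.
    """
    replies = sum(1 for _ in range(count) if probe_host())
    return {"sent": count, "received": replies, "loss": (count - replies) / count}


def run(target: str, count: int = 4) -> tuple:
    """Wire the two parts together; returns (ping statistics, hosts actually probed)."""
    net = Network(reachable={"10.0.0.1"})  # constructed sample topology
    stats = untrusted_ping(powerbox(net, target), count)
    return stats, net.log


if __name__ == "__main__":
    print(run("10.0.0.1"))  # 4 of 4 probes answered, only 10.0.0.1 ever touched
```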