[e-lang] A broken brand?
Karp, Alan H
alan.karp at hp.com
Thu Mar 6 11:06:03 EST 2008
David Wagner wrote:
> I'm ignorant about distributed systems, so perhaps I'm talking
> nonsense, but I don't quite follow this comment yet. In a distributed
> system, transparent forwarders/proxies have to be implemented as part
> of the TCB (not at the application layer), and they have to have the
> ability to "forge" types (i.e., to pretend to be of any desired type).
> So I don't see why type-checking would prevent using these objects in
> a distributed system.
In Client Utility, the forwarders that converted between local and network references ran at the application level and were not part of the TCB. That was an important part of the design. It meant that an adversary who subverted its proxy on another machine got no additional privileges.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
More information about the e-lang