[e-lang] Joe-E 2.0 Release

David Wagner daw at cs.berkeley.edu
Sun Mar 9 03:29:07 EDT 2008

Tyler Close writes:
>On Sat, Mar 8, 2008 at 6:10 PM, David Wagner <daw at cs.berkeley.edu> wrote:
>>  Should we be concerned about the possibility that code could add an
>>  @org.joe_e.verified annotation to itself without having been run through
>>  the Joe-E verifier?  Or do you see a way to prevent that from happening?
>How would this be different from Java code delivering itself with fake
>safej files, other than being less voluminous?

Ahh.  I see.  You're right.

Here's what I was initially thinking:

1) One way to prevent untrusted code from delivering itself with
fake .safej files is to control what directory you install untrusted
files into.  (In other words, you configure the system to only look
in specific directories for the .safej files, and you ensure that
untrusted code cannot install itself into those directories.)

2) One way to prevent untrusted code from delivering itself with
fake @org.joe_e.verified annotations is to parse all the untrusted
.java files and check for the presence of that annotation.

I was thinking that controlling the location in which untrusted
files are installed might be easier than parsing the contents of
those files.

But what I overlooked is that there is an easier way to prevent
untrusted code from delivering itself with fake @org.joe_e.verified

2') You can install all the untrusted code into a specific directory
(or set of directories), and then ensure that you run the Joe-E verifier
on all files underneath that directory (or directories).

So I think you're right -- it's a wash.

There's a part of me that thinks this'd feel safer if the Joe-E
verifier added the @org.joe_e.verified annotation itself after verifying
the .java file, rather than having the programmer place that in the
.java file beforehand.  But that doesn't seem like it'd fit very well
with the current architecture for the Joe-E verifier (e.g., it'd require
modifying .class files or .java files, either of which would be a
substantial change).  So nevermind that.

Anyway, I withdraw my concern.  Thanks for helping me to think this
through more carefully.

More information about the e-lang mailing list