[4771] in WWW Security List Archive


Re: Latest Java hole is Netscape/Sun only

daemon@ATHENA.MIT.EDU (Adam Shostack)
Tue Mar 11 17:37:15 1997

From: Adam Shostack <adam@homeport.org>
In-Reply-To: <01BC2D53.C3146340@crecy.ai.mit.edu> from "Phillip M. Hallam-Baker" at "Mar 10, 97 12:57:31 pm"
To: hallam@ai.mit.edu (Phillip M. Hallam-Baker)
Date: Tue, 11 Mar 1997 15:52:22 -0500 (EST)
Cc: thomasre@microsoft.com, taz@kensico.com, schemers@stanford.edu,
        rdenny@dc3.com, WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Phillip M. Hallam-Baker wrote:

[Much other stuff, I'm disagreeing on a point of philosophy.]

	The language should not provide security, the system it runs
on should.  C is a marvelously insecure language, since it has *no*
security constructs in it.  However, putting it on a UNIX kernel,
where the security of the system is handled by other tools (that
happen to be written in C), allows us to write reasonably secure
systems.

	(Reasonably secure means far better than the 'security in the
language' camp has done.  Good enough?  When you have an expert test
the system, C code on UNIX can be pretty secure.)

	Take the security out of the language, and the language
doesn't need security.  Put the security in a kernel, and you can make
it small enough to be made trustworthy.

Adam


| To do the What and make it work the only credible approach in my
| view is to use formal methods to prove the security properties of the
| system. A computer language is simply too complex to be considered
| without some powerful tool. Mathematics is that tool. 

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
