[5999] in www-talk@info.cern.ch
Re: How about a Safe Virtual Machine?
daemon@ATHENA.MIT.EDU (Nathaniel Borenstein)
Mon Oct 3 13:54:47 1994
Date: Mon, 3 Oct 1994 18:47:48 +0100
Errors-To: listmaster@www0.cern.ch
Reply-To: nsb@nsb.fv.com
From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: Multiple recipients of list <www-talk@www0.cern.ch>

Excerpts from www-talk: 3-Oct-94 Re: How about a Safe Virtua.. Karl Auerbach@cavebear.c (1037)

> Agreed. And I would like to go further -- in some contexts there are
> requirements that after a program has touched a certain class of file
> it is henceforth not allowed to write into another class of file.
> I.e. the program isn't going to be allowed to reclassify sensitive
> data from one level to another.

Makes sense. I don't think it would be hard to implement in the current
Safe-Tcl, either -- the extension environment is pretty much arbitrarily
powerful, so policies like this can be implemented by the extension
writer. The trickiest part would be if there were multiple
independently-developed extensions, in which case they might need a
shared mechanism for making note of what kinds of capabilities had been
previously used. But one extension writer can do all this easily enough
for a set of related capabilities. Is that good enough, do you think,
or do we need a standardized interface by which multiple
*independently-implemented* extensions can inform each other about
whether or not they've been used? -- Nathaniel
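
Added example, not part of the original message and not Safe-Tcl's own code: a sketch of the shared mechanism discussed above, in which two separately written extensions record and check a per-program high-water mark through one ledger. It assumes the safe-interpreter and alias commands of present-day Tcl as a stand-in for the extension environment the message refers to; every proc, alias, path and class name is hypothetical.

```tcl
# Added illustration. Every proc, alias, path and class name here is hypothetical.
# Shared ledger: per-interpreter high-water mark of the data classes touched.
namespace eval ledger {
    variable rank; array set rank {public 0 sensitive 1}
    variable mark; array set mark {}

    proc high {interp} {
        variable mark
        if {[info exists mark($interp)]} { return $mark($interp) }
        return public
    }
    proc note {interp class} {
        variable rank; variable mark
        if {$rank($class) > $rank([high $interp])} { set mark($interp) $class }
    }
    proc mayWrite {interp class} {
        variable rank
        expr {$rank($class) >= $rank([high $interp])}
    }
}

# Extension A (files): classifies paths, records reads, checks writes.
proc fileClass {path} { expr {[string match /secret/* $path] ? "sensitive" : "public"} }
proc safeRead {interp path} {
    ledger::note $interp [fileClass $path]
    return "contents of $path"   ;# stand-in for real file I/O
}
proc safeWrite {interp path data} {
    if {![ledger::mayWrite $interp [fileClass $path]]} {
        error "policy: $path is below the class this program has already touched"
    }
    return written               ;# stand-in for real file I/O
}

# Extension B (mail): written separately, but it consults the same ledger.
proc safeSend {interp rcpt body} {
    if {![ledger::mayWrite $interp public]} { error "policy: mail blocked after a sensitive read" }
    return sent
}

# The untrusted program sees only the three aliases, each bound to its own interpreter name.
set child [interp create -safe]
interp alias $child readfile  {} safeRead  $child
interp alias $child writefile {} safeWrite $child
interp alias $child sendmail  {} safeSend  $child

puts [$child eval {writefile /tmp/out hello}]   ;# before any sensitive read
$child eval {readfile /secret/plan}
puts [catch {$child eval {writefile /tmp/out copy}} msg]; puts $msg
puts [catch {$child eval {sendmail a@example.org copy}} msg]; puts $msg
puts [$child eval {writefile /secret/notes copy}]
```

The two extensions never call each other; the ledger namespace is the only thing they share, which is the role a standardized interface would play for independently implemented extensions.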