Taming of Pict
Abstract. This article presents additional necessary measures that enable us to use Pict as an object-capability programming language. It is desirable to be able to assess the worst possible threat that we—users—risk if we run a given program. If we know the threat, we are able to decide whether or not we are willing to risk running the program. The cost of a security audit that reveals such an assessment will be non-zero, but it need not be directly dependent on the size of the whole original program. It is possible to write programs in such a way that this analysis can be reliably performed on a fraction of the original program—on the trusted computing base. This technique does not always give the most accurate assessment, but it gives a sound and interesting assessment relatively cheaply. It does not prevent the usage of other techniques that can further refine the initial assessment.
1 Introduction
There are two different points of view of a computer system. We can view it from an administrator's point of view and from a user's point of view. Users should be regarded as primary because the purpose of computers is not to be administered but to be used. The goal of the administrator is to ensure that none of the users is given excess authority. The goal of the user is (or should be) to ensure that each of the processes runs with appropriate authority. Security mechanisms provided by the operating system are practical for the administrator, but they do not help users with their security goals.

Microsoft "Immutable" Law #1 states: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. The problem is how to decide who is a good guy and who is a bad guy. More importantly, even good guys can make mistakes and their programs can cause damage. The purpose of the computer is that we—users—can run programs on it. This rule basically says that we are safe as long as we do not run any program on it. Let us stop here and think how ridiculous it is.

Noticeable progress has been made in the area of designing programming languages with respect to security. An outstanding example is the E programming language [1]. From the security point of view (1), it is interesting because it enables

(1) The E programming language also addresses other important problems.
V. Geffert et al. (Eds.): SOFSEM 2008, LNCS 4910, pp. 610–621, 2008. c Springer-Verlag Berlin Heidelberg 2008
programmers to follow the principle of least authority (POLA). Multiple aspects of the language contribute to this fact:
– the authority to invoke methods of a particular object is an unforgeable capability;
– when some subsystem decides to keep some capabilities private, there are no language constructs that would enable other untrusted subsystems to "steal" them;
– the reference graph can evolve only according to the rules of allowed reference graph dynamics presented in Section 9.2 of [1].
The contribution of this paper is that it shows how, through a refactorization of the libraries of the Pict programming language [2],
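The three properties listed above are the ones an object-capability language must provide; the following added example (written for this edition, not code from the paper, from E, or from Pict) models them in plain Python so the discipline can be seen concretely: authority to append to a log exists only as an object reference, an untrusted plugin receives an attenuated and revocable forwarder rather than the log itself, and a reference reaches the plugin only because the trusted code passes it in. The names `Log`, `AppendOnly`, `Revocable`, `untrusted_plugin` and `run_scenario` are all invented here. The caveat that motivates the paper is also visible: Python itself is not tamed, so nothing stops a plugin from reaching into `writer._target` or into module globals; the example only shows the pattern, while the language-level guarantee is what E provides and what the paper sets out to obtain for Pict.

```python
"""Object-capability discipline modelled in Python (added illustration).

Authority is an object reference. A subsystem can act on a resource only
if it holds a reference to it, and in a tamed language a reference can be
obtained only by creating the object, being handed the reference by someone
who already holds it, or holding it from the start. Python does not enforce
the last part (reflection and globals exist); the example shows the pattern.
"""


class Log:
    """Underlying resource. Holding a Log is full authority: read and write."""

    def __init__(self):
        self.lines = []

    def append(self, line):
        self.lines.append(line)

    def read(self):
        return list(self.lines)


class AppendOnly:
    """Attenuated capability: can append to the log but cannot read it."""

    def __init__(self, log):
        self._log = log  # private reference; not reachable through the public API

    def append(self, line):
        self._log.append(line)


class Revocable:
    """Forwarder whose target the grantor can cut off later.

    A revoked forwarder is inert: the plugin keeps the reference but it no
    longer conveys any authority.
    """

    def __init__(self, target):
        self._target = target

    def append(self, line):
        if self._target is None:
            raise PermissionError("capability revoked")
        self._target.append(line)

    def revoke(self):
        self._target = None


def untrusted_plugin(writer, payload):
    """Stands in for an untrusted subsystem (constructed for this example).

    It is handed `writer` and nothing else, so the worst it can do is append.
    It returns whether it can see a read method, i.e. whether it was given
    more authority than intended.
    """
    writer.append(payload)
    return hasattr(writer, "read")


def run_scenario():
    """Trusted computing base: creates the log, attenuates, introduces, revokes."""
    log = Log()                           # parenthood: the creator holds the log
    cap = Revocable(AppendOnly(log))      # attenuate, then make revocable
    plugin_can_read = untrusted_plugin(cap, "hello")   # introduction by passing
    cap.revoke()                          # authority withdrawn without touching the plugin
    try:
        untrusted_plugin(cap, "after revoke")
        revoked = False
    except PermissionError:
        revoked = True
    return {
        "lines": log.read(),              # only the pre-revocation append landed
        "plugin_can_read": plugin_can_read,
        "revoked": revoked,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The security audit the abstract talks about is exactly an audit of `run_scenario` and the three small classes: if the language guarantees that `untrusted_plugin` cannot forge or steal references, the plugin's body (however large) does not need to be read to bound what it can do to `log`.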