TITLE: Building a Virus-Safe Computing Platform: Don't Add Security, Remove Insecurity
SPEAKER: Mark S. Miller [HP Labs]
DATE: 2:00 - 3:00 P.M., Tuesday November 25, 2003
LOCATION: Sigma, 1L (PA)
HOST: Vinay Deolalikar
ABSTRACT:
When you run Solitaire, why can it delete any file you can? Such pervasive
excesses of access rights cause our vulnerability to viruses and more. For
thirty years, mainstream systems -- such as today's Unixes, Windows, Java, .NET
-- have been built on two conflicting logics of access: capabilities and ACLs.
They unsuccessfully provide security using ACL logic. They successfully provide
functionality using modularity and abstraction mechanisms which follow
capability logic.
E, a distributed secure object-capability language, is the plumbing
underneath CapDesk, the virus-safe desktop demonstrated in Marc Stiegler's
earlier talk on the "SkyNet Virus". E's security derives mostly from
removing from conventional objects all causal pathways outside the pure object
model -- leaving only capability-based access. Rather than making users choose
between functionality and security, we use one access paradigm to provide both
together. As an example, we show secure distributed money implemented in 15
lines of readable E code.
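To make the "secure distributed money" claim concrete, here is the object-capability mint pattern that Miller's E example is known for, transliterated into JavaScript as an added illustration. This is not the speaker's 15-line E code and makes no claim about E's syntax; it assumes nothing beyond plain JavaScript closures and a WeakMap standing in for E's sealer/unsealer brand pair. The mint and purse names ("Carol", Alice, Bob) and the amounts are constructed for the demo. The point it shows is the one the abstract makes: no access-control list anywhere, yet a purse can only be drained by code that already holds a purse of the same mint, and a forged purse or a purse from another mint is rejected before any balance changes.

```javascript
// Object-capability money, in the style of the E mint, rewritten in JavaScript
// (added example, not the original E code). A mint owns a private brand; a
// purse's decrement authority is handed out only sealed under that brand, so
// only sibling purses (via deposit) can ever reduce a balance.

function makeMint(name) {
  // Brand: a WeakMap keyed by opaque box objects. Only this closure holds the
  // map, so only purses of this mint can unseal a sealed decr function.
  const brand = new WeakMap();
  const seal = (decr) => { const box = Object.freeze({}); brand.set(box, decr); return box; };
  const unseal = (box) => {
    if (!brand.has(box)) throw new TypeError(`not a purse of mint ${name}`);
    return brand.get(box);
  };

  function makePurse(balance) {
    if (!Number.isSafeInteger(balance) || balance < 0) throw new RangeError('bad balance');

    // The only way to lower this purse's balance. Never exported directly:
    // it leaves the purse only sealed, via getDecr().
    const decr = (amount) => {
      if (!Number.isSafeInteger(amount) || amount < 0 || amount > balance) {
        throw new RangeError('insufficient funds');
      }
      balance -= amount;
    };

    const purse = Object.freeze({
      getBalance: () => balance,
      sprout: () => makePurse(0),        // fresh empty purse of the same mint
      getDecr: () => seal(decr),
      deposit(amount, src) {
        // Unseal before touching state: a forgery or another mint's purse
        // throws here, and a bad amount throws inside srcDecr, so a failed
        // deposit leaves both purses unchanged.
        const srcDecr = unseal(src.getDecr());
        srcDecr(amount);
        balance += amount;
      },
    });
    return purse;
  }

  // Only the holder of the mint object can create new value.
  return Object.freeze({ name, makePurse });
}

// Constructed scenario: Alice pays Bob 10 through a temporary payment purse,
// so Bob never sees Alice's main purse.
function demoPayment() {
  const mint = makeMint('Carol');
  const alice = mint.makePurse(100);
  const bob = alice.sprout();
  const payment = alice.sprout();
  payment.deposit(10, alice);   // alice -> payment
  bob.deposit(10, payment);     // payment -> bob
  return { alice: alice.getBalance(), bob: bob.getBalance(), payment: payment.getBalance() };
}

// Constructed attacks; each returns the error name thrown, or 'ok' if it succeeded.
function demoAttacks() {
  const mint = makeMint('Carol');
  const alice = mint.makePurse(100);
  const attempt = (fn) => { try { fn(); return 'ok'; } catch (e) { return e.constructor.name; } };
  return {
    // Value minted elsewhere is worthless here: the brand does not match.
    crossMint: attempt(() => alice.deposit(50, makeMint('Mallory').makePurse(1e6))),
    // A hand-rolled object that merely looks like a purse cannot be unsealed.
    forgedPurse: attempt(() => alice.deposit(50, { getDecr: () => ({}) })),
    // Overdraft and negative "deposits" (which would steal) are both refused.
    overdraft: attempt(() => alice.sprout().deposit(200, alice)),
    negative: attempt(() => alice.sprout().deposit(-50, alice)),
    // And Alice's balance is untouched after all of the above.
    aliceAfter: alice.getBalance(),
  };
}
```

Note the absence of any identity check: deposit never asks who the caller is, only whether the source purse can be unsealed by this mint's brand and whether it can cover the amount. That is the "one access paradigm" of the abstract. The negative-amount guard in decr matters: without it, deposit(-50, victim) would move money in the wrong direction, which is exactly the kind of check a reviewer should look for in any ocap money implementation.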