Archive of UserLand's first discussion group, started October 5, 1998.

Re: "No Viri" Control Panel

Author: Paul Snively
Posted: 5/5/2000; 11:34:03 AM
Topic: Virus from Manila
Msg #: 17003 (In response to 16973)
Prev/Next: 17002 / 17004

Winer: How about a virtual machine, a Windows emulator, that ran on my Intel box, that had its own file system. Enclosures could only operate within that machine, and not the real one that I do all my work on. It seems to me the problem is neatly solved through emulation. It's not that big a jump really, Java has already done it.

Yup--the trick here, given a secure computing infrastructure that's capable of emulating some other infrastructure, is a) to resist the temptation to alter the secure infrastructure to "assist" the insecure emulated infrastructure, and b) to educate the users of the emulated infrastructure that they have "risk-for-risk" compatibility.

Java does a pretty good job of being a "safe language," but even it's not foolproof; see <http://www.research.att.com/%7Evj/bug.html> for an example of a serious flaw in the implementation of dynamic classloading that renders Java non-typesafe. Further, Java does not, by default, do anything to address the issue of safe cooperation among mutually distrustful parties, which is the issue that "active content" raises.

Certainly, however, a major benefit of what most people call "scripting" languages or "safe" languages is that they offer fewer subtle machine-level points for malicious code to exploit, and this is a step in the right direction.

Jonathan Rees wrote an excellent paper, with examples, describing how an effective "security kernel" can be described/implemented in the lambda calculus. It's MIT AI Lab Memo 1564 and is available in Postscript from <http://www.ai.mit.edu/publications/pubsDB/pubsDB/onlinehtml>.
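As an added illustration of the idea behind the Rees memo (this code is not from the memo, the post, or UserLand): in a lexically scoped language a capability is just a closure over a protected resource, so untrusted code can be handed an attenuated, revocable view of a sandboxed "file system" without ever receiving the resource itself. The store contents, file names and error messages are constructed for this example.

```python
from typing import Callable, Dict, Set, Tuple

def make_store() -> Dict[str, str]:
    # The protected resource; nothing outside this module gets a direct reference.
    return {"notes.txt": "meeting at 10", "keys.txt": "s3cret"}  # constructed sample

def make_reader(store: Dict[str, str], allowed: Set[str]) -> Callable[[str], str]:
    """Attenuated read capability: the closure exposes only the named files."""
    def read(name: str) -> str:
        if name not in allowed:
            raise PermissionError(f"no capability for {name!r}")
        return store[name]
    return read

def make_revocable(cap: Callable) -> Tuple[Callable, Callable[[], None]]:
    """Caretaker pattern: forward calls to `cap` until revoke() is invoked."""
    target = {"cap": cap}
    def forward(*args):
        if target["cap"] is None:
            raise PermissionError("capability revoked")
        return target["cap"](*args)
    def revoke() -> None:
        target["cap"] = None
    return forward, revoke

def run_untrusted(read: Callable[[str], str]) -> Dict[str, str]:
    """Stand-in for a mutually distrustful party; it holds only `read`."""
    results = {}
    for name in ("notes.txt", "keys.txt"):
        try:
            results[name] = read(name)
        except PermissionError as exc:
            results[name] = f"denied: {exc}"
    return results

def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Grant an attenuated capability, let untrusted code use it, then revoke it."""
    store = make_store()
    read_notes = make_reader(store, {"notes.txt"})
    cap, revoke = make_revocable(read_notes)
    before = run_untrusted(cap)   # notes readable, keys denied
    revoke()
    after = run_untrusted(cap)    # everything denied once revoked
    return before, after

if __name__ == "__main__":
    print(demo())
```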
This page was archived on 6/13/2001; 4:55:05 PM.

© Copyright 1998-2001 UserLand Software, Inc.