discussion: LLL and Security

Francois-Rene Rideau rideau@clipper
Wed, 16 Nov 94 22:56:23 MET


   There is a big problem with a LLL: Security.
   And Security *cannot* be merely expressed in terms of a finite
number of predefined access rights. Security means that system Liveliness
won't be challenged. It means that no program may crash the system.
   But the system is *not* only the raw resources; the system is a world of
object none of which should be crashed. Used resources shouldn't become
oversized, and should eventually be freed when not needed anymore; no ill
formed argument should be passed to a function (and the fact that an argument
be ok may be more difficult to prove as computing the argument; i.e.
requiring that the argument be a prime number or any such thing).
   All such things can't be expressed in a *low-level* language. A low-level
language isn't where they should be expressed. But we need security anyway.

   So what I propose is:
* external object specifications in a high-level specification language are
 given with the low-level equivalents
* a PGP signature (concerning the code, the specs, and the author) ensures
 that code has been verified as correct. A list of valid PGP keys is maintained
 by the system.

--    ,        	                                ,           _ v    ~  ^  --
-- Fare -- rideau@clipper.ens.fr -- Francois-Rene Rideau -- +)ang-Vu Ban --
--                                      '                   / .          --
MOOSE project member. OSL developper.                     |   |   /
Dreams about The Universal (Distributed) Database.       --- --- //
Snail mail: 6, rue Augustin Thierry 75019 PARIS FRANCE   /|\ /|\ //
Phone: 033 1 42026735                                    /|\ /|\ /