discussion: LLL and Security
Francois-Rene Rideau
rideau@clipper
Wed, 16 Nov 94 22:56:23 MET
There is a big problem with an LLL: Security.
And Security *cannot* be merely expressed in terms of a finite
number of predefined access rights. Security means that system Liveliness
won't be challenged. It means that no program may crash the system.
But the system is *not* only the raw resources; the system is a world of
objects, none of which should be crashed. Used resources shouldn't become
oversized, and should eventually be freed when not needed anymore; no ill-formed
argument should be passed to a function (and that an argument is ok may be
more difficult to prove than computing the argument is; e.g.
requiring that the argument be a prime number or any such thing).
None of these things can be expressed in a *low-level* language. A low-level
language isn't where they should be expressed. But we need security anyway.
So what I propose is:
* external object specifications in a high-level specification language are
given with the low-level equivalents
* a PGP signature (concerning the code, the specs, and the author) ensures
that the code has been verified as correct. A list of valid PGP keys is maintained
by the system.
-- Fare -- rideau@clipper.ens.fr -- Francois-Rene Rideau -- Đang-Vu Ban --
MOOSE project member. OSL developer.
Dreams about The Universal (Distributed) Database.
Snail mail: 6, rue Augustin Thierry 75019 PARIS FRANCE
Phone: 033 1 42026735
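The second half of the proposal (a signature covering code, specs and author, checked against a system-maintained list of valid keys) as an added, runnable example. This is not code from the post, the MOOSE project or Tunes; it is an illustration written for this page. Ed25519 from Go's standard library stands in for PGP, and the Bundle layout, the "fare"/"mallory" author names, the keyring type and the sample spec text are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Bundle is what the post proposes to ship together: the low-level code,
// its high-level specification, and the author who vouches that the code
// was verified against the spec. (Hypothetical layout; the post fixes none.)
type Bundle struct {
	Author string // identity whose key is expected in the keyring
	Spec   string // high-level specification, treated here as opaque text
	Code   []byte // low-level object code, treated here as opaque bytes
}

// Keyring is the system-maintained list of valid (trusted) keys.
type Keyring map[string]ed25519.PublicKey

var (
	ErrUnknownAuthor = errors.New("author has no key in the system keyring")
	ErrBadSignature  = errors.New("signature does not cover this code, spec and author")
)

// canonical serialises a bundle unambiguously: each field is prefixed with
// its length, so moving bytes between author/spec/code changes the digest.
func canonical(b Bundle) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(b.Author), []byte(b.Spec), b.Code} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// digest binds code, spec and author into the single value that is signed.
func digest(b Bundle) []byte {
	h := sha256.Sum256(canonical(b))
	return h[:]
}

// NewAuthorKey generates a signing key pair for an author (Ed25519 stands in
// for the PGP key the post has in mind; this is an assumption of the example).
func NewAuthorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the step the verifying author takes after checking the code
// against the spec.
func Sign(priv ed25519.PrivateKey, b Bundle) []byte {
	return ed25519.Sign(priv, digest(b))
}

// Verify is the check the system runs before admitting the code: the author
// must be in the keyring, and the signature must cover exactly this bundle.
func Verify(kr Keyring, b Bundle, sig []byte) error {
	pub, ok := kr[b.Author]
	if !ok {
		return ErrUnknownAuthor
	}
	if !ed25519.Verify(pub, digest(b), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := NewAuthorKey()
	if err != nil {
		panic(err)
	}
	kr := Keyring{"fare": pub} // the system's list of valid keys (constructed)

	// Constructed sample bundle: a spec carrying the "argument is prime"
	// precondition mentioned in the post, and two placeholder bytes of code.
	b := Bundle{
		Author: "fare",
		Spec:   "factor(n): requires prime(n)",
		Code:   []byte{0x90, 0xc3},
	}
	sig := Sign(priv, b)
	fmt.Println("genuine bundle:", Verify(kr, b, sig))

	tampered := b
	tampered.Code = []byte{0x90, 0xcc} // code changed after signing
	fmt.Println("tampered code: ", Verify(kr, tampered, sig))

	unknown := b
	unknown.Author = "mallory" // signer not in the keyring
	fmt.Println("unknown author:", Verify(kr, unknown, sig))
}
```

The point the length-prefixed encoding makes is that a signature over "the code, the specs, and the author" must bind all three as one value; signing a plain concatenation would let an attacker move bytes from the spec into the code without invalidating the signature. Rejecting an author who is absent from the keyring, rather than trusting any key that happens to verify, is what makes the system-maintained list of valid keys the actual trust decision.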