Building a Virus-Safe Computing Platform:
Don't Add Security, Remove Insecurity
Talk given at the Information
Theory Seminar of Hewlett Packard Laboratories, and at the Stanford
Computer Systems Laboratory Colloquium.
- Powerpoint 2002 or later
(Mac OS X users report that Keynote renders this well, but Powerpoint
for the Mac does not)
(a bit stale)
- no HTML pages yet. Can anyone still generate HTML from Powerpoint?
- no OpenOffice yet. When OpenOffice reads in the Powerpoint, it's not
a pretty sight.
When you run Solitaire, why can it delete any file you can?
Such pervasive excesses of access rights cause our vulnerability to viruses
and more. For thirty years, mainstream systems -- such as today's Unixes,
Windows, Java, .NET -- have been built on two conflicting logics of access:
capabilities and ACLs. They unsuccessfully provide security using ACL
logic. They successfully provide functionality using modularity and abstraction
mechanisms which follow capability logic.
E, a distributed secure object-capability
language, is the plumbing underneath CapDesk, the virus-safe desktop demonstrated
in Marc Stiegler's earlier talk on the "SkyNet
Virus". E's security
derives mostly by removing from conventional objects all causal pathways
outside the pure object model -- leaving only capability-based access.
Rather than making users chose between functionality and security, we
use one access paradigm to provide both together. As an example, we show
secure distributed money implemented in 15 lines of readable E
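The abstract's "secure distributed money" is the classic object-capability mint/purse pattern. The following is an added example, not the E code shown in the talk and not part of this page: it renders the pattern in plain JavaScript so the access logic can be read and run. The names (makeMint, makePurse, sprout, deposit), the use of a WeakMap as the brand that stands in for E's sealer/unsealer pair, the payment scenario and the three rejected operations are all this example's own assumptions.

```javascript
// Added example (not from the talk or the E project): the object-capability
// mint/purse pattern in JavaScript. Names and the WeakMap brand are this
// example's choices, not E's API.
//
// Authority is carried only by object references:
//  - holding a purse lets you spend from it or read its balance;
//  - holding the mint lets you create money;
//  - nothing else (no global registry, no ambient authority) can do either.
// The WeakMap keyed by purse objects plays the role of E's sealer/unsealer
// brand: only code inside makeMint can reach a purse's balance, and an
// object that merely looks like a purse is not in the map.

function makeMint() {
  // Private ledger: purse object -> balance. Visible to this closure only.
  const ledger = new WeakMap();

  function makePurse(initialBalance = 0) {
    if (!Number.isSafeInteger(initialBalance) || initialBalance < 0) {
      throw new RangeError("balance must be a non-negative integer");
    }
    const purse = {
      getBalance() {
        return ledger.get(purse);
      },
      // A new, empty purse of the same currency. Lets a payer build a
      // payment purse without handing over its main purse.
      sprout() {
        return makePurse(0);
      },
      // Move `amount` from `src` into this purse. `src` must be a purse of
      // THIS mint (the WeakMap brand check) and must hold enough.
      deposit(amount, src) {
        if (!Number.isSafeInteger(amount) || amount < 0) {
          throw new RangeError("amount must be a non-negative integer");
        }
        if (!ledger.has(src)) {
          throw new TypeError("source is not a purse of this mint");
        }
        const srcBalance = ledger.get(src);
        if (srcBalance < amount) {
          throw new RangeError("insufficient funds");
        }
        // Debit before credit, so no code path can create money.
        ledger.set(src, srcBalance - amount);
        ledger.set(purse, ledger.get(purse) + amount);
      },
    };
    Object.freeze(purse);
    ledger.set(purse, initialBalance);
    return purse;
  }

  // The mint capability: the only object able to create money.
  return Object.freeze({ makePurse });
}

// Constructed scenario: Alice pays Bob 30. Bob never sees Alice's purse and
// Alice never sees Bob's; only the throw-away payment purse changes hands.
function demo() {
  const mint = makeMint();
  const alice = mint.makePurse(100);
  const bob = mint.makePurse(0);
  const payment = alice.sprout();
  payment.deposit(30, alice);   // Alice funds the payment purse
  bob.deposit(30, payment);     // Bob drains it into his own purse
  return {
    alice: alice.getBalance(),
    bob: bob.getBalance(),
    payment: payment.getBalance(),
  };
}

// Three things a holder of only a purse reference cannot do. Each entry
// records the error class thrown, or "allowed" if the operation went through.
function rejectedOperations() {
  const mint = makeMint();
  const alice = mint.makePurse(100);
  const results = {};
  // 1. Overdraft: more than the source holds.
  try { alice.sprout().deposit(200, alice); results.overdraft = "allowed"; }
  catch (e) { results.overdraft = e.constructor.name; }
  // 2. Forgery: an object that merely looks like a purse.
  const fake = { getBalance: () => 1e9, sprout() {}, deposit() {} };
  try { alice.deposit(50, fake); results.forgery = "allowed"; }
  catch (e) { results.forgery = e.constructor.name; }
  // 3. Cross-mint: a genuine purse, but of another mint (another currency).
  const foreign = makeMint().makePurse(50);
  try { alice.deposit(50, foreign); results.crossMint = "allowed"; }
  catch (e) { results.crossMint = e.constructor.name; }
  // In every case Alice's balance is untouched.
  results.aliceBalance = alice.getBalance();
  return results;
}

console.log(demo());                // { alice: 70, bob: 30, payment: 0 }
console.log(rejectedOperations());  // overdraft/forgery/crossMint all rejected
```

Two points worth noticing when reading it against the abstract. First, the mint holds a reference to nothing but its own ledger, and a purse holds nothing but the mint's closure; there is no path from either to the file system, which is exactly the "remove insecurity" move the Solitaire question is about. Second, plain JavaScript only approximates E's guarantees: the brand check and the frozen objects stop forgery by ordinary callers, but code sharing the same realm can still tamper with built-in prototypes, so the pattern is only as strong as the environment that loads it.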
Mark S. Miller is the Chief Architect of the Virus Safe Computing Initiative
at Hewlett-Packard Laboratories, and is the Open Source Coordinator of
the E Project at http://www.erights.org.
He is a designer of several secure distributed programming languages including
Vulcan for Xerox PARC, Trusty Scheme for AutoDesk, Joule for Agorics and
Fujitsu, Tclio for Sun Labs, and E
for Electric Communities, ERights.org, and Combex. As founder and CTO
of Combex, Mark fashioned E
into the platform used for CapDesk -- a Darpa-sponsored prototype of a
virus-safe distributed desktop and application launching framework.
Mark was drawn into security by pursuit of another dream. He is a co-creator
of the agoric
paradigm of market-based adaptive distributed secure computation.
He is also a founder of Agorics, a company started to capitalize on agoric