9.26: adda/security/cap'based or actors-based:
. since adda has control of the code,
does it need capabilities?
it's just like checking array bounds
protecting programmer from accidents .
. also when using agents and concurrency,
you need that soa-style id'ing
that let's you find out who's doing what
when things seem wrong .
. without having to know much about cap'-based systems,
it seems there's a clear path if you
stop worrying about efficiency, and model the system after
what you can understand is secure among human interactions:
organizing jobs just as if they were teams of people .
. all these actors keep journals
checked by god (the exec that runs their prgm for them)
. the flip side of logging is contracting:
a module has a req's list
that tells what permissions of what space it needs
and the exec will report any deviation from those
contractual obligations .
. global logging allows selective roll-backs
not just per object but agent-selecting:
undo all work of a faulty agent
then redo the work without that agent's contributions .
. req's should be specifying what operations or tools
it's using on what space
. another way to do this is have the exec generate
a report of the space being used .
. this can be done as a blacbox without needin to know the code:
as long as it was compiled to be exec'd by addm,
it can't make outside contacts without being logged by addm .
. likewise if it had an efficient way to virtualize the native platform,
then it could do the same with native binaries .
[9.29:
. the language that both addm and the binary would talk
is the files in the virtualization that would get the output .
]
10.9: adda/no need to specify current directory with command:
. regarding dev.unix/need to specify current directory with command:
adda will instead rely on cap'based security
to protect authors from each other .
10.26: adda/self-modifying or code-generating code/security:
. how is adda safe letting code modify itself?
it does so only by calling the adda compiler
which can enforce rules to run by .
. it has to declare everything it wants to modify;
and, this is checked against user or client preferences .
[11.3:
. eg, adda asks the user's agent this:
"( this code was generated from .program,
and wants permission for { .access to .resource, ... }
do permit?
do disallow code additions,
do disallow permission change requests? .
) ] .
11.30: adda/lisp/security options:
. along with having a cap'based security system
it can tell the user if a provider uses self-modifying tech
for in case that should be avoided for safety critical applications,
or for when correctness is not easily proven from scanning output .
No comments:
Post a Comment