20.10.8: addx/what Intel calls
Control-flow Enforcement Technology:
10.8, 10.9, 10.14: addx/protecting the call stack:
[@] was addx/soa/getting more efficiency along with safety/protecting the call stack
Showing posts with label addx. Show all posts
Showing posts with label addx. Show all posts
2020-12-31
getting more efficiency along with safety from #SOA
20.9.25: addx/soa/
getting more efficiency along with safety:
10.19: summary:
. soa (service oriented architecture)
is expensive when it intervenes
every call to a subprogram;
instead of calling soa mgt for every call,
we shouldn't be worried about an app making
internal calls to parts of the same app
by the same author with the same privileges.
. a complement of soa controlling the calls,
is stack isolation controlling the returns.
2017-08-08
Dr. Daniel Julius Bernstein
7.25: web.cs/sec/Dr. Daniel Julius Bernstein:
. Dr. Daniel Julius Bernstein
is an authority on computer security;
he's a big fan of extreme sandboxing
(where the app is cooperative)
and safe programming languages.
djb's main page, his papers
(and who they are cited by).
. Dr. Daniel Julius Bernstein
is an authority on computer security;
he's a big fan of extreme sandboxing
(where the app is cooperative)
and safe programming languages.
djb's main page, his papers
(and who they are cited by).
2014-12-27
Chris Granger`programming with Light Table
5.12: news.addx/Chris Granger`programming with Light Table:
chris-granger.com 2014/03:
. the important part of a spreadsheet program
is that it avoids incidental complexity:
if you understand keyboardable math notation
then you are writing equations that are
constantly run as programs .
. every cell accepting values
will have its changes trigger an update
that reruns any equations using it as input .
. a spreadsheet is completely observable;
ie, there are no hidden variables:
when you set up a spreadsheet,
all the calculations are based on
inputs visible to you on the same sheet .
. there are 2 examples of being direct:
a good spreadsheet program will let you
input a math equation as a function definition,
and it will express values graphically;
eg, color codes are given as colors,
and names of objects are replaced with
pictures of the objects .
. the limits of that programming model
is that it represents only a single program
that is a composition of functions .
. we need to intuitively and graphically extend that
to all the control structures people think in terms of .
"we're out to find something better,
something that isn't just for programmers
or non-programmers, but instead
removes that distinction entirely" .
. the author had originally began by
creating a code editor that would make it easier to
use your typical programming language,
but decided that current languages are the problem .
. their code editor featured Clojure
which is basically lisp .
Light Table's general editor capabilities
will work with most languages out there,
but it has deeper language integrations
(things like inline eval) for Clojure,
ClojureScript, Javascript, Python, HTML, and CSS...
More languages can be added via plugins in the future.
chris-granger.com 2014/03:
. the important part of a spreadsheet program
is that it avoids incidental complexity:
if you understand keyboardable math notation
then you are writing equations that are
constantly run as programs .
. every cell accepting values
will have its changes trigger an update
that reruns any equations using it as input .
. a spreadsheet is completely observable;
ie, there are no hidden variables:
when you set up a spreadsheet,
all the calculations are based on
inputs visible to you on the same sheet .
. there are 2 examples of being direct:
a good spreadsheet program will let you
input a math equation as a function definition,
and it will express values graphically;
eg, color codes are given as colors,
and names of objects are replaced with
pictures of the objects .
. the limits of that programming model
is that it represents only a single program
that is a composition of functions .
. we need to intuitively and graphically extend that
to all the control structures people think in terms of .
"we're out to find something better,
something that isn't just for programmers
or non-programmers, but instead
removes that distinction entirely" .
. the author had originally began by
creating a code editor that would make it easier to
use your typical programming language,
but decided that current languages are the problem .
. their code editor featured Clojure
which is basically lisp .
Light Table's general editor capabilities
will work with most languages out there,
but it has deeper language integrations
(things like inline eval) for Clojure,
ClojureScript, Javascript, Python, HTML, and CSS...
More languages can be added via plugins in the future.
2014-12-20
securing the virtual machine #addm
addm/sec/securing the virtual machine:
4.20: 12.20: summary:
. a virtual machine can provide security
along with some user freedom to develope code
by using a microkernel architecture
and learning from the Chrome browser team:
you can't build a secure app unless you
secure the underlying OS and firmware too .
4.20: 12.20: summary:
. a virtual machine can provide security
along with some user freedom to develope code
by using a microkernel architecture
and learning from the Chrome browser team:
you can't build a secure app unless you
secure the underlying OS and firmware too .
2013-12-25
design by autocrat
11.20: addx/design by autocrat:
. what if you are deluded, and need others' help
to show you that your design is fundamentally flawed;
but you are drugged by the freedom of working alone?
well, I've wanted to reuse some other work
but I've often found the documentation unreadable,
so this is about building an understanding
through finding that my design was flawed .
. at least I will be on the step toward
both designing a program I like,
and writing some documentation I can read
(likely others can read it too,
because I'm very forgetful,
so I will need to be thorough).
. what if you are deluded, and need others' help
to show you that your design is fundamentally flawed;
but you are drugged by the freedom of working alone?
well, I've wanted to reuse some other work
but I've often found the documentation unreadable,
so this is about building an understanding
through finding that my design was flawed .
. at least I will be on the step toward
both designing a program I like,
and writing some documentation I can read
(likely others can read it too,
because I'm very forgetful,
so I will need to be thorough).
2013-12-11
multi-language to univeral data format (UDF)
addx/multi-lang like .net:
10.2: 12.11:
. the addx system needs to be like
Microsoft's ".NET" such that it lets us
command addx with a variety of languages
-- adda would just be the default language .
. a new language being ported to addx
would provide a compiler that emits
addm's high-level code (HLC)
that is similar to .NET's assemblies .
10.2: 12.11:
. the addx system needs to be like
Microsoft's ".NET" such that it lets us
command addx with a variety of languages
-- adda would just be the default language .
. a new language being ported to addx
would provide a compiler that emits
addm's high-level code (HLC)
that is similar to .NET's assemblies .
2013-04-29
privacy assurance while reporting errors
3.19: addx/privacy rights/reporting errors:
. if an error should be reported to the coder
the report should be generated in such a way that
the user can see it contains no personal data;
or, it should say it does contain data
and ask if it is too sensitive .
. if an error should be reported to the coder
the report should be generated in such a way that
the user can see it contains no personal data;
or, it should say it does contain data
and ask if it is too sensitive .
2013-03-31
vmm (virtual machine monitoring)
2.5: addx/vmm/virtual dom0:
. just as addm is a VM (virtual machine),
addx is a VM monitor (vmm);
so it should do things like Vmware does,
only with some enhancements and extensions; eg,
. just as addm is a VM (virtual machine),
addx is a VM monitor (vmm);
so it should do things like Vmware does,
only with some enhancements and extensions; eg,
pythonic software construction
2.2: news.addx/pythonic software construction:
Fred Brooks` Mythical Man Month:
. Brooks suggested we plan to throw one away
because we will throw the first attempt anyway;
10years later he noted that incremental development
can reduce much of that loss;
nevertheless,
what he said still applies on a smaller scale:
Fred Brooks` Mythical Man Month:
. Brooks suggested we plan to throw one away
because we will throw the first attempt anyway;
10years later he noted that incremental development
can reduce much of that loss;
nevertheless,
what he said still applies on a smaller scale:
2013-03-09
platforms and requirements to target
1.23: addx/targets are {python, c, obj'c, parasail}:
. if parasail is not on all the needed platforms
the base lang should be obj'c not c;
because, obj'c has better programming-in-the-large features;
well, does it support concurrency?
. if parasail is not on all the needed platforms
the base lang should be obj'c not c;
because, obj'c has better programming-in-the-large features;
well, does it support concurrency?
2012-09-22
iOS app restriction motivations
7.22: todo.cyb/dev.iOS/
menu-driven prog'lang learning:
. I thought of an addx app for iOS:
let users try programming by menu .
. even if iOS users can't run the programs
that they create by menu,
it's a way to learn to program
by exploring menu's;
but in that case, it would need to be
for a way of learning a popular lang, not adda;
adda is interesting only if it's
a way to do something popular;
eg, you could make your iOS do things
by running the code you just built .
. this could be done via the use of javascript
by somehow sending it to the browser ?
[9.9:
. I should be keeping in mind that for $99/yr,
such an app should be designed to make money;
if I just want to be helpful,
I can do that for free with a web app .]
7.29: news.cyb/dev.iOS/
co.dev.mac#buck has book for dev.iOS?:
. it's one thing to say that
every program has to be inspected,
but why does every user
have to be inspected?!
ie, why can't the user write scripts ?
a user should be able to automate
anything a programmer is allowed to do .
. but it's a slippery slope;
if you let users do scripting
then they are trading scripts,
then they are failing to notice
what "they" are doing .
. can javascript come close to doing
everything a user can do ?
. another problem is user spoofing user:
many services like google
can't be used by automation because
then a human wouldn't be
influenced by the ad's,
so there would be no use serving ad's,
and no way to fund the product ...
(not sure that's a problem on the iOS;
Android users get served a lot of ads).
menu-driven prog'lang learning:
. I thought of an addx app for iOS:
let users try programming by menu .
. even if iOS users can't run the programs
that they create by menu,
it's a way to learn to program
by exploring menu's;
but in that case, it would need to be
for a way of learning a popular lang, not adda;
adda is interesting only if it's
a way to do something popular;
eg, you could make your iOS do things
by running the code you just built .
. this could be done via the use of javascript
by somehow sending it to the browser ?
[9.9:
. I should be keeping in mind that for $99/yr,
such an app should be designed to make money;
if I just want to be helpful,
I can do that for free with a web app .]
7.29: news.cyb/dev.iOS/
co.dev.mac#buck has book for dev.iOS?:
. it's one thing to say that
every program has to be inspected,
but why does every user
have to be inspected?!
ie, why can't the user write scripts ?
a user should be able to automate
anything a programmer is allowed to do .
. but it's a slippery slope;
if you let users do scripting
then they are trading scripts,
then they are failing to notice
what "they" are doing .
. can javascript come close to doing
everything a user can do ?
. another problem is user spoofing user:
many services like google
can't be used by automation because
then a human wouldn't be
influenced by the ad's,
so there would be no use serving ad's,
and no way to fund the product ...
(not sure that's a problem on the iOS;
Android users get served a lot of ads).
2012-09-20
an intuitive library
7.19: addx/library/an intuitive library:
. how do we equate the contents of adda's lib
with some sort of filesystem structure?
. are library units placed in a lib folder?
is this done by declaring the unit's name to be
libName/unitName?
how can things be more implicit or intuitive?
. when you write interactively
this is being stored as a folder called
interactive.adda .
. each folder named x.adda, for any x,
is a separate adda acct
meaning it's a top-level lib .
. it had been previously proposted that
naming a file or folder x.adda
would indicate the contents was text
that conformed to the adda language;
. the current idea differs slightly:
the folder named *.adda would mean that
all the files and folders inside
would have names like x.t,
where t would be some adda typename .
. the x.adda folder also lets the files inside
have names like x.t.txt
so that if you want to use
other tools to open the files,
these tools know a .txt is ascii or utf-8 .
. how do we equate the contents of adda's lib
with some sort of filesystem structure?
. are library units placed in a lib folder?
is this done by declaring the unit's name to be
libName/unitName?
how can things be more implicit or intuitive?
. when you write interactively
this is being stored as a folder called
interactive.adda .
. each folder named x.adda, for any x,
is a separate adda acct
meaning it's a top-level lib .
. it had been previously proposted that
naming a file or folder x.adda
would indicate the contents was text
that conformed to the adda language;
. the current idea differs slightly:
the folder named *.adda would mean that
all the files and folders inside
would have names like x.t,
where t would be some adda typename .
. the x.adda folder also lets the files inside
have names like x.t.txt
so that if you want to use
other tools to open the files,
these tools know a .txt is ascii or utf-8 .
2012-07-04
scriptability with sandboxing
6.30: addx/scriptability with sandboxing:
. I was surprised to learn that Preview
-- one of Apple's own apps -- is unscriptable;
but, perhaps that's because it's so costly to produce
the needed scripting dictionary .
. one of addx's motivating features
was the pervasive use of the MVC pattern;
with that in place, app's always come in 2 parts:
# the model that can talk to any controller
(because it's a command line tool);
# the gui controller that humans will need
in order to interact with the model .
. the scripting dictionary comes free
(without the developer having to do anything)
because in order to get an app installed in the system
it had to be submitted to the system librarian,
who put the model's specification in the library
which is viewable by humans and controllers alike .
. I was surprised to learn that Preview
-- one of Apple's own apps -- is unscriptable;
but, perhaps that's because it's so costly to produce
the needed scripting dictionary .
. one of addx's motivating features
was the pervasive use of the MVC pattern;
with that in place, app's always come in 2 parts:
# the model that can talk to any controller
(because it's a command line tool);
# the gui controller that humans will need
in order to interact with the model .
. the scripting dictionary comes free
(without the developer having to do anything)
because in order to get an app installed in the system
it had to be submitted to the system librarian,
who put the model's specification in the library
which is viewable by humans and controllers alike .
can a scripting engine really be safe?
6.1: addx/can a scripting engine really be safe?:
. I just heard that Apple will no longer allow apps to
communicate by sending each other AppleScripts;
instead they need to use each other's API .
. this I found confusing because I had a different understanding
of applescript connectivity:
. apps exported an API that applescript could understand,
and then applescripts could use all such apps .
. I guess what they were saying is that, counterintuitively,
only AppleScript had been able to use such API's:
you couldn't do so from the native lang (objective C).
. anyway, this got me to asking the question:
can a scripting engine really be safe?
here's my yes:
. I just heard that Apple will no longer allow apps to
communicate by sending each other AppleScripts;
instead they need to use each other's API .
. this I found confusing because I had a different understanding
of applescript connectivity:
. apps exported an API that applescript could understand,
and then applescripts could use all such apps .
. I guess what they were saying is that, counterintuitively,
only AppleScript had been able to use such API's:
you couldn't do so from the native lang (objective C).
. anyway, this got me to asking the question:
can a scripting engine really be safe?
here's my yes:
2012-05-16
commented PyQt code for main windows
. I’ve been learning pyqt coding from
Rapid GUI Programming with Python and Qt:
The Definitive Guide to PyQt Programming
by Mark Summerfield .
. the book includes openware examples
featuring several language versions;
I’m using the examples for Python 2.6 .
. I’ve been adding comments to his source;
the example I commented is from the file
chapter 6 (main windows)/imageChanger.pyw
(for a working program
you’ll also need the other files).
. I posted the commented code at my knol(wordpress)
where the format is wider,
and they have a Python language formatting tag!
[sourcecode language="python" wraplines="false" collapse="false"]. that special enclosure causes the code within
your source code goes here
[/sourcecode]
to be color-coded according to syntactic category .
. see it in action .
2012-01-31
correctness vs capability constraints
1.7: pos.addx/security/correctness vs capability constraints:
. I'm awed at the complexity of Ada;
they go to great lengths to
help you ensure program correctness;
but I doubt it can be used by the public .
. I think it would be sufficient to ensure only that
module capabilities were expressable and enforceable;
eg, any routes to implied sideaffects
need to be declared by a module .
. if parameters have links to caller`space,
then lack of an out-mode declaration
should by an assurance that the param
has no sideaffects .
[1.8:
. when the users call an app,
they expect know its capability limits,
yet they may also expect dynamic updates,
which could change the set of
subprograms called by the app .
. how does the user stay updated to
implied changes in app capability limits,
when the app has been linked to
more powerful subprograms ?
( you might assume that if you can trust a subprogram,
then you can trust apps to use that subprogram;
a counter example is when a worker has
top security clearance to work with your gov,
but you can't allow that work to be
employed by foreign gov's) .]
. if a subprogram has capabilities that are
greater than the app calling it,
then the app needs to
declare these enabling subprograms,
or the app's stated capabilities need to be
a function of whatever the app links into
dynamically .
. if the app's capabilities changed since
the user's last ok,
then the ok from user or mgt
has to happen again,
else the app can't be allowed to run .
. I'm awed at the complexity of Ada;
they go to great lengths to
help you ensure program correctness;
but I doubt it can be used by the public .
. I think it would be sufficient to ensure only that
module capabilities were expressable and enforceable;
eg, any routes to implied sideaffects
need to be declared by a module .
. if parameters have links to caller`space,
then lack of an out-mode declaration
should by an assurance that the param
has no sideaffects .
[1.8:
. when the users call an app,
they expect know its capability limits,
yet they may also expect dynamic updates,
which could change the set of
subprograms called by the app .
. how does the user stay updated to
implied changes in app capability limits,
when the app has been linked to
more powerful subprograms ?
( you might assume that if you can trust a subprogram,
then you can trust apps to use that subprogram;
a counter example is when a worker has
top security clearance to work with your gov,
but you can't allow that work to be
employed by foreign gov's) .]
. if a subprogram has capabilities that are
greater than the app calling it,
then the app needs to
declare these enabling subprograms,
or the app's stated capabilities need to be
a function of whatever the app links into
dynamically .
. if the app's capabilities changed since
the user's last ok,
then the ok from user or mgt
has to happen again,
else the app can't be allowed to run .
addx's text or lexical handler
1.3: addx/addt (text handler):
[1.31: update:
addl is the lui = lexical user interface;
"(addle) also means unable to think clearly
-- just how many feel around terminals
or any command line interface! ]
[1.6: summary:
. my original vision of the addx system
would avoid the use of shell,
replacing all use of it with adde;
but in case people would prefer access via shell,
there should be a module specific to that need .
. the essential feature of other shells,
is that they use text as both the input and output,
hence the name add`text .
. the shell lets you pipe outputs of one command
to the inputs of another command,
and they all assume you are sending a text stream .
. the addt module presents a set of commands
that provide shell equivalents for everything in adde .
. the addt commands are wrappers
around addx commands that do translations
from adda and addm word code to equivalent ascii versions .
. if the addx equivalents need to be piped to or from
native shell commands,
then addt offers a translation between the native text,
and addx binary communications:
eg, some-unix-cmd | a2t | adda | t2a | another-unix-cmd .
. another idea, to avoid explicit use of {a2t, t2a},
is to have one shell within a shell like python has,
but it would emulate the native shell's language,
so that while you were still dealing with your favorite shell,
you could also mix it with addx library calls,
by having addt insert the needed conversion filters
before passing it on to the actual shell .]
1.3: intro:
. the c`main`argv and unix`conventions
(esp'ly the borne shell)
determine how the user at a command line
can communicate with a program:
the cli or shell determine how a command is parsed
into the array of ascii strings that the program sees .
1.3: first idea:
. addt is a cli tool that is first responder to
any text inputs:
. it converts text to ascii byte code
which can be passed to `main's argv .
. need to define an addx byte code that
represents addm and etree as ascii rather than ints .
[1.31: update:
addl is the lui = lexical user interface;
"(addle) also means unable to think clearly
-- just how many feel around terminals
or any command line interface! ]
[1.6: summary:
. my original vision of the addx system
would avoid the use of shell,
replacing all use of it with adde;
but in case people would prefer access via shell,
there should be a module specific to that need .
. the essential feature of other shells,
is that they use text as both the input and output,
hence the name add`text .
. the shell lets you pipe outputs of one command
to the inputs of another command,
and they all assume you are sending a text stream .
. the addt module presents a set of commands
that provide shell equivalents for everything in adde .
. the addt commands are wrappers
around addx commands that do translations
from adda and addm word code to equivalent ascii versions .
. if the addx equivalents need to be piped to or from
native shell commands,
then addt offers a translation between the native text,
and addx binary communications:
eg, some-unix-cmd | a2t | adda | t2a | another-unix-cmd .
. another idea, to avoid explicit use of {a2t, t2a},
is to have one shell within a shell like python has,
but it would emulate the native shell's language,
so that while you were still dealing with your favorite shell,
you could also mix it with addx library calls,
by having addt insert the needed conversion filters
before passing it on to the actual shell .]
1.3: intro:
. the c`main`argv and unix`conventions
(esp'ly the borne shell)
determine how the user at a command line
can communicate with a program:
the cli or shell determine how a command is parsed
into the array of ascii strings that the program sees .
1.3: first idea:
. addt is a cli tool that is first responder to
any text inputs:
. it converts text to ascii byte code
which can be passed to `main's argv .
. need to define an addx byte code that
represents addm and etree as ascii rather than ints .
security per use case
1.1: addx/security per use case:
. know your users, the security book advises?
a corollary is:
make it clear in both the code's logic
and in the user's doc's,
what you expect of users .
. it was talking about the problem of
making security a hassle for users,
when, if you thought it out better,
you could find just the security measures you need
for their use case, and then bake just that in .
. one thing I recall hating
is not knowing all the dead ends upfront .
. there's all these things that can't be done,
and you can't know about it because
"(this app is so easy, intuitive, no thick manuals, etc ).
...
. sometimes you might not know what your users expect;
so then the menu's should have a search box
in addition to the menu hierarchy;
and, if a search returns nothing,
you ask them to explain what they want that is missing .
for touchscreen users,
and for those not familiar with terminology,
use a set of menus for identifying how features are
grouped by what kinds of things they do,
and by what the feature is called .
. let the users pick a place in that tree,
and optionally give a sentence for detailing
what's missing from the tree .
. a google app engine site could
merge all these requests and build the tree;
the tree will also be offline but not always uptodate .
. know your users, the security book advises?
a corollary is:
make it clear in both the code's logic
and in the user's doc's,
what you expect of users .
. it was talking about the problem of
making security a hassle for users,
when, if you thought it out better,
you could find just the security measures you need
for their use case, and then bake just that in .
. one thing I recall hating
is not knowing all the dead ends upfront .
. there's all these things that can't be done,
and you can't know about it because
"(this app is so easy, intuitive, no thick manuals, etc ).
...
. sometimes you might not know what your users expect;
so then the menu's should have a search box
in addition to the menu hierarchy;
and, if a search returns nothing,
you ask them to explain what they want that is missing .
for touchscreen users,
and for those not familiar with terminology,
use a set of menus for identifying how features are
grouped by what kinds of things they do,
and by what the feature is called .
. let the users pick a place in that tree,
and optionally give a sentence for detailing
what's missing from the tree .
. a google app engine site could
merge all these requests and build the tree;
the tree will also be offline but not always uptodate .
2011-11-30
evlan.org describes many #addx features
10.31: news.adda/lang"evlan/
evlan.org describes many addx features:
. Kenton Varda's Evlan has many addx features;
but, it "(currently has no type system);
and, it died in 2007.10.1, when the author "(got a real job)!
. what first caught my was cap-based security:
is its being a virtual operating system
which runs on top of any other operating system;
via a virtual machine that is the sole access
to the underlying platform's OS .
. by a complete platform,
he means it is not specialized to be
efficiently accessing all of bloated unix,
but to define what it needs,
and then have the vm access what it needs
for impl'ing the Evlan virtual platform .
adda's secure by language idea:
also implementing security at the hardware level;
this is the level where modularity can be enforced;
otherwise, malware could just jump to
what ever code there is with the permissions it needs .
(see qubes doc's) .]
-- that means esp'ly your browser --
are all written in this provable language ? ]
see: Capability-based Security is used in the
EROS operating system and the E programming language.
Also, Marc Stiegler et al.
addx's idea that concurrency is the key
to secure speed:
meant for a single CPU; eg, [written in adda:]
having only 19 keywords;
one of which is "(where)
which could have been said with a reused "(:) .]
Because Evlan is purely functional,
no function call is allowed to have "side effects".
. see www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=225
(dead link, is this right: queue.acm.org/detail.cfm?id=864034)?
-- ask google where else that link can be found:
Natural programming languages and environments
Communications of the ACM September 2004/Vol. 47, No. 9 by Brad A. Myers, John F. Pane, Andy Ko
. another contrast to assembly-like imperative instructions
is addm's idea for a high-level interpreter:
instead of translating from an abstract syntax tree (AST)
into a sequence of assembly instructions;
addm, the vm, would try to evaluate an AST . ]
evlan.org describes many addx features:
. Kenton Varda's Evlan has many addx features;
but, it "(currently has no type system);
and, it died in 2007.10.1, when the author "(got a real job)!
. what first caught my was cap-based security:
Most of today's computer platforms operate under. the other main idea like addx
a fundamental assumption that has proven utterly false:
that if a user executes a program,
the user completely trusts the program.
This assumption has been made by just about
every operating system since Unix
and is made by all popular operating systems used today.
This one assumption is arguably responsible for
the majority of end-user security problems.
It is the reason malware -- adware, spyware, and viruses --
are even possible to write,
and it is the reason even big-name software
like certain web browsers
are so hard to keep secure.
Under the classical security model,
when a user runs a piece of software,
the user is granting that software the capability
to do anything that the user can do.
Under capability-based security,
when a user runs a piece of software,
the software starts out with no capabilities whatsoever.
The user may then grant specific capabilities to the program.
For example, the user might grant the program
permission to read its data files.
The user could also control whether or not
the program may access the network, play sounds, etc.
Most importantly,
all of these abilities can be controlled
independently on a per-program basis.
is its being a virtual operating system
which runs on top of any other operating system;
via a virtual machine that is the sole access
to the underlying platform's OS .
. by a complete platform,
he means it is not specialized to be
efficiently accessing all of bloated unix,
but to define what it needs,
and then have the vm access what it needs
for impl'ing the Evlan virtual platform .
adda's secure by language idea:
Even better than implementing security in an operating system,--[. keep in mind that this won't work without
is implementing it in a programming language:
developers are able to control the capabilities available
to each piece of code independently.
Good practice, then, would be to only give each component
the bare minimum capabilities that it needs to
perform its desired operation.
And, in fact, it is easier to give fewer capabilities,
so this is what programmers will usually do.
The result is that if a security hole exists in some part of your program,
the worst an attacker can do is
gain access to the capabilities that were given to that component.
also implementing security at the hardware level;
this is the level where modularity can be enforced;
otherwise, malware could just jump to
what ever code there is with the permissions it needs .
(see qubes doc's) .]
It is often possible to restrict all "dangerous" capabilities[. great to know if your os and every other app
to one very small piece of code within your program.
Then, all you have to do is make sure that
that one piece of code is secure.
When you are only dealing with a small amount of code,
it is often possible to prove that this is the case.
It is, in fact, quite possible to prove
that a program written in a capability-based language
is secure.
-- that means esp'ly your browser --
are all written in this provable language ? ]
see: Capability-based Security is used in the
EROS operating system and the E programming language.
Also, Marc Stiegler et al.
addx's idea that concurrency is the key
to secure speed:
Evlan has strong support for highly concurrent programmingMost of today's systems use imperative languages
being a purely functional language,
Where automatic parallelization is not possible,
there are very lightweight threads (without stacks).
meant for a single CPU; eg, [written in adda:]
processAll(results#t.type).proc:
for(i.int = results`domain):
results#i`= processItem results#i
).. in c, it would process each item in order,adda aspires to be simple:
from first to last.
It does not give the system any room to
process two items in parallel
or in some arbitrary (most-efficient) order .
It is far easier to remember--[. however he has ada-itis and braggs about
multiple uses for a single construct
than to remember multiple constructs.
having only 19 keywords;
one of which is "(where)
which could have been said with a reused "(:) .]
interoperability done via compatibility layers:functional:
If and when the legacy software is no longer in use,
the compatibility layers can be removed,
leaving only the ultra-efficient Evlan core behind.
Because Evlan is purely functional,
no function call is allowed to have "side effects".
. see www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=225
(dead link, is this right: queue.acm.org/detail.cfm?id=864034)?
-- ask google where else that link can be found:
Natural programming languages and environments
Communications of the ACM September 2004/Vol. 47, No. 9 by Brad A. Myers, John F. Pane, Andy Ko
This article presents findings on natural programming languages.natural programming:
(i.e. natural as in intuitive in the UserCentric way)
It advocates features for programming languages,
that are justified by these findings.
Areas include:
SyntacticSugar, that causes fewer errors
(it more intuitive/natural).
Better integrated debugging-support,
esp. for hypotheses about bug-causes.
which suggests that humans like to write rules of the form
"When condition X is true, do Y".
I am not yet sure to what extent this will
change the current system, however.
By "natural programming" we are aiming forFunctional Bytecode
the language and environment to work the way that
nonprogrammers expect.
We argue that if the computer language were to
enable people to express algorithms and data
more like their natural expressions,
the transformation effort would be reduced.
Thus, the Natural Programming approach
is an application of the standard user-centered design process
to the specific domain of programming languages and environments.
[at that link is a] good short summary of the
Natural Programming project here at CMU.
We're affiliated with the EUSES consortium,
which is a group of universities working on
end-user software engineering.
google's 2007 Update on the Natural Programming Project
Bytecode for the Evlan virtual machine--[11.30:
uses a functional representation of the code.
In contrast, the VMs of Java and .NET
use assembly-like imperative instructions.
. the GNU C Compiler's "Static Single Assignment" phase
is actually very close to being equivalent to
a purely functional language. [no overwrites]
If GCC does this internally just to make optimization easier,
then it doesn't take a huge stretch to imagine a system which
compiles imperative code to functional bytecode .
. another contrast to assembly-like imperative instructions
is addm's idea for a high-level interpreter:
instead of translating from an abstract syntax tree (AST)
into a sequence of assembly instructions;
addm, the vm, would try to evaluate an AST . ]
The purpose of constraining variables to types
is to get the compiler to check your work for bugs
and optimize code as well .
. if you could specify that an index to an array
must be less than the size of the array
-- and if the compiler could then check for that --
then buffer overruns (one of the most common bugs
leading to security holes in modern software)
would be completely eliminated.
(run-time bounds checking can prevent buffer overruns,
but then users see your app shutting down unexpectedly).
Subscribe to:
Posts (Atom)
