gnu-arch-users
Re: [Gnu-arch-users] Re: arch roadmap 1 (and "what's tom up to")


From: Andrew Suffield
Subject: Re: [Gnu-arch-users] Re: arch roadmap 1 (and "what's tom up to")
Date: Wed, 7 Jul 2004 17:08:04 +0100
User-agent: Mutt/1.5.6+20040523i

On Wed, Jul 07, 2004 at 08:56:50AM -0700, Tom Lord wrote:
>     > From: Anselm Lingnau <address@hidden>
> 
>     > Jeremy Shaw wrote:
> 
>     >> I think the basic model is, the VM will have some way to mark
>     >> commands as safe or unsafe. There will also be a way to set
>     >> which unsafe commands a program can run on a per program, per
>     >> command basis. This would allow you to implement a large number
>     >> of possible security policies...
> 
>     > Sandboxing at the VM level isn't easy to get right, as, e.g.,
>     > the Java folks have found out to their chagrin.
> 
> It might be helpful (to me at least) if you can report on what
> problems they've had and why you think those problems stem from
> sandboxing at the VM level rather than in some other way.

There are two ways to do it: complete segregation of behaviour, which
makes it extremely difficult to do anything useful (an applet that
cannot do IO, except via the browser UI, is of limited value), and
partial segregation, where different bits of code have different
access rights and can call each other across access boundaries. Java
does the latter. It's *really* hard to get right.

What Java discovered was that to do really useful sandboxing in the
real world, you need to do it the hard way. They also discovered that
it was really hard, and that they hadn't got it right
(repeatedly). And Java's still growing at an exponential rate
(codebase roughly doubles at each release).

Throw in code signing and fine-grained access control (not just
"trusted"/"untrusted"), and it gets even harder. They got those wrong
too.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
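The partial-segregation model described in the message above (code with different access rights calling across boundaries, with the VM deciding each privileged command by inspecting the call stack) as an added example. This is not code from the thread, from arch or from Java; it is a toy model in Python, and every name in it (Sandbox, Principal, run_as, write_file, log_event_safe, log_event_leaky, the "applet" and "logging-lib" principals, the fake file paths) is an assumption made for illustration. It shows the check working for a direct call and for a cross-boundary call made without a privilege assertion, and then the failure mode that makes this model hard to get right: a trusted helper that asserts privilege over an argument chosen by its untrusted caller.

```python
"""Toy stack-inspection sandbox in the style of the Java security model.

Added example, not code from the mailing-list thread, arch or the JDK.
All names and paths below are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


class SecurityError(Exception):
    """Raised when a permission check fails."""


@dataclass(frozen=True)
class Principal:
    """A unit of code with a fixed set of granted permissions."""
    name: str
    grants: frozenset[str]


@dataclass
class Frame:
    """One activation on the sandbox's call stack."""
    principal: Principal
    privileged: bool = False   # True models Java's doPrivileged()


class Sandbox:
    def __init__(self) -> None:
        self.stack: list[Frame] = []
        self.files: dict[str, str] = {}   # fake filesystem (assumed)

    def write_file(self, path: str, data: str) -> None:
        """The 'unsafe command': requires the file.write permission."""
        self.check("file.write")
        self.files[path] = data

    def check(self, perm: str) -> None:
        """Stack inspection: walk frames innermost-first. Every frame must
        hold the permission; a frame that asserted privilege ends the walk,
        so callers further out are not consulted."""
        if not self.stack:
            raise SecurityError(f"{perm}: no caller context")
        for frame in reversed(self.stack):
            if perm not in frame.principal.grants:
                raise SecurityError(f"{perm} denied to {frame.principal.name}")
            if frame.privileged:
                return

    def run_as(self, who: Principal, fn: Callable[..., Any], *args: Any,
               privileged: bool = False) -> Any:
        """Run fn with a frame for `who` pushed on the stack."""
        self.stack.append(Frame(who, privileged))
        try:
            return fn(*args)
        finally:
            self.stack.pop()


# Assumed principals: untrusted code has no grants, the library has one.
UNTRUSTED = Principal("applet", frozenset())
TRUSTED_LIB = Principal("logging-lib", frozenset({"file.write"}))


def log_event_safe(sb: Sandbox, msg: str) -> None:
    """Trusted helper writing a fixed path on behalf of any caller.
    Asserting privilege is acceptable: the caller controls only the data."""
    sb.run_as(TRUSTED_LIB, sb.write_file, "/var/log/app.log", msg,
              privileged=True)


def log_event_leaky(sb: Sandbox, path: str, msg: str) -> None:
    """Same helper, but the caller picks the path. The privilege assertion
    now launders an untrusted choice into a privileged write (confused
    deputy); stack inspection cannot see past the asserting frame."""
    sb.run_as(TRUSTED_LIB, sb.write_file, path, msg, privileged=True)


def scenario_direct_write() -> str:
    """Untrusted code calls the unsafe command itself: denied."""
    sb = Sandbox()
    try:
        sb.run_as(UNTRUSTED, sb.write_file, "/etc/passwd", "pwned")
        return "allowed"
    except SecurityError:
        return "denied"


def scenario_no_privilege() -> str:
    """Untrusted code calls through trusted code that does NOT assert
    privilege: the walk reaches the untrusted frame and denies."""
    sb = Sandbox()
    try:
        sb.run_as(UNTRUSTED, lambda: sb.run_as(
            TRUSTED_LIB, sb.write_file, "/var/log/app.log", "x"))
        return "allowed"
    except SecurityError:
        return "denied"


def scenario_safe_helper() -> dict[str, str]:
    """Untrusted code uses the fixed-path helper: only the log is written."""
    sb = Sandbox()
    sb.run_as(UNTRUSTED, log_event_safe, sb, "hello")
    return dict(sb.files)


def scenario_confused_deputy() -> dict[str, str]:
    """Untrusted code uses the leaky helper: arbitrary privileged write."""
    sb = Sandbox()
    sb.run_as(UNTRUSTED, log_event_leaky, sb, "/etc/passwd", "pwned")
    return dict(sb.files)


if __name__ == "__main__":
    print("direct write:", scenario_direct_write())
    print("no privilege:", scenario_no_privilege())
    print("safe helper:", scenario_safe_helper())
    print("confused deputy:", scenario_confused_deputy())
```

In the real Java model the two pieces modelled here are AccessController.checkPermission (the stack walk) and AccessController.doPrivileged (the frame that stops the walk). The check itself is simple; the hard part is that every privileged frame in every trusted library must be audited for exactly the mistake log_event_leaky makes, which is why a codebase that keeps growing keeps reopening the problem.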
