Some of you might be interested in this... The University of Pennsylvania is working on a new operating system that is supposed to be more secure than Unix or NT because it is capabilities based.

http://www.eros-os.org/faq/secure.html

Why is EROS secure?

The answer to this is involved. Here are a few basic points:

EROS protection is fine-grained. Instead of granting programs all of the rights of some user, EROS grants programs access to specific resources. Each program therefore runs with only the authority that it needs (the "principle of least privilege"), which makes it inherently more secure.

EROS access rights are preserved across system restarts. This makes it feasible to divide access rights across multiple processes without tearing out your hair to get the interrelationships between those processes right after every restart. Also, there is no need for a file system, which is a major source of security leaks.

Invocations of authority are explicit. When an EROS program invokes a capability, its authority comes from the capability that it names, not from some ambient status or authority that the process holds (i.e. not from any notion of user identity). One result is that trusted programs are much harder to compromise.

Because EROS is capability based, it is possible to strictly limit the communication channels that a program has. Among other things, user A can safely run software from an untrusted user B and know that there are no overt communication leaks. This is the kind of security that Java is trying (and failing) to provide.

In the end, all of this combines to lead to a different style of building programs. EROS programs tend to be built out of small, testable components.
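The "explicit invocation of authority" point above is easiest to see against the ambient-authority alternative it replaces. The following is an added toy model written for this post (not EROS code and not from the FAQ): a helper that writes wherever a caller names it versus a helper that can only write through a capability it was handed, with `Resource`, `Capability`, the two deputies and the sample file names all being constructed for the illustration.

```python
class Resource:
    """A protected object (e.g. a file); reachable only through a capability."""
    def __init__(self, name):
        self.name, self.contents = name, []


class Capability:
    """Unforgeable reference carrying a fixed set of rights on one resource."""
    def __init__(self, resource, rights):
        self._resource, self._rights = resource, frozenset(rights)

    def allows(self, op):
        return op in self._rights

    def invoke(self, op, data=None):
        # Authority comes from this capability alone, never from who invokes it.
        if not self.allows(op):
            raise PermissionError(f"{op} denied on {self._resource.name}")
        if op == "write":
            self._resource.contents.append(data)
            return None
        return list(self._resource.contents)  # op == "read"

    def restrict(self, rights):
        """Attenuate: derive a capability holding a subset of the rights."""
        return Capability(self._resource, self._rights & frozenset(rights))


def ambient_deputy(namespace, output_name, data):
    # ACL-style helper: it runs with all of its own rights and writes wherever told.
    namespace[output_name].contents.append(data)


def capability_deputy(output_cap, data):
    # Capability-style helper: it can only write through the capability handed to it.
    output_cap.invoke("write", data)


def demo():
    user_file, billing = Resource("user.out"), Resource("billing.log")
    namespace = {"user.out": user_file, "billing.log": billing}  # constructed sample
    # Confused deputy: the caller merely names the billing log and the helper clobbers it.
    ambient_deputy(namespace, "billing.log", "FREE")
    # Capability version: the caller holds rights to its own file only, so the billing
    # log cannot even be designated, and the helper gets a write-only attenuation.
    write_only = Capability(user_file, {"read", "write"}).restrict({"write"})
    capability_deputy(write_only, "hello")
    return {"billing": billing.contents, "user": user_file.contents,
            "helper_can_read_back": write_only.allows("read")}
```

The attenuated capability is also the mechanism behind the "no overt communication leaks" claim: a program that was never handed a capability to a resource has no way to designate it, regardless of which user started it.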
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:07 PDT