The security mechanisms have to be sufficiently higher order
to be useful.
My reservations concerning safe-tcl are that:
(1) It provides some of these higher-order safety features.
(2) It's missing others that may be required. -- Well - that's
not a problem. It's a programming language, so you can implement
the unexpected requirements that Nathaniel is worried you won't
capture in a more declarative non-procedural language.
(3) That extensional capability is the loophole: how can you
ensure that the higher-order access functions are used, and not
some lower level disguised approach. ( Not disguised to the
safe-tcl mechanism, but disguised to the user - i.e. will they
understand the warning. )
(4) safe-tcl can be incrementally extended to provide new higher-
level facilities, while restricting low level access, but this
leads to a versioning problem.
These problems may not be fatal. But think the security requirements
for enabled-mail, server-agents, and client-executed browser code
are all rather different, so a fatal flaw in one realm may be only
a minor annoyance in another. In some cases you can get away with
the conservative approach of rejecting anything that even looks
suspicious. In others, you will punt the decision to the user
with an Allow/Deny query.
In some of the distributed programming safety features I want
to get into Python, for example, I have a looser requirement.
That the program not do things it "claims" not to do: If it
imports no I/O capable module, then it doesn't do any I/O. If
it requires to communicate over a socket to another program,
then I can hand it an already opened socket, or an object
that represents a potential socket or inactive "future".
I'm trying for something that is halfway between the safe-tcl
model, and the more capability based model of Obliq. It's not
just a question of language syntax (I think), but of a very
different security model. I don't think Obliq could be made to
provide safe-tcl like enabled mail, but I think it may be a
better model for the types of client server interaction we're
considering on the Web.
-- Steve Majewski (804-982-0831) <sdm7g@Virginia.EDU> --
-- UVA Department of Molecular Physiology and Biological Physics --
-- Box 449 Health Science Center Charlottesville,VA 22908 --
[ "Cheese is more macho?" ]