When you run Solitaire, why can it delete any file you can? Such pervasive excesses of access rights cause our vulnerability to viruses and more. For thirty years, mainstream systems -- such as today's Unixes, Windows, Java, .NET -- have been built on two conflicting logics of access: capabilities and ACLs. They unsuccessfully provide security using ACL logic. They successfully provide functionality using modularity and abstraction mechanisms which follow capability logic.
E, a distributed secure object-capability language, is the plumbing underneath CapDesk, the virus-safe desktop demonstrated in Marc Stiegler's earlier talk on the "SkyNet Virus". E's security derives mostly by removing from conventional objects all causal pathways outside the pure object model -- leaving only capability-based access. Rather than making users chose between functionality and security, we use one access paradigm to provide both together. As an example, we show secure distributed money implemented in 15 lines of readable E code.
About the speaker:
Mark S. Miller is the Chief Architect of the Virus Safe Computing Initiative at Hewlett-Packard Laboratories, and is the Open Source Coordinator of the E Project at http://www.erights.org. He is a designer of several secure distributed programming languages including Vulcan for Xerox PARC, Trusty Scheme for AutoDesk, Joule for Agorics and Fujitsu, Tclio for Sun Labs, and E for Electric Communities, ERights.org, and Combex. As founder and CTO of Combex, Mark fashioned E into the platform used for CapDesk -- a Darpa-sponsored prototype of a virus-safe desktop and application launching framework.
Mark was drawn into security by pursuit of another dream. He is a co-creator of the agoric paradigm of market-based adaptive distributed secure computation. He is also a founder of Agorics, a company started to capitalize on agoric computing ideas.
Mark S. Miller
Hewlett Packard Laboratories
1501 Page Mill Rd. Bldg 3U, #1183
Palo Alto, CA 94304
650 857 7321
650 857 7029