| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | David Fetter <david(at)fetter(dot)org> |
| Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Specification for Trusted PLs? |
| Date: | 2010-05-21 16:25:52 |
| Message-ID: | AANLkTim4TcUQSZYVbxujyt3-ckZQbAIoxcWJQ1lrDerd@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, May 21, 2010 at 12:22 PM, David Fetter <david(at)fetter(dot)org> wrote:
> On Fri, May 21, 2010 at 11:57:33AM -0400, Magnus Hagander wrote:
>> On Fri, May 21, 2010 at 11:55 AM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>> > So, here's a working definition:
>> >
>> > 1) cannot directly read or write files on the server.
>> > 2) cannot bind network ports
>>
>> To make that more covering, don't yu really need something like
>> "cannot communicate with outside processes"?
>
> These need to be testable conditions, and new tests need to get added
> any time we find that we've missed something. Making this concept
> fuzzier is exactly the wrong direction to go.
Well, the best way to define what a trusted language can do is to
define a *whitelist* of what it can do, not a blacklist of what it
can't do. That's the only way to get a complete definition. It's then
up to the implementation step to figure out how to represent that in
the form of tests.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2010-05-21 16:26:24 | Re: Specification for Trusted PLs? |
| Previous Message | David Fetter | 2010-05-21 16:22:20 | Re: Specification for Trusted PLs? |