WebApp Sec mailing list archives

Re: Vista and the Type Safe missed opportunity (was Re: [SC-L] New security website: darkreading )


From: George Capehart <gwc () acm org>
Date: Mon, 01 May 2006 23:00:05 -0400

Dinis Cruz wrote:

<snip introductory comments>


A couple comments on your article:

/"... .NET has a built-in security model just like Java. .NET is type
safe just as Java is type safe. ..."/
 
This is only correct when .Net is executed under Partial Trust and Java
with the Security Manager enabled.

In Full Trust .Net or Java with Security Manager disabled, the VM
verifier is disabled and the built-in security mode is just about useless.

The main security advantage that the current .Net and Java environments
have is that they are not as vulnerable to buffer overflows as C/C++.


<snip rest of excellent discussion>

Hola Dinis et al.,

I subscribe to many security-related mailing lists, and I don't remember
on which this one occurred, but, in the past two to three months, there
was a great discussion around Multics and the Multics security model and
implementation.  Now, I'm an old phart, but not quite that old . . .
(Apologies to the Multicians out there . . .  :-)  ).  WRT type safety,
etc., one of the big appeals of Multics was that it was written in PL/I.
Now, I /*am*/ old enough to admit to having learned PL/I in Comp Sci
101, and I actually did productive work with it (when I could get to the
keypunch).  Looking back on it, PL/I protected me (a beginning
programmer) from many errors of omission that I would have made had I
been using C or C++.  In some ways, I think we are back doing the same
thing for which we excoriate others . . . not learning lessons from
those who came before us and reinventing the wheel.  IMHO, WRT operating
systems, there is ample history to guide us on what works and what
doesn't.  (And how to write OSs in HLLs).  Those who elect not to pay
attention to history and who must forge their way into the vast,
uncharted (by them) waters deserve everything they get.  And, FWIW, I'm
surprised that Butler Lampson is still at Microsoft . . .

My 0.02$CURRENCY.

Cheers,

/g
