A computer architecture (ISA) specifies the logical nature of a computer. A machine language program is written for some particular architecture. The meaning of a program is largely independent of machine features beyond the architecture. A computer is a platform. Modern computer architectures include protection features that allow certain programs to limit what other programs can do.

Computer languages often include such protection features as well. An Algol subroutine cannot access variables of its caller unless access to those variables is passed by reference to the routine. Java and JavaScript have largely carried on this discipline. A compiler and runtime for a language is a platform.
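The discipline described above, shown in JavaScript as an added example that is not part of the original note: a callee can reach only its own locals and whatever the caller hands it, and what is handed over by reference can be modified, so a caller that wants to limit the callee passes an attenuated (read-only) view instead. The names `callee`, `caller`, `account` and `secret` are constructed for this illustration.

```javascript
// Callee: it can only touch its parameter. It reports whether a caller variable
// named `secret` is visible to it, then tries to modify what it was handed.
function callee(account) {
  const seesCallerLocal = typeof secret !== 'undefined'; // false: not in scope here
  account.balance -= 10; // succeeds only if the reference it received is writable
  return seesCallerLocal;
}

// Caller: keeps `secret` to itself, passes `account` first directly and then
// through a read-only proxy, and records what the callee could do in each case.
function caller() {
  const secret = 'caller-only';          // never passed down, so unreachable from callee
  const account = { balance: 100 };      // passed by reference
  const results = {};

  // Direct reference: the callee can read and modify the object.
  results.calleeSeesSecret = callee(account);   // false
  results.balanceAfterDirect = account.balance; // 90

  // Attenuated reference: same object behind a proxy that rejects writes.
  const readOnly = new Proxy(account, {
    set() { throw new TypeError('read-only view'); },
    deleteProperty() { throw new TypeError('read-only view'); },
  });
  try {
    callee(readOnly);
    results.writeThroughProxy = true;
  } catch (e) {
    results.writeThroughProxy = !(e instanceof TypeError); // false: write was blocked
  }
  results.balanceAfterProxy = account.balance; // still 90

  return { ...results, secretStillPrivate: secret === 'caller-only' };
}
```

The point of the proxy is the same as passing a value rather than a reference: the caller, not the platform, decides how much authority the callee receives, and the language guarantees the callee cannot reach past what it was given.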

The software platform is itself often a program running inside another environment, indeed on some other platform. Typically only the bottom of this stack is a hardware platform. Most operating system kernels are a platform for machine language programs. Most kernels include protection features that enable one program to limit what another can do.

The C language is notable in this respect as being useful yet utterly devoid of such mechanisms. C provides first-class binding of parameters to arguments but fails to limit access to this mechanism. Whether it is a platform is a semantic argument I see no need to decide here. I address platform security mechanisms in this note.

The Algol security feature mentioned above is fine-grained in two senses:

The Java feature with security in its name is the Security Manager. The security manager can discriminate between many small objects when deciding what to limit, but there seems room for only one such manager. There seems room for only one agency in the platform which is in a position to protect its own interests. The Java sandbox perhaps requires no more than this, as there are only the interests of the computer owner-operator to guard.

PostScript is a language. One particular definition of PostScript includes statements to read and write files. I presume that the interpreters that render PostScript on my machine do not implement that feature even though they are in a position to do so. Yet nowhere can I find assurance from the producers of such renderers to that effect. No one else is in a position to provide such assurance.

A new sort of anti-feature manual is needed for platforms. It would spell out in general yet precise terms which information its guests can get to and which actions guests can take. It is supposed to be widely known that Java applets cannot read files on the system where they run. Where can this assurance, or even claim, be found?

Platforms, even hardware platforms, are in a position to send and receive signals involving sensitive data. It should not be necessary to build Faraday cages to know where your data is. There are projects to make collections of computers appear as if seamlessly connected with new wireless technologies. Before IrDA, Bluetooth and Wi-Fi, security was much easier.
