comp.lang.ada
From: Darren New <dnew@san.rr.com>
Subject: Re: Why write an Ada web browser ?, was: Re: GNAT Ada - DLL - MSVC
Date: Wed, 12 Jun 2002 19:30:47 GMT
Message-ID: <3D07A181.4E478A0E@san.rr.com>
In-Reply-To: 3D0798DE.9F54B0D0@sympatico.ca

David Marceau wrote:
> > That's the point. The question is how Ada would make run-time plug-ins
> > safer, and the answer is that it wouldn't.
> I will attempt to clarify why I believe ada is safer for creating
> dynamic run-time plugins.

I think we're talking at cross purposes. Unless you're going to reimplement
*every* plug-in in Ada, the plug-ins you don't reimplement will have the
same security problems. 

That is, sure, you can implement a Flash player or a RealVideo player in Ada
and perhaps fix some security bugs by doing so. But making your web browser
secure and still having it invoke RealVideo's player isn't going to be any
safer.
 
> Firstly there are two types of dynamic run-time plug-ins:
> 1)in-process(dll COM objects as Microsoft calls them)
>         As you know they may be gui or non-gui plugins.
>         If one instantiates an untrusted third party in-process plug-in,
>         we can expose the original executing process to unwanted hacking
>         since they share the same machine and user privileges as the original
> executing process.

I don't know of any way to change this on UNIX unless your web browser is
setuid to root, and that's just asking for trouble. That is, how does one
invoke a plug-in that is "safe" as a separate UNIX process, if you don't
start with root privs?

>         The out-of-process plug-in doesn't necessarily have to run on the same
> machine as the original executing process.
>         The out-of-process plug-in doesn't necessarily have to run with the
> same user privileges.

Well, yah, under Windows, it does. Especially under Windows 9x and
derivatives thereof.
 
> > That's the point. The question is how Ada would make run-time plug-ins
> > safer, and the answer is that it wouldn't.
> Ada by design makes safer executables than c/c++/java.

I'll grant you that's true of C and C++, but not Java.

>  Thus it will
> make safer out-of-process plugins gui and non-gui ones.

Doesn't follow. Especially if your out-of-process plugins are not in Ada.

I won't argue that rewriting all the network code in Ada would increase
security. I just don't think it's likely to happen any time soon, due to
non-technical reasons.

> In a web browser(ada compiled or not) you don't necessarily have to
> design it to invoke its plugins with the same user privileges.

I think the security of most common OSes would prevent you from doing
otherwise. 

> That's what would make an ada-based browser with ada-based plug-in safer
> to run and use.
> If you don't agree with me then please clarify this or perhaps I will
> consider you as a comp.lang.ada flaming MicroSerf.

No, if you rewrite everything in Ada with the primary concern being to
prevent plug-ins from doing nasty things, you'll get better security. Using
existing plug-ins with an ada-based browser probably won't help much.
Rewriting all existing plug-ins when a majority of people use single-user
OSes to browse the web doesn't help.
 
-- 
Darren New 
San Diego, CA, USA (PST). Cryptokeys on demand.
** http://home.san.rr.com/dnew/DNResume.html **
** http://images.fbrtech.com/dnew/ **

     My brain needs a "back" button so I can
         remember where I left my coffee mug.


