From: tmoran@acm.org
Newsgroups: comp.lang.ada
Subject: Re: Arbitrary Sandbox
Date: Sat, 18 Feb 2012 20:06:09 +0000 (UTC)
Organization: Aioe.org NNTP Server
References: <9qac7gFk0nU1@mid.individual.net>

> I seem to remember that the Burroughs mainframe computers had rather
> poor hardware-level protections. A buggy or malicious compiler could
> generate code that had harmful effects that were not restricted to the
> user running the code, if I remember correctly. A consequence was that
> an ordinary user was not allowed to create a compiler; special
> privileges were required to label a program as a "compiler" and thus let
> it generate executable code.

The Burroughs philosophy was to design hardware and software together, which included doing different kinds of checks in different, appropriate, places. Bad code could be prevented by a correct compiler, so an arbitrary generator of bit streams couldn't call its output "executable code". Indexing out of range couldn't be prevented by a compiler, so it was checked at run time by hardware. And so forth.

In five years supporting a B5500 at U of Wisconsin, I never saw a core dump caused by a compiler generating bad code. (Unfortunately, Burroughs added to their Algol "stream procedures" which were unchecked string operations - those were the source of most problems.)