From: Robert A Duff <bobduff@shell01.TheWorld.com>
Subject: Re: Arbitrary Sandbox
Date: Mon, 20 Feb 2012 18:27:10 -0500
Message-ID: <wccvcn1nl0x.fsf@shell01.TheWorld.com>
In-Reply-To: 18o3vqsl9uy2$.a3m68cg8ysro.dlg@40tude.net

"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:

> On Sat, 18 Feb 2012 13:55:48 -0500, Robert A Duff wrote:
>
>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>
>>> I wonder what kind of architecture could require a safe implementation of
>>> Ada, e.g. when private parts of packages and protected objects would be
>>> mapped onto the memory physically inaccessible from public contexts.
>>
>> The kind of architecture that is overly complicated
>> and grossly inefficient. Imagine a private type with
>> discriminants. The discriminant of each object is visible
>> to clients; other components are not. Or imagine a private
>> extension of a (visible) record extension. What about the
>> fact that some portion (not all) of a child package has
>> visibility on the private part (but not the body) of the
>> parent package?
>>
>> Why do work at run time that can be done at compile time?
>
> Because it cannot (in presence of Unchecked_Conversion and similar stuff).

If U_C etc. causes trouble, use Java. Or use a subset of Ada that
doesn't allow such features. I really can't imagine a sensible way to
use such features and check them at run time.

It would be good to have an easy way to check whether a given
Ada program uses such dangerous features, and if so, where.

>> Implementing things in hardware doesn't magically make
>> them free.
>
> It makes them incomputable. In a secure environment you wanted certain
> things to become incomputable for non-trusted clients, e.g. reading user
> passwords.

Sure, but Ada's visibility features (private types and the like)
are not designed for security. Use other means for that (like
protection based on paging).

>> Putting high-level support for higher-level languages in hardware
>> has been tried a number of times, and it's always been a bad idea.
>
> Maybe so. But this is a different case, because memory protection and
> segmentation support is already there. Why does no high-level language use it?

You mean "already there" in 386/pentium? Languages don't use it because
it's inefficient, and because whatever segmentation can do can be done
better by some combination of software and paging.

- Bob
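
Bob's remark above that it would be good to have an easy way to check whether a given Ada program uses such dangerous features, and where, is the kind of audit a small script can do. What follows is an added example for this page, written by the editor; it is not code from the thread, from Bob or Dmitry, or from any Ada toolchain. It is a line-based Python scanner that reports every use of Ada.Unchecked_Conversion, Ada.Unchecked_Deallocation, 'Unchecked_Access, 'Address and pragma Import in a set of sources, after blanking string literals and stripping comments so that neither produces false hits. The three Ada units it scans (secrets.adb, clean.ads, glue.adb) are constructed for the example, and the feature list is the editor's own choice of what defeats compile-time visibility, not a list taken from the Ada standard. For a hard guarantee rather than an audit, the language's own mechanism is a Restrictions pragma such as pragma Restrictions (No_Dependence => Ada.Unchecked_Conversion), which makes the compiler reject the dependence outright; the scanner is useful when you want a quick file:line inventory of an existing code base first.

```python
"""Line-based audit of Ada sources for features that bypass the visibility
rules Ada checks at compile time (private parts, access rules).

Added example; not code from the thread or from any Ada toolchain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# (label, pattern) pairs matched against a line with comments and string
# literals removed.  Ada identifiers are case-insensitive, hence re.I.
# Assumption: this is the editor's own list of "dangerous" features for an
# encapsulation audit, not an official one.
DANGEROUS = [
    ("Unchecked_Conversion", re.compile(r"\bUnchecked_Conversion\b", re.I)),
    ("Unchecked_Deallocation", re.compile(r"\bUnchecked_Deallocation\b", re.I)),
    ("Unchecked_Access", re.compile(r"'\s*Unchecked_Access\b", re.I)),
    ("Address", re.compile(r"'\s*Address\b", re.I)),
    ("pragma Import", re.compile(r"\bpragma\s+Import\b", re.I)),
]

# An Ada string literal is "..." with "" as the escaped quote; a comment runs
# from -- to end of line.  Strings are blanked before comments are stripped
# so that a -- inside a string is not mistaken for a comment.
_STRING = re.compile(r'"(?:[^"\n]|"")*"')
_COMMENT = re.compile(r"--.*$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 1-based line number in the unit
    feature: str   # label from DANGEROUS
    text: str      # the offending source line, whitespace-stripped


def _code_only(line: str) -> str:
    """Blank string literals, then drop any trailing comment."""
    return _COMMENT.sub("", _STRING.sub('""', line))


def scan_source(path: str, source: str) -> List[Finding]:
    """Return every (line, feature) hit in one compilation unit, in order."""
    hits: List[Finding] = []
    for number, raw in enumerate(source.splitlines(), start=1):
        code = _code_only(raw)
        for feature, pattern in DANGEROUS:
            if pattern.search(code):
                hits.append(Finding(path, number, feature, raw.strip()))
    return hits


def scan_tree(sources: Dict[str, str]) -> List[Finding]:
    """Scan a {path: text} mapping, e.g. built by reading *.ads/*.adb files."""
    findings: List[Finding] = []
    for path in sorted(sources):
        findings.extend(scan_source(path, sources[path]))
    return findings


def report(findings: List[Finding]) -> str:
    """grep-style 'file:line: feature: text', one line per finding."""
    if not findings:
        return "no unchecked features found"
    return "\n".join(f"{f.path}:{f.line}: {f.feature}: {f.text}"
                     for f in findings)


# Constructed sample units, not real projects.  secrets.adb converts a
# private Password to raw bytes and overlays an object on an address;
# clean.ads uses only an ordinary private type; glue.adb frees storage
# unchecked, imports a C routine and takes an unchecked access value.
SAMPLE_TREE = {
    "secrets.adb": """\
with Ada.Unchecked_Conversion;
with System;
package body Secrets is
   -- Unchecked_Conversion in a comment must not be reported
   type Raw is array (1 .. 16) of Character;
   function To_Raw is new Ada.Unchecked_Conversion (Password, Raw);
   Note : constant String := "a 'Address inside a string is fine";
   Port : Integer;
   for Port'Address use System.Null_Address;
end Secrets;
""",
    "clean.ads": """\
package Clean is
   type Token is private;
private
   type Token is new String (1 .. 8);
end Clean;
""",
    "glue.adb": """\
with Ada.Unchecked_Deallocation;
package body Glue is
   type Buf is access all String;
   procedure Free is new Ada.Unchecked_Deallocation (String, Buf);
   procedure C_Fill (P : Buf);
   pragma Import (C, C_Fill, "c_fill");
   S : aliased String := "abc";
   P : Buf := S'Unchecked_Access;
end Glue;
""",
}

if __name__ == "__main__":
    print(report(scan_tree(SAMPLE_TREE)))
```

Run as a script it prints seven findings, four from glue.adb and three from secrets.adb, and nothing for clean.ads; the comment on line 4 of secrets.adb and the 'Address inside the string literal on line 7 are correctly ignored. The scanner is deliberately line-based, so a string literal spanning lines or a comment containing an unmatched quote can confuse it; for anything beyond a first inventory, the compiler-enforced Restrictions pragma named above is the check to rely on.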