author | Thomas Schwinge <tschwinge@gnu.org> | 2007-09-14 15:31:38 +0200 |
---|---|---|
committer | Thomas Schwinge <tschwinge@gnu.org> | 2007-09-14 15:31:38 +0200 |
commit | 0f98bd853e71466b60189d18148d2b4b66c5d238 (patch) | |
tree | fe79fa512695d8b9784bd914e28bc216d53f5264 /destructive_interference.mdwn | |
parent | e67759e31d3b4e30ba958e1e27217cb5fad4e0ba (diff) | |
Add some more wiki links.
Diffstat (limited to 'destructive_interference.mdwn')
-rw-r--r-- | destructive_interference.mdwn | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/destructive_interference.mdwn b/destructive_interference.mdwn new file mode 100644 index 00000000..941da8a4 --- /dev/null +++ b/destructive_interference.mdwn 
@@ -0,0 +1,39 @@ +[[license text=""" +Copyright © 2007 Free Software Foundation, Inc. + +Permission is granted to copy, distribute and/or modify this document under the +terms of the GNU Free Documentation License, Version 1.2 or any later version +published by the Free Software Foundation; with no Invariant Sections, no +Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included +in the section entitled [[GNU_Free_Documentation_License|/fdl.txt]]. + +By contributing to this page, you agree to assign copyright for your +contribution to the Free Software Foundation. The Free Software Foundation +promises to always use either a verbatim copying license or a free +documentation license when publishing your contribution. We grant you back all +your rights under copyright, including the rights to copy, modify, and +redistribute your contributions. +"""]] + +Interference can be destructive or non-destructive. When a [[principal]] +invokes an object (thereby requesting a service) and the implementation +carries out the principal's intent, the interference was non-destructive +in the sense that the interference was desired. + +In invoking the object, the principal may make itself vulnerable to +destructive interference. When a user runs Solitaire on Windows, +the Solitaire program is instantiated and given all of the user's +authority. The program may delete all of the users files after +publishing credit card and other sensitive information on the Internet. +This type of interference is undesirable, however, generally practically +unavoidable due to the way programs work on Windows (and Unix, for that +matter). + +The problem is that the callee has induced negative consequence for caller +due to actions of the former. To not have to depend on another program (and +thereby not have to add it to its [[tcb]]), it is necessary that the +caller only make itself vulnerable to destructive inference in ways that +can be detected and from which it can recover. 
+ +Mark Miller examines the idea of destructive interference in his PhD thesis +[Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control](http://www.erights.org/talks/thesis/). |
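Review bot: The paragraph beginning "The problem is that the callee..." says "vulnerable to destructive inference"; on a page that defines destructive interference this should read "destructive interference", otherwise the requirement that the caller be able to detect and recover from it refers to an undefined term. In the Solitaire paragraph, "all of the users files" needs the possessive ("user's"), and "This type of interference is undesirable, however, generally practically unavoidable" would read more clearly as "undesirable but, in practice, generally unavoidable". The commit message "Add some more wiki links" also does not match the change, which creates destructive_interference.mdwn as a new 39-line file; a message saying that a new page is added would make the history easier to follow.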