From: Erika Rice (erice@cs.washington.edu)
Date: Sun Nov 14 2004 - 18:13:20 PST
"Upgrading Transport Protocols using Untrusted Mobile Code" by Parveen
Patel, Andrew Whitaker, David Wetherall, Jay Lepreau, and Tim Stack:
This paper describes STP, a framework for developing self-spreading
transport protocols. This framework would allow the rapid deployment of
beneficial new protocols with little effort, even when both ends of a
connection need to use the protocol for it to be effective. The key
point of the framework is that it provides a safe API to the kernel so
that protocols can be run even if the code is untrusted. This aids fast
deployment by encouraging machines to spread code to each other when
they want to use a certain protocol without having to take the risk of
that code accidentally or maliciously abusing the privileges of
running in the kernel.
The system combines the use of a memory and type safe language with
monitoring to make sure that protocols do not do bad things. While both
of these are very good first steps, I would have liked to see some more
discussion of why this method and their code gives the safety that they
claim (i.e., being able to monitor protocols and determine when it
is necessary to stop them). Specifically, can their algorithms be
formally proven to do what they claim? Can the code be proven to
correctly implement the algorithm? What might be the things one would
need to show to prove this sort of safety? Because flaws in either the
theoretical architecture or the actual implementation would represent
serious security risks, knowing what components are most in need of
verification should be a top priority.