blob: c41e5a36f478f11b0caa650f57ffcc53c3fcb50a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
[[meta copyright="Copyright © 2007, 2008 Free Software Foundation, Inc."]]
[[meta license="""[[toggle id="license" text="GFDL 1.2+"]][[toggleable
id="license" text="Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license
is included in the section entitled
[[GNU_Free_Documentation_License|/fdl]]."]]"""]]
Interference can be destructive or non-destructive. When a [[principal]]
invokes an object (thereby requesting a service) and the implementation
carries out the principal's intent, the interference was non-destructive
in the sense that the interference was desired.
In invoking the object, the principal may make itself vulnerable to
destructive interference. When a user runs Solitaire on Windows,
the Solitaire program is instantiated and given all of the user's
authority. The program may delete all of the users files after
publishing credit card and other sensitive information on the Internet.
This type of interference is undesirable, however, generally practically
unavoidable due to the way programs work on Windows (and Unix, for that
matter).
The problem is that the callee has induced negative consequence for caller
due to actions of the former. To not have to depend on another program (and
thereby not have to add it to its [[tcb]]), it is necessary that the
caller only make itself vulnerable to destructive inference in ways that
can be detected and from which it can recover.
Mark Miller examines the idea of destructive interference in his PhD thesis
[Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control](http://www.erights.org/talks/thesis/).
|