Date: Fri, 9 Aug 2013 14:48:34 -0400
From: Steven Bellovin <smb@cs.columbia.edu>
To: darrenr@NetBSD.org
Cc: tech-net@NetBSD.org, Mindaugas Rasiukevicius <rmind@NetBSD.org>, guy@alum.mit.edu, freebsd-net@freebsd.org
Subject: Re: BPF_MISC+BPF_COP and BPF_COPX
Message-ID: <38CDC9BB-09C7-4241-8746-163BD15B80EC@cs.columbia.edu>
In-Reply-To: <5203535D.2040508@netbsd.org>
References: <20130804191310.2FFBB14A152@mail.netbsd.org> <5202693C.50608@netbsd.org> <20130807175548.1528014A21F@mail.netbsd.org> <5203535D.2040508@netbsd.org>
On Aug 8, 2013, at 4:14 AM, Darren Reed <darrenr@NetBSD.org> wrote:

> No. It's not about calling a function, it is about proving the BPF
> program is correct and secure.
>
> BPF today is essentially assembly language operations that are all
> easily tested and verified.

There's a one-word summary: *assurance*. With the current design, it's easy to *know* what can happen. With a Turing-complete extension, it isn't. Assurance is often what separates actually secure systems from ones that are merely claimed to be secure.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
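The kind of checking the two messages above are talking about, as an added example that is not part of the thread and is not NetBSD's or FreeBSD's bpf_validate(): a self-contained C checker for classic BPF that enforces the properties which make a program's behaviour knowable by inspection (every jump forward and in range, scratch-memory indices bounded, no constant division by zero, a terminating RET), plus a static worst-case instruction count that exists only because classic BPF has no backward jumps. The CBPF_ names, the cbpf_* functions, the sample programs and the 0x20 placeholder MISC opcode are this example's own assumptions and do not describe the BPF_COP proposal's encoding; the opcode values mirror the classic BPF encoding. Anything under the MISC class other than the two register moves is refused, which is exactly where a call out to native code would fall.

```c
/* Added illustration, not NetBSD/FreeBSD code: a static checker for classic
 * BPF modelled on the kind of checks bpf_validate() does, plus a worst-case
 * step bound.  Opcode values mirror classic BPF; the struct mirrors bpf_insn. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { /* class = code & 7 */ CBPF_LD = 0x00, CBPF_LDX = 0x01, CBPF_ST = 0x02, CBPF_STX = 0x03,
       CBPF_ALU = 0x04, CBPF_JMP = 0x05, CBPF_RET = 0x06, CBPF_MISC = 0x07,
       /* ld size / mode */ CBPF_W = 0x00, CBPF_H = 0x08, CBPF_B = 0x10, CBPF_IMM = 0x00,
       CBPF_ABS = 0x20, CBPF_IND = 0x40, CBPF_MEM = 0x60, CBPF_LEN = 0x80, CBPF_MSH = 0xa0,
       /* alu / jmp op and source */ CBPF_DIV = 0x30, CBPF_MOD = 0x90, CBPF_JA = 0x00,
       CBPF_JEQ = 0x10, CBPF_K = 0x00, CBPF_X = 0x08,
       /* misc: classic BPF has only the two register moves */ CBPF_TAX = 0x00, CBPF_TXA = 0x80,
       CBPF_MAXINSNS = 512, CBPF_MEMWORDS = 16 };

#define CBPF_CLASS(c)  ((c) & 0x07)
#define CBPF_MODE(c)   ((c) & 0xe0)
#define CBPF_OP(c)     ((c) & 0xf0)
#define CBPF_SRC(c)    ((c) & 0x08)
#define CBPF_MISCOP(c) ((c) & 0xf8)

struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define STMT(c, k)       { (uint16_t)(c), 0, 0, (uint32_t)(k) }
#define JUMP(c, k, t, f) { (uint16_t)(c), (uint8_t)(t), (uint8_t)(f), (uint32_t)(k) }

/* Returns 1 if the program's behaviour is bounded by inspection; otherwise 0,
 * with *why naming the rule broken and *at the offending instruction index. */
int cbpf_validate(const struct cbpf_insn *f, size_t len, const char **why, size_t *at)
{
    size_t i;
    *at = 0;
    if (len == 0 || len > CBPF_MAXINSNS) { *why = "bad length"; return 0; }
    for (i = 0; i < len; i++) {
        const struct cbpf_insn *p = &f[i];
        size_t room = len - (i + 1);          /* jump offsets are relative to the next insn */
        *at = i;
        switch (CBPF_CLASS(p->code)) {
        case CBPF_LD: case CBPF_LDX:
            if (CBPF_MODE(p->code) == CBPF_MEM && p->k >= CBPF_MEMWORDS) { *why = "scratch index out of range"; return 0; }
            if (CBPF_MODE(p->code) > CBPF_MSH) { *why = "unknown load mode"; return 0; }
            break;
        case CBPF_ST: case CBPF_STX:
            if (p->k >= CBPF_MEMWORDS) { *why = "scratch index out of range"; return 0; }
            break;
        case CBPF_ALU:
            if ((CBPF_OP(p->code) == CBPF_DIV || CBPF_OP(p->code) == CBPF_MOD) &&
                CBPF_SRC(p->code) == CBPF_K && p->k == 0) { *why = "division by constant zero"; return 0; }
            break;
        case CBPF_JMP:   /* offsets are unsigned, so every jump goes forward: no loops */
            if ((CBPF_OP(p->code) == CBPF_JA) ? (p->k >= room) : (p->jt >= room || p->jf >= room)) {
                *why = "jump target out of range"; return 0; }
            break;
        case CBPF_MISC:  /* a call into native code would land here: nothing a pass over
                          * the instruction stream can say about it, so it is refused */
            if (CBPF_MISCOP(p->code) != CBPF_TAX && CBPF_MISCOP(p->code) != CBPF_TXA) {
                *why = "unsupported MISC opcode"; return 0; }
            break;
        }
    }
    if (CBPF_CLASS(f[len - 1].code) != CBPF_RET) { *at = len - 1; *why = "program does not end in RET"; return 0; }
    *why = "ok"; return 1;
}

/* Worst-case instruction count for a program cbpf_validate() accepted: forward-only
 * jumps make the control-flow graph a DAG, so one backward pass finds the longest path. */
size_t cbpf_max_steps(const struct cbpf_insn *f, size_t len)
{
    size_t steps[CBPF_MAXINSNS], i = len;
    while (i-- > 0) {
        const struct cbpf_insn *p = &f[i];
        size_t a = i + 1, b = i + 1;          /* fall-through successors */
        if (CBPF_CLASS(p->code) == CBPF_RET) { steps[i] = 1; continue; }
        if (CBPF_CLASS(p->code) == CBPF_JMP) {
            if (CBPF_OP(p->code) == CBPF_JA) a = b = a + p->k;
            else { a += p->jt; b += p->jf; }
        }
        steps[i] = 1 + (steps[a] > steps[b] ? steps[a] : steps[b]);
    }
    return steps[0];
}

/* Constructed samples.  ip_tcp is "ip and tcp" as tcpdump -d prints it:
 *  (000) ldh [12]  (001) jeq #0x800 jt 2 jf 5  (002) ldb [23]
 *  (003) jeq #0x6 jt 4 jf 5  (004) ret #65535  (005) ret #0 */
const struct cbpf_insn ip_tcp[] = {
    STMT(CBPF_LD | CBPF_H | CBPF_ABS, 12), JUMP(CBPF_JMP | CBPF_JEQ | CBPF_K, 0x0800, 0, 3),
    STMT(CBPF_LD | CBPF_B | CBPF_ABS, 23), JUMP(CBPF_JMP | CBPF_JEQ | CBPF_K, 0x06, 0, 1),
    STMT(CBPF_RET | CBPF_K, 0xffff),       STMT(CBPF_RET | CBPF_K, 0) };
const struct cbpf_insn bad_jump[] = { /* jf points past the end of the program */
    JUMP(CBPF_JMP | CBPF_JEQ | CBPF_K, 0x0800, 0, 9), STMT(CBPF_RET | CBPF_K, 0) };
const struct cbpf_insn bad_div[] = {  /* A /= 0 with a constant divisor */
    STMT(CBPF_ALU | CBPF_DIV | CBPF_K, 0), STMT(CBPF_RET | CBPF_K, 0) };
const struct cbpf_insn bad_misc[] = { /* 0x20 is a placeholder MISC op, not the proposal's encoding */
    STMT(CBPF_MISC | 0x20, 0), STMT(CBPF_RET | CBPF_K, 0) };

#define N(a) (sizeof(a) / sizeof((a)[0]))
const char *cbpf_verdict(const struct cbpf_insn *f, size_t len)
{ const char *why; size_t at; cbpf_validate(f, len, &why, &at); return why; }

int main(void)
{
    printf("ip_tcp:   %s, at most %zu instructions execute\n",
           cbpf_verdict(ip_tcp, N(ip_tcp)), cbpf_max_steps(ip_tcp, N(ip_tcp)));
    printf("bad_jump: %s\nbad_div:  %s\nbad_misc: %s\n", cbpf_verdict(bad_jump, N(bad_jump)),
           cbpf_verdict(bad_div, N(bad_div)), cbpf_verdict(bad_misc, N(bad_misc)));
    return 0;
}
```

The step bound is the concrete form of "easy to know what can happen": because no jump can go backwards, the checker can say before the filter ever runs that ip_tcp executes at most 5 instructions on any packet. An instruction that transfers control to an arbitrary native function has no such bound, which is why the MISC case above refuses everything it does not recognise rather than trying to reason about it.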