What's New with E?

Google Techtalk series on ABAC - Authorization Based Access Control

Robust Composition:
Towards a Unified Approach to Access Control and Concurrency Control

MarkM's dissertation. Explains the rationale, philosophy, and goals of E and related systems.

Supersedes Paradigm Regained, Concurrency Among Strangers, and The Structure of Authority.

SCOLL:
A Language for Safe Capability Based Collaboration

by Yves Jaradin, Fred Spiessens, & Peter van Roy

Provides a formal system for reasoning about safe bounds on authority (as defined in Robust Composition).

The E-on-Common-Lisp Project Kevin Reid's reimplementation of E on Common Lisp continues to make progress. This project now has its own page.

The E Surprise List Kevin's list of surprising things about E is worth a look.

Progress on E parser in Antlr E. Dean Tribble's Antlr-based parser for E is now in the E distribution, and accepts almost all E code in the distribution.

Bug database moved to Sourceforge Thanks to Steve Jenson for preserving continuity of our bug database following the loss of the previous site.

Concurrency Among Strangers:
Programming in E as Plan Coordination

by Mark S. Miller, E. Dean Tribble, Jonathan Shapiro

Explains E's concurrency control & distributed computing model.

Safer Scripting Through Precompilation

by Ben Laurie

Explains "CaPerl", Ben's attempt at a capability-safe variant of Perl.

Polaris:
Towards Virus Safe Computing for Windows XP

by Marc Stiegler, Alan H. Karp, Ka-Ping Yee, Mark Miller Shows how to apply the lessons of CapDesk to secure legacy apps running on legacy OSes, in order to create a desktop that's safer, more functional, and more usable at the same time. Requires only that the legacy OS provide a working ACL system.

Plash:
the Principle of Least Authority Shell

by Mark Seaborn A bash-like shell for Unix, in which filename arguments grant the program authority to access those files.

The Oz-E Project:
Design Guidelines for a Secure Multiparadigm Programming Language

by Fred Spiessens, Peter Van Roy Explores the issues in making an object-capability-secure variant of the Oz language. The lessons here should prove useful in making an obj-cap-secure variant of any memory-safe language whose underlying formalism is consistent with obj-cap-security.

The L Programming Language & System

by Anthony Hannan A minimal language with many of the goals of E and Smalltalk.

The Structure of Authority:
Why security is not a separable concern

by Mark S. Miller, Bill Tulloh, Jonathan Shapiro A tour of POLA integrated across four levels, from humans to objects. Least authority is fractal!

Origins of the Non-Delegation Doctrine

by Nick Szabo Applies POLA to constitutional law.

Causeway:
A message-oriented distributed debugger

by Terry Stanley, Mark Miller
from an idea by E. Dean Tribble Browse the causal graph of events in your distributed computation with a follow the process view, or our new follow the conversation view.

Donut-Lab A PlanetLab with no center. An example of what can be accomplished in E in 72 hours.

The E Language Wiki Embedded in an impressive web of links to related material, such as CapabilitySecurityModel, a nice taxonomy of kinds of capability systems.

Handling Symbolic Data The debut of a new section of this website. Explains E's term-trees and serialization.

The Den Project
A distributed mud system written in E Kevin Reid's prototype towards a decentralized, persistent, secure, social virtual reality; to support mutual suspicion between parts of its world. This is the application area E was originally created for.

MILOSProject
Bringing capability security to Mozart/OZ As part of this effort, Fred Spiessens is using pi-calculus to try formalizing the notions of "authority" and "causality" used in Paradigm Regained.

YURL.net launches

Tyler Close and Sue Butler brings the y property (the lambda/object-capability theory of naming) to the web.

E will be switching from VatTP and cap:// URIs to the httpsy protocol and httpsy:// URLs. (Separately, CapTP will be switching from Java serialization to Data-E.)

We are making progress towards having a local (non-distributed) headless (without a UI toolkit) E compiled through GCJ. This should make for an easier install of E and of apps written in E. It will also enables linking with C code through CNI, which is both simpler and higher performance than JNI.

Paradigm Regained:
Abstraction Mechanisms for Access Control Actual policies are enforced by building abstractions on base mechanisms. Capabilities support this practice. Most formal analysis has missed this source of power. (Discussion thread root.)

The SkyNet Virus
Why it is Unstoppable;
How to Stop it

Marc Stiegler explains what it means to apply the Principle of Least Authority (POLA) consistently, at both the programming level (using capabilities) and user-interface level (demonstrating CapDesk).
Includes both slides and video.

Building a Virus-Safe Computing Platform:
Don't add security. Remove insecurity. Mark Miller explains how capabilities recursively reduce vulnerabilities by making the access matrix fractal.

Institutions as Abstraction Boundaries:
Negotiated Categories and the Self-Reorganization of the Market Order

Economies and object systems both compose knowledge by coordinating the plans of mutually suspicious parties, by using abstraction in similar ways. Bill Tulloh and Mark Miller apply object concepts to understand the role of abstraction in economic activity.

Safe Serialization Under Mutual Suspicion Conventional "language" technology give us only separate single machine ephemeral object-capability graphs. Serialization -- with the security properties explained here -- is the fabric for stitching these together into a virtual distributed persistent graph.

Escape from Multithreaded Hell Stefan Reich's slide presentation pulls together for the first time many aspects of E's concurrency into a single coherent explanation. The original in German.

E Code Library project on SourceForge.net! Run by Darius Bacon, who is making progress on Smallcaps and ENative at this site.

Dean starts the E-on-Squeak project Whereas Squeak-E is a variant of Squeak with features from E, E-on-Squeak is E itself, implemented on the Squeak virtual machine. The Squeak virtual machine is far more suited to running E than is the JVM. Read the thread starting here.

E at JHU and HP Labs MarkM changes jobs in order to keep working on the same thing. E stays open.

The Squeak-E Swiki

The home page of the Squeak-E project; building a capability secure distributed Smalltalk.

Capability Myths Demolished

gives a brief history of how capabilities have been misunderstood, and sets the record straight.

Read Usenix2003's rejection of our paper, including Boebert's take on his "On the Inability of an Unmodified Capability System to Enforce the *-Property ", which we cite.

User Interaction Design for Secure Systems Ka-Ping Yee's paper openning up this whole new area of inquiry has just been accepted by the 4th International Conference on Information and Communications Security. (CapDesk largely follows these principles.)

E supports SWT starting with the 0.8.21 release. SWT, the Standard Widget Toolkit, is IBM's alternative to Swing. Unlike Swing, it's simple enough to be tamed (made to follow capability discipline).

Progress towards Auditors Ping is doing Auditors for E as a class project.

Squeak-E Rob Withers and other Squeakers start implementing E semantics in Squeak.

Distributed Updoc and the evalServerPool In 0.8.17, Terry Stanley has Updoc farm out work to a distributed pool of evalServers.

A Security Analysis of the Combex DarpaBrowser Architecure
by David Wagner and Dean Tribble This Darpa sponsored security review concludes by saying:

We wish to emphasize that the web browser exercise was a very difficult problem. It is at or beyond the state of the art in security, and solving it seems to require invention of new technology. If anything, the exercise seems to have been designed to answer the question: Where are the borders of what is achievable? The E capability architecture seems to be a promising way to stretch those borders beyond what was previously achievable, by making it easier to build security boundaries between mutually distrusting software components. In this sense, the experiment seems to be a real success. Many open questions remain, but we feel that the E capability architecture is a promising direction in computer security research and we hope it receives further attention.
[emphasis added]

At the coming O'Reilly Emerging Technology Conference:

MarcS shows CapDesk, and explains how E, capabilities, caplets, and POLA (the Principle Of Least Authority) bring about an intuitive secure desktop invulnerable to viruses.

E 0.8.12 released, with CapDesk and the DarpaBrowser. (This is no longer the current release of E.) This is the release about to be subjected to a security review by David Wagner and Dean Tribble. We'll let you know how it goes!

Combex™ pages debut The for-profit facet of the E project.

The Digital Path:
Smart Contracts and the Third World Our draft paper, and our best explanation to date of smart contracts, accepted to Austrian Perspectives on the New Economy.

Mac OS X support is finally here, in E 0.8.10 !! Many thanks to Chris Hibbert and Charles Evans!

MarcS' eDesk debuts in 0.8.10delta4 Conventional seeming gui desktop environment for installing and running caplets in which authorization is intuitively bundled in with conventional user designation actions.

0.8.10gamma2: Development paths join. Dean's transformer (see below) in now integrated into the main development path. This is the first release to have both CapTP and the speed of offset-based (rather than name-based) variable access.

0.8.10alpha1: A brave new CapTP (our cryptographic capability protocol).

This is the first release of E to be distributed (with full pipelining support, but no 3vat introductions yet), persistent (sort-of), and to support and confine locally untrusted code. The is the new current E distribution.

The Dean-Transformer Release The new release 0.8.9t.1 (a side branch off 0.8.9t) contains Dean's wonderful new transformer, making interpretation faster, and taking a big step towards a compiler.

Bug Reporting and Tracking Due to the generous efforts of Steve Jenson (Thanks!), we now have a real live bug tracking system. We're using the SourceForge software as installed by Steve on his own server.

What's Updoc? Updoc turns documentation with embedded code examples into readable and maintainable regression tests. As explained here and here, this web site is already starting to do double duty as a test suite for E.

Combex gets money to work on E! Combex is our startup dedicated to exploiting the commercial potential for E, distributed cyptographic capabilities, and smart contracting. As explained here, thanks to the military industrial complex, our startup has now started up, and we should be going into high speed on E development.

Secure UI Draft Design

Miriam Walker & Ka-Ping Yee break important new ground: A secure graphical user interface for interacting with a general purpose secure platform.

Even more important: their seven principles of secure UI design!