Re: [xml-dev] XML is Mobile Code? [was: Defining an XML vocabulary: specify syntax, semantics, and BEHAVIOR?]
- From: "bryan rasmussen" <rasmussen.bryan@gmail.com>
- To: "Costello, Roger L." <costello@mitre.org>
- Date: Sat, 12 Apr 2008 13:49:10 +0200
Well, the 'boundedness' of the code is determined by the processor
which implements the specification. Boundedness is generally a
function of environmental limitations; see Principle of Least
Privilege. The example you gave was XSL-T; as a general rule, while
XSL-T is a Turing-complete language like JavaScript, it tends to have
less privilege than JavaScript.
Cheers,
Bryan Rasmussen
On Sat, Apr 12, 2008 at 1:15 PM, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Folks,
>
> It just occurred to me ...
>
> We have determined that XML has two primary roles:
>
> 1. Encode behavior (instructions)
>
> 2. Encode data
>
> [Len, what does it mean to "encode script nodes?"]
>
> In its first role (encoding behavior), XML is mobile code. For
> example, the XSLT vocabulary is an encoding of a certain behavior (i.e.
> an encoding of a certain set of instructions), and when you transport
> an XSLT document across the Internet, you are transporting code.
>
> When you transport, say, JavaScript code across the Internet, you know
> the extent of the security implications since JavaScript is a bounded
> syntax with bounded capabilities (and a bounded set of security
> problems).
>
> But XML is unbounded, and the types of behavior that may be encoded in
> XML are unbounded. Thus, there is no way, in general, to assess the
> extent of the security implications for arbitrary XML documents.
> Yikes!
>
> I am surely missing something. Please tell me where my thinking errs.
>
> /Roger
>
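
The reply's point, that the bound comes from the processor and the privileges its environment grants rather than from the XML syntax, sketched as an added example that is not part of the original thread. The instruction vocabulary, the capability names and the `Processor` class are hypothetical, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed document in a hypothetical instruction vocabulary (not a real standard).
SCRIPT = """<script>
  <set name="greeting" value="hello"/>
  <emit var="greeting"/>
  <read-file path="/etc/hostname"/>
  <open-socket host="example.invalid"/>
</script>"""

class Denied(Exception):
    """The document asked for something this host did not grant or implement."""

class Processor:
    # Instructions this processor implements, and the capability each needs.
    REQUIRES = {"set": "compute", "emit": "output", "read-file": "fs-read"}

    def __init__(self, granted):
        self.granted = frozenset(granted)
        self.vars, self.output = {}, []

    def run(self, xml_text):
        for node in ET.fromstring(xml_text):
            need = self.REQUIRES.get(node.tag)
            if need is None:  # default deny: unknown vocabulary is inert
                raise Denied(f"<{node.tag}>: not implemented by this processor")
            if need not in self.granted:
                raise Denied(f"<{node.tag}>: capability '{need}' not granted")
            getattr(self, "_" + node.tag.replace("-", "_"))(node)
        return self.output

    def _set(self, node):
        self.vars[node.get("name")] = node.get("value")

    def _emit(self, node):
        self.output.append(self.vars.get(node.get("var"), ""))

    def _read_file(self, node):
        with open(node.get("path"), encoding="utf-8") as fh:
            self.output.append(fh.read())

def audit(xml_text, granted):
    """Return (output produced before stopping, denial reason or None)."""
    proc = Processor(granted)
    try:
        proc.run(xml_text)
        return proc.output, None
    except Denied as exc:
        return proc.output, str(exc)
```

Running `audit(SCRIPT, {"compute", "output"})` stops at `<read-file>`; the same document under a processor granted `fs-read` gets further, and `<open-socket>` is refused by every configuration because this processor never implements it.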