RE: [xml-dev] XML is Mobile Code? [was: Defining an XML vocabulary: specify syntax, semantics, and BEHAVIOR?]

Well, terrorists can blow up an aeroplane by sending the SMS message "Hello
world" to a suitably configured mobile phone. All data is executable code,
given a suitable interpreter. Anyone who thinks they can achieve security by
monitoring the data sent over a network (e.g. by prohibiting attachments
with the file extension .ZIP or .XML) is either extremely naive, or
pragmatic enough to know that it's only a very small part of the solution.

Michael Kay
http://www.saxonica.com/

> -----Original Message-----
> From: Costello, Roger L. [mailto:costello@mitre.org] 
> Sent: 12 April 2008 12:16
> To: xml-dev@lists.xml.org
> Subject: [xml-dev] XML is Mobile Code? [was: Defining an XML 
> vocabulary: specify syntax, semantics, and BEHAVIOR?]
> 
> Hi Folks,
> 
> It just occurred to me ...
> 
> We have determined that XML has two primary roles:
> 
>     1. Encode behavior (instructions)
> 
>     2. Encode data
> 
> [Len, what does it mean to "encode script nodes?"]
> 
> In its first role (encoding behavior), XML is mobile code.  
> For example, the XSLT vocabulary is an encoding of a certain 
> behavior (i.e.
> an encoding of a certain set of instructions), and when you 
> transport an XSLT document across the Internet, you are 
> transporting code. 
> 
> When you transport, say, JavaScript code across the Internet, 
> you know the extent of the security implications since 
> JavaScript is a bounded syntax with bounded capabilities (and 
> a bounded set of security problems).
> 
> But XML is unbounded, and the types of behavior that may be 
> encoded in XML are unbounded.  Thus, there is no way, in 
> general, to assess the extent of the security implications 
> for arbitrary XML documents.
> Yikes!  
> 
> I am surely missing something.  Please tell me where my thinking errs.
> 
> /Roger