ERights Home talks 
Back to: Smart Contracts talk On to: Immunity from Viruses

Building a Virus-Safe Computing Platform

Building a Virus-Safe Computing Platform:
Don't Add Security, Remove Insecurity

Talk given at the Information Theory Seminar of Hewlett Packard Laboratories, and at the Stanford Computer Systems Laboratory Colloquium.


  • Powerpoint 2002 or later (Mac OS X users report that KeyNote renders this well, but Powerpoint for the Mac does not)
  • pdf (a bit stale)
  • no html pages yet. Can anyone still generate html from Powerpoint without embedded Javascript?
  • no OpenOffice yet. When OpenOffice reads in the Powerpoint, it's not a pretty sight.


When you run Solitaire, why can it delete any file you can? Such pervasive excesses of access rights cause our vulnerability to viruses and more. For thirty years, mainstream systems -- such as today's Unixes, Windows, Java, .NET -- have been built on two conflicting logics of access: capabilities and ACLs. They unsuccessfully provide security using ACL logic. They successfully provide functionality using modularity and abstraction mechanisms which follow capability logic.

E, a distributed secure object-capability language, is the plumbing underneath CapDesk, the virus-safe desktop demonstrated in Marc Stiegler's earlier talk on the "SkyNet Virus". E's security derives mostly by removing from conventional objects all causal pathways outside the pure object model -- leaving only capability-based access. Rather than making users chose between functionality and security, we use one access paradigm to provide both together. As an example, we show secure distributed money implemented in 15 lines of readable E code.


Mark S. Miller is the Chief Architect of the Virus Safe Computing Initiative at Hewlett-Packard Laboratories, and is the Open Source Coordinator of the E Project at He is a designer of several secure distributed programming languages including Vulcan for Xerox PARC, Trusty Scheme for AutoDesk, Joule for Agorics and Fujitsu, Tclio for Sun Labs, and E for Electric Communities,, and Combex. As founder and CTO of Combex, Mark fashioned E into the platform used for CapDesk -- a Darpa-sponsored prototype of a virus-safe distributed desktop and application launching framework.

Mark was drawn into security by pursuit of another dream. He is a co-creator of the agoric paradigm of market-based adaptive distributed secure computation. He is also a founder of Agorics, a company started to capitalize on agoric computing ideas.

Unless stated otherwise, all text on this page which is either unattributed or by Mark S. Miller is hereby placed in the public domain.
ERights Home talks 
Back to: Smart Contracts talk On to: Immunity from Viruses
Download    FAQ    API    Mail Archive    Donate

report bug (including invalid html)

Golden Key Campaign Blue Ribbon Campaign