PJ6 said:
> I just don't see a necessary correlation between the power of a language
> and its ability to do damage
The more powerful the language, the more complex it is. And the more
complex it is, the harder it is to prove theorems about it. And the harder
it is to prove theorems about it, the harder it is to prove that it cannot
deal damage (this is a gross oversimplification of Gödel's Incompleteness
Theorem).
> Proper design should separate object creation/execution and whatever else
> the language allows at runtime from direct system access.
The question isn't whether or not the program will be harmful if it is
properly designed; the question is rather, how can we guarantee that the
program will not be able to damage the client's computer, even if the author
of the program was malicious and trying to circumvent every security measure
we put in place?
If you create a language which cannot read or write files, then you
don't have to worry about a malicious program deleting all the files on the
client's computer, or worry about it reading sensitive data. But then you
have a "crippled language".
> Java has this whole "virtual machine" thing (which I admit I know very
> little about); it would seem to me not an overly difficult (if
> labor-intensive) concept to apply security restrictions to the Framework
> as a whole, to allow WinForms-style functionality over the web.
In theory, it isn't too difficult. In practice though, these frameworks
contain a LOT of code, and any software which contains a lot of code
inevitably has bugs in it. And if the bug happens to be in a
security-enforcing module, then you're in big trouble.
- Oliver
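The design point both posters circle around (keep the language's evaluator pure and let the host decide which system primitives a program may call) can be shown in a few dozen lines. The following is an added example, not code from the thread or from any real language runtime: a tiny nested-list interpreter whose only route to the outside world is a capability dictionary the host passes in. The mini-language, `run`, `read_only_dir` and `CapabilityError` are this example's own names.

```python
"""Capability-style sandboxing sketch (added example, not from the thread).

Programs are nested lists: [op, arg, ...].  Ints and strs are literals,
["var", name] reads a binding, ["let", name, value, body] binds one, and
["if", cond, then, other] branches.  Arithmetic and string operations are
always available because they cannot touch the host.  Anything else must
be handed in by the host as a capability, so a malicious program cannot
"find" file access that the evaluator never exposes.
"""
import operator
import os
import tempfile


class CapabilityError(Exception):
    """Raised when a program calls a primitive the host did not grant."""


# Pure primitives: no side effects, no way to reach the file system.
PURE = {
    "+": operator.add, "-": operator.sub, "*": operator.mul,
    "<": operator.lt, "=": operator.eq,
    "len": len, "concat": lambda a, b: a + b,
}


def run(expr, caps=None, env=None):
    """Evaluate expr.  caps maps primitive names to host-supplied callables."""
    caps = {} if caps is None else caps
    env = {} if env is None else env
    if not isinstance(expr, list):            # literal int or str
        return expr
    head, *args = expr
    if head == "var":
        return env[args[0]]
    if head == "let":
        name, value, body = args
        return run(body, caps, {**env, name: run(value, caps, env)})
    if head == "if":
        cond, then, other = args
        return run(then if run(cond, caps, env) else other, caps, env)
    vals = [run(a, caps, env) for a in args]  # strict evaluation of arguments
    if head in PURE:
        return PURE[head](*vals)
    if head in caps:
        return caps[head](*vals)
    raise CapabilityError(f"primitive {head!r} was not granted to this program")


def read_only_dir(root):
    """Host-side capability: read files, but only inside one directory."""
    root = os.path.realpath(root)

    def read_file(name):
        path = os.path.realpath(os.path.join(root, name))
        # Reject anything that resolves outside the granted directory.
        if os.path.commonpath([root, path]) != root:
            raise CapabilityError("path escapes the granted directory")
        with open(path) as f:
            return f.read()

    return {"read_file": read_file}


def demo():
    """Run the same file-reading program with and without a capability."""
    results = {}
    pure_prog = ["let", "x", 6, ["*", ["var", "x"], 7]]
    results["pure"] = run(pure_prog)                    # computation needs no caps
    file_prog = ["len", ["read_file", "notes.txt"]]
    try:
        run(file_prog)                                  # host granted nothing
        results["ungranted"] = "allowed"
    except CapabilityError:
        results["ungranted"] = "denied"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("hello")                            # constructed sample file
        caps = read_only_dir(d)
        results["granted"] = run(file_prog, caps)       # same program, now allowed
        try:
            run(["read_file", "../outside.txt"], caps)  # constructed escape attempt
            results["escape"] = "allowed"
        except CapabilityError:
            results["escape"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The evaluator itself is the part that would need to be proven safe, and it is small enough to audit: every effect goes through `caps`, so the security-relevant surface is the handful of host functions rather than the whole language. That is also where Oliver's caveat bites: a bug in `read_file`'s path check would be a bug in the one security-enforcing module that matters.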