Gilad Bracha
Gilad's posts

Post has attachment
And now, for some good news: I'm honored to receive the Dahl-Nygaard prize:

+Ross Tate won as well, and truly deserves it. Most recently Ross, together with Nada Amin, showed the Java type system is unsound.

Post has attachment
Tough love for Smalltalkers. My keynote at Smalltalks 2016: where Smalltalk and its community could do better:

Post has attachment
Illiterate Programming
I have long been a fan of literate programming, especially live literate programming. I wrote a brief note about the topic a while ago, but for various reasons did not distribute it. Recently, the early release of Eve (very nice work) has injected some ne...

Post has shared content
Save the date! We're looking forward to meeting you in Munich for the annual Dart developer summit.

Post has attachment
My book on Dart is available in physical form today. Thanks to all that made it finally happen after so many delays.

Post has shared content
Why capabilities? Short statement for SOSP History Day.

SOSP History Day was a superb event. It was all recorded and the recordings will be made public. Capabilities were repeatedly mentioned in the presentations much more often than I expected, and mostly positively.

I was on a panel at the end of the day whose topic was "Is Security a Hopeless Quest?"
Each panelist opened with a 5 minute statement. I tried to boil down the case for capabilities into the shortest clearest statement I could for an informed audience. Here is what I said. Feel free to forward. 

In the ‘70s, there were two main access control models:
the identity-centric model of access-control lists
and the authorization-centric model of capabilities.
For various reasons the world went down the identity-centric path,
resulting in the situation we are now in.
On the identity-centric path, why is security likely a hopeless quest?

When we build systems, we compose software written by different people.
These composed components may cooperate as we intend,
or they may destructively interfere.
We have gotten very good at avoiding accidental interference
by using abstraction mechanisms and designing good abstraction boundaries.
By composition, we have delivered astonishing functionality to the world.

Today, when we secure systems, we assign authority to identities.
When I run a program, it runs as me.
The square root function in my math library can delete my files.
Although it does not abuse this excess authority,
if it has a flaw enabling an attacker to subvert it,
then anything it may do, the attacker can do.
It is this excess authority that invites most of the attacks we see in the world today.

By contrast, when we secure systems with capabilities,
we work with the grain of how we organize software for functionality.
At every level of composition,
from programming language to operating systems to distributed services,
we design abstraction boundaries so that a component’s interface
only requires arguments that are somehow relevant to its task.
If such argument passing were the only source of authority,
we would have already taken a huge step towards least authority.
If most programs only ran with the least authority they need to do their jobs,
most abuses would be minor.

I do not imagine a world with fewer exploitable bugs.
I imagine a world in which much less is at risk to most bugs.
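
The contrast drawn in the statement above, as an added example that is not part of the original post: one word counter that runs with the caller's full authority, and one whose only authority is the argument it was handed. `ReadOnlyDir`, `count_words` and the file names are hypothetical, and Python itself still exposes ambient authority (`open`, `os`), so this shows the interface discipline rather than enforcement.

```python
import os
import tempfile


class ReadOnlyDir:
    """Capability: read access to files under one directory, nothing else."""

    def __init__(self, root):
        self._root = os.path.realpath(root)

    def read_text(self, name):
        # Confine the lookup: resolve symlinks and '..' before checking.
        path = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, path]) != self._root:
            raise PermissionError(f"{name!r} is outside this capability")
        with open(path, encoding="utf-8") as fh:
            return fh.read()

    def only(self, name):
        """Attenuate: derive a capability for a single file."""
        return lambda: self.read_text(name)


def count_words_ambient(path):
    # Identity-centric style: names any path, runs with all of the caller's authority.
    with open(path, encoding="utf-8") as fh:
        return len(fh.read().split())


def count_words(read):
    # Capability style: the only authority is the argument it was handed.
    return len(read().split())


def demo():
    # Constructed sample files in a throwaway directory.
    with tempfile.TemporaryDirectory() as top:
        os.mkdir(os.path.join(top, "docs"))
        for rel, text in (("docs/note.txt", "least authority by argument passing"),
                          ("secret.txt", "not for the word counter")):
            with open(os.path.join(top, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        cap = ReadOnlyDir(os.path.join(top, "docs"))
        words = count_words(cap.only("note.txt"))
        try:
            cap.read_text("../secret.txt")
        except PermissionError:
            return words, False  # the capability did not reach outside docs/
        return words, True
```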

Post has shared content
Ignore the adversarial hype; we basically agree. In any case, after a few decades, the world has caught up, and optional/gradual types are going mainstream. Live programming is next, and Newspeak style modularity will get there in time.
Types for an untyped world...

Post has attachment
At ECOOP, I'll be participating in a discussion about optional types: where they came from, what they are, where they're going.