implementing sandboxes with capabilities

Robert Withers withers at vnet.net
Wed Apr 12 00:22:24 UTC 2000


Dean_Swan at Mitel.COM wrote:
> 
> From:  Dean Swan at MITEL on 04/11/2000 07:11 PM
> 
> This discussion has been very interesting, but I don't understand what you'd use
> this "sandbox" system for.  If I've followed the discussion correctly, what is
> being proposed is a mechanism to "wall-off" a group of objects from the rest of
> the image, supposedly for purposes of security?

Right.  The same mechanism could be used for other purposes as well, like
persistence, and as a SharedObjectSpace for using shared memory on an SMP
machine...

> What is the benefit of doing this when compared to simply launching an image with
> limited capabilities in another instance of the VM running under the host
> operating system?

The example given was the original BookMorph that Lex released.  Did you
open it?  Aren't you glad that it didn't have a script that said
#deleteAllFilesFromOS?

> Is this intended to support remote users of a server type application?  If so, I
> think Squeak has a real limitation in the way it implements multi-threading.
> Something would need to be done to keep a "client" method from hogging all of
> the CPU, which even an otherwise harmless method, operating in a "sterile"
> environment could still do.  This would amount to a "denial of service" attack.

There is a way to do this with a timer thread and a call to the OS sleep
API.   The timer would evidently juggle the priorities of the worker
threads.  Part of its job could be a usage check on the workers and do
its own denial-of-service to the little pest process.

> Other than supporting multi-user/server type applications, with user programming
> capability, I can't think of anything that this "buys you" for the amount of
> complexity it seems to require.

It effectively isolates a portion of ObjectMemory so that you can
control access to it and access out of it.  This could be used for a lot
of things, in combination with MethodWrappers of some kind:
- Security
- Audit
- Persistence
- Parallelism/SharedMemory
- RemoteObjects
- Monitors and other synchronizations
- Isolated Code Analysis
- Namespaces/Environments

> Why would this be better than a Linux or FreeBSD box with multiple user
> accounts, and using the security features of the host OS?  It just strikes me as
> a bit of an academic exercise to add all this capability to Squeak.  What am I
> missing?

It may very well be that I'm the one in left field.  ;-)  It seems to me
that security is only one application of this, and a common framework
for isolation and redirection of message sends can have many other
applications.

cheers,
Rob

> 
>                                    -Dean Swan
>                                    dean_swan at mitel.com

-- 
--------------------------------------------------
Smalltalking by choice.  Isn't it nice to have one!
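The membrane idea discussed in this message, an object boundary where every message send crossing it goes through a wrapper that checks a capability allow-list, keeps an audit trail, and enforces a usage budget (the timer's "own denial-of-service to the little pest process"), as an added example written in Python rather than Squeak. It is not code from this thread or from Squeak. The FileSystem and Document classes, the granted selectors, the three scripts and the send budget of 50 are constructed for illustration; in Python the wrapped target stays reachable through object.__getattribute__, so this shows the pattern, not a confinement you could rely on without language support.

```python
"""Membrane-style sandbox (added illustration, not Squeak code).

Objects handed to untrusted code are wrapped in proxies.  Each message
send through a proxy is checked against an allow-list, logged, charged
against a budget, and its result is wrapped too, so references that
escape through return values stay inside the membrane.
"""
from dataclasses import dataclass, field


class CapabilityViolation(Exception):
    """Message not granted to the sandboxed code."""


class BudgetExhausted(Exception):
    """Sandboxed code used up its allowance of sends (CPU-hog defence)."""


@dataclass
class Membrane:
    allowed: dict                      # {type: frozenset of permitted selectors}
    budget: int                        # remaining sends through the boundary
    audit: list = field(default_factory=list)
    _identity: dict = field(default_factory=dict)   # id(raw) -> proxy, one proxy per object

    def wrap(self, obj):
        # Plain values carry no authority and pass through unchanged.
        if obj is None or isinstance(obj, (bool, int, float, str, bytes)):
            return obj
        if isinstance(obj, (list, tuple)):
            return type(obj)(self.wrap(x) for x in obj)
        if isinstance(obj, Proxy):
            return obj
        if id(obj) not in self._identity:
            self._identity[id(obj)] = Proxy(self, obj)
        return self._identity[id(obj)]

    def send(self, target, selector, args, kwargs):
        kind = type(target).__name__
        if self.budget <= 0:
            self.audit.append(("budget", kind, selector))
            raise BudgetExhausted(selector)
        self.budget -= 1
        if selector not in self.allowed.get(type(target), frozenset()):
            self.audit.append(("denied", kind, selector))
            raise CapabilityViolation(f"{kind}>>{selector}")
        self.audit.append(("ok", kind, selector))
        # Only now touch the real object; the result is wrapped on the way out.
        return self.wrap(getattr(target, selector)(*args, **kwargs))


class Proxy:
    """Method wrapper: every attribute access becomes a checked message send."""
    __slots__ = ("_membrane", "_target")

    def __init__(self, membrane, target):
        object.__setattr__(self, "_membrane", membrane)
        object.__setattr__(self, "_target", target)

    def __getattr__(self, selector):
        membrane = object.__getattribute__(self, "_membrane")
        target = object.__getattribute__(self, "_target")
        return lambda *a, **kw: membrane.send(target, selector, a, kw)

    def __setattr__(self, name, value):
        raise CapabilityViolation(f"direct assignment to {name}")


# --- constructed sample objects standing in for the image outside the sandbox ---
class FileSystem:
    def __init__(self):
        self.files = {"notes.txt": "hello"}

    def read(self, path):
        return self.files[path]

    def delete_all(self):          # the "#deleteAllFilesFromOS" of the thread
        self.files.clear()


class Document:
    def __init__(self, title, fs):
        self._title, self._fs = title, fs

    def title(self):
        return self._title

    def store(self):               # leaks a FileSystem reference out of the document
        return self._fs


def make_membrane(budget=50):
    """Grants: read a Document's title and store; only read on the FileSystem."""
    return Membrane(allowed={Document: frozenset({"title", "store"}),
                             FileSystem: frozenset({"read"})},
                    budget=budget)


def run_untrusted(script, membrane, document):
    """Run `script` with a membrane-wrapped view of `document` only."""
    try:
        return ("ok", script(membrane.wrap(document)))
    except CapabilityViolation as e:
        return ("denied", str(e))
    except BudgetExhausted as e:
        return ("throttled", str(e))


def demo():
    fs = FileSystem()
    doc = Document("BookMorph", fs)

    def pest(d):                   # never terminates on its own
        while True:
            d.title()

    scripts = {
        "friendly": lambda d: d.store().read("notes.txt"),   # two hops, both granted
        "hostile": lambda d: d.store().delete_all(),         # same path, denied selector
        "pest": pest,                                        # stopped by the budget
    }
    out = {}
    for name, script in scripts.items():
        m = make_membrane()
        out[name] = (run_untrusted(script, m, doc), m.audit)
    return out, fs.files


if __name__ == "__main__":
    results, files = demo()
    for name, (outcome, audit) in results.items():
        print(name, outcome, "sends logged:", len(audit))
    print("files after all scripts:", files)
```

The point the membrane makes is the second hop: the hostile script reaches the FileSystem through a perfectly legitimate `store` send, but the reference it gets back is itself wrapped, so `delete_all` is refused before the real object is ever touched, and the audit list records exactly which send was denied. The budget is the cooperative form of the timer-thread usage check; a real watchdog would sample CPU time instead of counting sends, but the effect on the pest script is the same.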