implementing sandboxes with capabilities
Robert Withers
withers at vnet.net
Wed Apr 12 00:22:24 UTC 2000
Dean_Swan at Mitel.COM wrote:
>
> From: Dean Swan at MITEL on 04/11/2000 07:11 PM
>
> This discussion has been very interesting, but I don't understand what you'd use
> this "sandbox" system for. If I've followed the discussion correctly, what is
> being proposed is a mechanism to "wall-off" a group of objects from the rest of
> the image, supposedly for purposes of security?
Right. The same mechanism could be used for other purposes as well, like
persistence and as a SharedObjectSpace for using shared memory in an SMP
machine...
> What is the benefit of doing this when compared to simply launching an image with
> limited capabilities in another instance of the VM running under the host
> operating system?
The example given was the original BookMorph that Lex released. Did you
open it? Aren't you glad that it didn't have a script that said
#deleteAllFilesFromOS?
> Is this intended to support remote users of a server type application? If so, I
> think Squeak has a real limitation in the way it implements multi-threading.
> Something would need to be done to keep a "client" method from hogging all of
> the CPU, which even an otherwise harmless method, operating in a "sterile"
> environment, could still do. This would amount to a "denial of service" attack.
There is a way to do this with a timer thread and a call to the OS sleep
API. The timer would evidently juggle the priorities of the worker
threads. Part of its job could be a usage check on the workers and do
its own denial-of-service to the little pest process.
> Other than supporting multi-user/server type applications, with user programming
> capability, I can't think of anything that this "buys you" for the amount of
> complexity it seems to require.
It effectively isolates a portion of ObjectMemory so that you can
control access to it and access out of it. This could be used for a lot
of things, in combination with MethodWrappers of some kind:
- Security
- Audit
- Persistence
- Parallelism/SharedMemory
- RemoteObjects
- Monitors and other synchronizations
- Isolated Code Analysis
- Namespaces/Environments
> Why would this be better than a Linux or FreeBSD box with multiple user
> accounts, and using the security features of the host OS? It just strikes me as
> a bit of an academic exercise to add all this capability to Squeak. What am I
> missing?
It may very well be that I'm the one in left field. ;-) It seems to me
that security is only one application of this, and a common framework
for isolation and redirection of message sends can have many other
applications.
cheers,
Rob
>
> -Dean Swan
> dean_swan at mitel.com
--
--------------------------------------------------
Smalltalking by choice. Isn't it nice to have one!
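The timer-thread watchdog Rob sketches above, as an added example in Squeak Smalltalk that is not code from the original thread: a process running above the workers wakes on a Delay, counts how often each sandboxed worker is found runnable, demotes a worker that exceeds its quota to background priority and terminates it if it keeps hogging. The class name WorkerWatchdog and its selectors are assumptions, as is the runnable check, which relies on a ready Squeak Process having a plain LinkedList run queue as its suspendingList (a Semaphore, which Delay uses, is a LinkedList subclass, so the class is compared exactly).

```smalltalk
Object subclass: #WorkerWatchdog
    instanceVariableNames: 'workers busyTicks quota interval timer'
    classVariableNames: ''
    category: 'Sandbox-Example'

WorkerWatchdog >> quota: ticks interval: ms
    quota := ticks.              "busy samples a worker may accrue in a row"
    interval := ms.              "sampling period in milliseconds"
    workers := OrderedCollection new.
    busyTicks := IdentityDictionary new

WorkerWatchdog >> spawn: aBlock
    "Run untrusted work at ordinary user priority, below the watchdog."
    | p |
    p := aBlock forkAt: Processor userSchedulingPriority.
    workers add: p.
    busyTicks at: p put: 0.
    ^ p

WorkerWatchdog >> isBusy: aProcess
    "Assumption: a ready or running process sits on a scheduler run queue,
     a plain LinkedList; one blocked on a Semaphore or Delay does not."
    ^ aProcess isTerminated not
        and: [aProcess suspendingList class == LinkedList]

WorkerWatchdog >> sample
    workers copy do: [:p |
        (self isBusy: p)
            ifTrue: [busyTicks at: p put: (busyTicks at: p) + 1]
            ifFalse: [busyTicks at: p put: 0].   "a quiet worker starts over"
        (busyTicks at: p) > quota ifTrue: [self punish: p].
        p isTerminated ifTrue: [workers remove: p. busyTicks removeKey: p]]

WorkerWatchdog >> punish: aProcess
    "First offence: demote to background priority. Repeat offender: terminate."
    aProcess priority > Processor userBackgroundPriority
        ifTrue: [aProcess priority: Processor userBackgroundPriority.
                 busyTicks at: aProcess put: 0]
        ifFalse: [aProcess terminate]

WorkerWatchdog >> start
    "The timer runs above the workers so it always gets scheduled to sample them."
    timer := [[true] whileTrue: [
        (Delay forMilliseconds: interval) wait.
        self sample]] forkAt: Processor userInterruptPriority

WorkerWatchdog >> stop
    timer ifNotNil: [timer terminate. timer := nil]
```

In a workspace, `(WorkerWatchdog new quota: 20 interval: 50) start` followed by `spawn: [[true] whileTrue: []]` on that instance shows the spinning worker demoted after about a second and terminated a second later, while a worker that waits on a Delay between steps keeps its priority.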