implementing sandboxes with capabilities

Lex Spoon lex at cc.gatech.edu
Thu Apr 20 15:24:29 UTC 2000


E is where I got my ideas from.  :)  Something like "Hey, that should
work in Smalltalk, too.  Why isn't anyone doing this?".

-Lex


"Jay Carlson" <nop at nop.com> wrote:
> > I haven't really followed this thread but you might find interesting a
> > language called Hermes, developed at the IBM Watson research institute.
> >
> > It is a "process oriented" language which uses ports (as capabilities) to
> > communicate between processes.
> 
> While we're doing references, I'll do something I should have done a few
> days ago: point to the E language ( http://www.erights.org/ ).  In
> particular, the pipelining with promises that came up sure looks like this
> diagram: http://www.erights.org/elib/concurrency/pipeline.html .
> 
> Front page summary of ELib below.
> 
> Jay
> ---
> 
> ELib provides the stuff that goes on between objects:
> 
>   o  E's Capabilities are object references that can span machines and
> persist, while still being unforgeable.
> 
>   o  E's Message Pipelining results in far fewer network round trips.
> 
>   o  E's Vat is a simple to use, deadlock-free, scheduling mechanism.
> 
>   o  E's Java API enables stock Java objects to participate.
> 
> ELib is written in pure Java, and is currently being used commercially from
> Java. In this form, it simply makes the E object model available to Java
> programmers. However, the programmer then has to deal simultaneously with
> two object models. ELib provides for strict capability security between
> processes, but ELib by itself can do nothing to repair Java's security
> problems within a process. After all, how can we take away holes by adding a
> library? On the other hand, we can repair these problems by doing for Java
> what Java did for Windows -- build a linguistic layer of protective
> insulation.




