implementing sandboxes with capabilities
Lex Spoon
lex at cc.gatech.edu
Thu Apr 20 15:24:29 UTC 2000
E is where I got my ideas from. :) Something like "Hey, that should
work in Smalltalk, too. Why isn't anyone doing this?".
-Lex
"Jay Carlson" <nop at nop.com> wrote:
> > I haven't really followed this thread but you might find interesting a
> > language called Hermes, developed at the IBM Watson research institute.
>
> > It is a "process oriented" language which uses ports (as capabilities) for
> > communicating between processes.
>
> While we're doing references, I'll do something I should have done a few
> days ago: point to the E language ( http://www.erights.org/ ). In
> particular, the pipelining with promises that came up sure looks like this
> diagram: http://www.erights.org/elib/concurrency/pipeline.html .
>
> Front page summary of ELib below.
>
> Jay
> ---
>
> ELib provides the stuff that goes on between objects:
>
> o E's Capabilities are object references that can span machines and
> persist, while still being unforgeable.
>
> o E's Message Pipelining results in far fewer network round trips.
>
> o E's Vat is a simple to use, deadlock-free, scheduling mechanism.
>
> o E's Java API enables stock Java objects to participate.
>
> ELib is written in pure Java, and is currently being used commercially from
> Java. In this form, it simply makes the E object model available to Java
> programmers. However, the programmer then has to deal simultaneously with
> two object models. ELib provides for strict capability security between
> processes, but ELib by itself can do nothing to repair Java's security
> problems within a process. After all, how can we take away holes by adding a
> library? On the other hand, we can repair these problems by doing for Java
> what Java did for Windows -- build a linguistic layer of protective
> insulation.