andreas.raab at gmx.de
Thu Oct 19 16:56:14 UTC 2006
Matej Kosik wrote:
> However, if I passed a reference to the `point' object to you (to your
> code), would I be able to stop you (your code) from doing
>     point class compile: 'x ^ whatever'
> ? If not, then this is not the solution to the original problem. It
> would be necessary to ban the "compile:" class method. And since
> Smalltalk has many crooked lanes, we could again miss some other
Of course you could prevent that, but the art is in restructuring the
class libraries to serve this goal. The trivial solution is to override
access to the method dictionary by, e.g.,
    ConstantPoint class>>addSelector: selector withMethod: method
        self error: 'Poop'.
or some such. That's not enough by far, but it shows the general direction
(Lex has a lot of that in his whitepaper).
> Does `point' have a class? Yes. Its name is
>     point class
> In my case `Object1'. What would prevent anyone from doing this
>     (Smalltalk at: #Object1) compile: 'x ^ 10'
> this should again be banned.
This is why I used #newUniclass. In Tweak, this creates an anonymous
subclass which is marked by an asterisk in front, so
    Point newUniclass name -> #'*Point'
and it's not in the global system dictionary either. Of course there are
currently many other ways of getting your hands at it, like enumerating
the subclasses of Point, or just all objects in memory. All of these
need to be tamed.
> It must be enforced that something like
> that is impossible. I am afraid that the number of possible
> vulnerabilities is overwhelming. Although this is related to the
> "libraries" rather than to the language, the question is whether the
> "libraries" can be "tamed" or whether the whole thing should be thrown
> away and everything restarted with security in mind from the beginning.
> In E they've done it. I believe. The tendency to keep current languages
> and "adding security" is caused by the fact that we love Smalltalk
> (Python, Ruby, Java, Erlang, ...) and do not want to turn back to it. I
> am not proposing everyone to switch to E, I am not part of the E project,
> I am only amazed, the question is, if we are really concerned with
> security, whether such switch (directly or indirectly) would not be
> necessary. Adding convenience/nice gui/great gui tools to E could be
> possible whereas adding security to Smalltalk/Java/Python/Ruby/Erlang
> may turn out to be
> - either impossible
> - or we will end up with essentially some almost E-quivalent (and thus
> contributing to world fragmentation)
The easier thing to do is to introduce an arbitrary layer on top of our
current system and use that as a baseline for programming. As you
progress, you move more and more from the layers below (which
effectively form your TCB) to the layers on top.
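To make the "override access to the method dictionary" idea above concrete, here is an added example (not code from the original message, and not Tweak's or Squeak's own sealing code): a ConstantPoint class whose class side refuses the common write paths into its method dictionary. It assumes the classic Squeak class-definition message and the Behavior hooks addSelector:withMethod:, removeSelector: and methodDictionary:; which of these compile: actually goes through differs between images, so the caveat in the message still holds and the list is a starting point, not a complete seal.

```smalltalk
"Added example, not from the original message. Assumes classic Squeak
 class-definition syntax and Behavior hooks; check the hook names against
 your image before relying on them."

Object subclass: #ConstantPoint
    instanceVariableNames: 'x y'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'Sealed-Example'.

"--- instance side: define these BEFORE sealing, since sealing blocks
 further method installation on ConstantPoint ---"

ConstantPoint >> setX: anX y: aY
    x := anX.
    y := aY

ConstantPoint >> x
    ^ x

ConstantPoint >> y
    ^ y

"--- class side: constructor plus the refusals ---"

ConstantPoint class >> x: anX y: aY
    ^ self basicNew setX: anX y: aY

ConstantPoint class >> addSelector: selector withMethod: aCompiledMethod
    "Refuse to install any method. In images where compile: ends in
     addSelector:withMethod:, this also stops `ConstantPoint compile: ...'."
    ^ self error: 'ConstantPoint is sealed; cannot install #', selector

ConstantPoint class >> removeSelector: selector
    "Removing a selector (e.g. to expose an inherited one) is a write too."
    ^ self error: 'ConstantPoint is sealed; cannot remove #', selector

ConstantPoint class >> methodDictionary: aMethodDictionary
    "Assumed hook name: swapping in a whole new dictionary is another path."
    ^ self error: 'ConstantPoint is sealed; cannot replace its method dictionary'

"Usage: patching an accessor now fails at installation time,
 while ordinary use of the class is unaffected."
ConstantPoint compile: 'x ^ 42'.      "-> error: ConstantPoint is sealed; cannot install #x"
(ConstantPoint x: 1 y: 2) x.          "-> 1"
```

The order matters: the instance methods must be installed before the class-side refusals, because the refusals apply to ConstantPoint itself (methods on `ConstantPoint class` are installed via Metaclass and are not affected). As the message says, this is far from enough: the class object can still be reached by enumerating Point's subclasses or all instances, and reflective paths such as instVarAt:put: on the class, or compile: variants that bypass addSelector:withMethod:, remain open until the layers underneath are tamed as well.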