[squeak-dev] immutability

Michael van der Gulik mikevdg at gmail.com
Thu Mar 18 02:03:07 UTC 2010


On Thu, Mar 18, 2010 at 2:23 PM, Chris Muller <asqueaker at gmail.com> wrote:
>> In SecureSqueak, direct invasive object access using basicAt:put:,
>> at:put: and so forth will be disallowed.
>
> I've always wondered what good this would do, blocking particular
> kinds of object-access APIs.  Couldn't an attacker easily just
> (mis)use whatever legal API to wreak havoc anyway?

No.

The goal of SecureSqueak is to provide an image that can run foreign
untrusted code in a way that doesn't affect the running of the rest of
the image, VM or operating system. I won't be providing attackers with
any APIs or objects that let them wreak havoc.

Java, for the most part, already does this. The only security feature
Java doesn't implement is the ability to control excessive memory or
CPU use.

Gulik.

-- 
http://gulik.pbwiki.com/