[squeak-dev] immutability

Chris Muller asqueaker at gmail.com
Thu Mar 18 02:42:15 UTC 2010


Yes, I have always found your project interesting, even if I don't
understand it.  For immutability I understand that blocking
basicAt:put:, instVarAt:put:, the Compiler, etc., might help for
secure immutability from attackers, but can you support object
serialization?  Beyond that, what I was curious about is whether
SecureSqueak addresses how to prevent an attacker from using any
object as a confused deputy.  Or from changing someone's name from
Peter to Paul, etc.  Does SecureSqueak employ capabilities to address
these issues?

On Wed, Mar 17, 2010 at 9:03 PM, Michael van der Gulik
<mikevdg at gmail.com> wrote:
> On Thu, Mar 18, 2010 at 2:23 PM, Chris Muller <asqueaker at gmail.com> wrote:
>>> In SecureSqueak, direct invasive object access using basicAt:put:,
>>> at:put: and so forth will be disallowed.
>>
>> I've always wondered what good this would do, blocking particular
>> kinds of object-access APIs.  Couldn't an attacker easily just
>> (mis)use whatever legal API to wreak havoc anyway?
>
> No.
>
> The goal of SecureSqueak is to provide an image that can run foreign
> untrusted code in a way that doesn't affect the running of the rest of
> the image, VM or operating system. I won't be providing attackers with
> any APIs or objects that let them wreak havoc.
>
> Java, for the most part, already does this. The only security feature
> Java doesn't implement is the ability to control excessive memory or
> CPU use.
>
> Gulik.
>
> --
> http://gulik.pbwiki.com/
>
>


