asqueaker at gmail.com
Thu Mar 18 02:42:15 UTC 2010
Yes, I have always found your project interesting, even if I don't
understand it. For immutability I understand that blocking
basicAt:put:, instVarAt:put:, the Compiler, etc., might help for
secure immutability from attackers, but can you support object
serialization? Beyond that, what I was curious about is whether
SecureSqueak addresses how to prevent an attacker from using any
object as a confused deputy. Or from changing someone's name from
Peter to Paul, etc. Does SecureSqueak employ capabilities to address

On Wed, Mar 17, 2010 at 9:03 PM, Michael van der Gulik
<mikevdg at gmail.com> wrote:
> On Thu, Mar 18, 2010 at 2:23 PM, Chris Muller <asqueaker at gmail.com> wrote:
>>> In SecureSqueak, direct invasive object access using basicAt:put:,
>>> at:put: and so forth will be disallowed.
>> I've always wondered what good this would do, blocking particular
>> kinds of object-access APIs. Couldn't an attacker easily just
>> (mis)use whatever legal API to wreak havoc anyway?
> The goal of SecureSqueak is to provide an image that can run foreign
> untrusted code in a way that doesn't affect the running of the rest of
> the image, VM or operating system. I won't be providing attackers with
> any APIs or objects that let them wreak havoc.
> Java, for the most part, already does this. The only security feature
> Java doesn't implement is the ability to control excessive memory or
> CPU use.