I just want to mention that when I read Lex's "Object as Capabilities in Squeak" I was struck by the number of similarities between it and much of what is in the ANSI Smalltalk specification. Just as one example, in ANSI Smalltalk a reference to OrderedCollection doesn't necessarily bind to a "class object". It is simply a "named object" (a constant global binding) to an object that is required to conform to the protocol <OrderedCollection factory> and this protocol only includes a few instantiation messages.
In developing the ANSI Smalltalk specification we were trying to define the core user language and protocols that is most commonly used in application programs, rather than in tools or the reflective implementation of a Smalltalk environment. To do so, we needed to strip away all the meta-level and implement artifact messages that clutter all conventional Smalltalk implementation. This sounds very similar to what you need to do to define a secure dialect of Smalltalk.
If you haven't read the ANSI spec. for awhile (or ever) you might find that this perspective offers some clues to the perennial question "what were your guys smoking when you wrote that spec?".
If you don't have a copy of the ANSI Smalltalk Standard a near final draft is still available at:
ftp://ftp.smalltalksystems.com/sts-pub/x3j20/standard_v1_9.doc or ftp://ftp.smalltalksystems.com/sts-pub/x3j20/standard_v1_9.rtf
Allen_Wirfs-Brock@instantiations.com
Hi Allen,
This is very interesting news. I don't know how important eventual sending is in providing a system supporting capabilities. There is a really rough implementation I did, on the swiki ( http://minnow.cc.gatech.edu/squeak/2410 ), but it is broken in several places (self sending through an inspector on an eventual reference). In looking at the ANSI spec, there was a discussion of the computational model and it is a immediate call/return model of execution, which I have pasted below. Additionally, the protocol specifications define a return value, which may not support a promise model of execution.
What are your thoughts about changing the computational model of squeak in this way?
I suppose the broader question is do we need to do this to support capabilities?
cheers, rob
"from the ANSI speciffication"
A message send causes execution of the currently active method to be temporarily suspended and for program execution to continue starting with the first expression of another method. A message send directs a message to an object. The object is called the receiver of the message. A message consists of a method selector and a set of arguments. Each argument is a reference to an object. When an object receives a message, the method selector of the message is used to select the method from the object's behavior that corresponds to the selector. The method becomes the new locus of execution. Special processing takes place if the receiver's behavior does not include a method corresponding to the message's method selector.
A return terminates execution of a method and causes execution to resume within the method that executed the message send that activated the method containing the return. Execution continues immediately following the message send expression. The return provides a value (an object reference) that becomes the value of the message send.
On Friday, January 31, 2003, at 07:59 PM, Allen Wirfs-Brock wrote:
I just want to mention that when I read Lex's "Object as Capabilities in Squeak" I was struck by the number of similarities between it and much of what is in the ANSI Smalltalk specification. Just as one example, in ANSI Smalltalk a reference to OrderedCollection doesn't necessarily bind to a "class object". It is simply a "named object" (a constant global binding) to an object that is required to conform to the protocol <OrderedCollection factory> and this protocol only includes a few instantiation messages.
In developing the ANSI Smalltalk specification we were trying to define the core user language and protocols that is most commonly used in application programs, rather than in tools or the reflective implementation of a Smalltalk environment. To do so, we needed to strip away all the meta-level and implement artifact messages that clutter all conventional Smalltalk implementation. This sounds very similar to what you need to do to define a secure dialect of > Smalltalk.
If you haven't read the ANSI spec. for awhile (or ever) you might find that this perspective offers some clues to the perennial question "what were your guys smoking when you wrote that spec?".
If you don't have a copy of the ANSI Smalltalk Standard a near final draft is still available at:
ftp://ftp.smalltalksystems.com/sts-pub/x3j20/standard_v1_9.doc or ftp://ftp.smalltalksystems.com/sts-pub/x3j20/standard_v1_9.rtf
Allen_Wirfs-Brock@instantiations.com
Squeak-e mailing list Squeak-e@lists.squeakfoundation.org http://lists.squeakfoundation.org/listinfo/squeak-e
I have a question about this. Part of the philosophy which motivated the creation of Squeak (as I understand it) is to be an "open" system. That is users/researchers can get at any part of the system. So my question is, would you want to violate this philosophy by changing Squeak to "control" access to parts of the system?
Or would capabilities be something that you implement between "images", that is, different instantiations of the image run-time?
Are capabilities something that becomes important for inter-host communication over a network? Or for intra-host (on the same host) user process cooperation?
I'm not sure what these questions mean in terms of "normal" Smalltalk operation and security measures. Has anyone on this list dealt with Smalltalk security issues before, without relying upon host operating system services?
Shane
On 1 Feb 2003 at 17:02, Robert Withers wrote:
Hi Allen,
This is very interesting news. I don't know how important eventual sending is in providing a system supporting capabilities. There is a really rough implementation I did, on the swiki ( http://minnow.cc.gatech.edu/squeak/2410 ), but it is broken in several places (self sending through an inspector on an eventual reference). In looking at the ANSI spec, there was a discussion of the computational model and it is a immediate call/return model of execution, which I have pasted below. Additionally, the protocol specifications define a return value, which may not support a promise model of execution.
What are your thoughts about changing the computational model of squeak in this way?
I suppose the broader question is do we need to do this to support capabilities?
cheers,
rob
"from the ANSI speciffication"
<fontfamily><param>Arial</param><smaller>A <italic>message send</italic> causes execution of the currently active method to be temporarily suspended and for program execution to continue starting with the first expression of another method. A message send directs a message to an object. The object is called the <italic>receiver</italic> of the message. A <italic>message </italic>consists of a method selector and a set of arguments. Each argument is a reference to an object. When an object receives a message, the method selector of the message is used to select the method from the object's behavior that corresponds to the selector. The method becomes the new locus of execution. Special processing takes place if the receiver's behavior does not include a method corresponding to the message's method selector.
A <italic>return</italic> terminates execution of a method and causes execution to resume within the method that executed the message send that activated the method containing the return. Execution continues immediately following the message send expression. The return provides a value (an object reference) that becomes the value of the message send.
</smaller></fontfamily>
On Friday, January 31, 2003, at 07:59 PM, Allen Wirfs-Brock wrote:
<excerpt>I just want to mention that when I read Lex's "Object as Capabilities in Squeak" I was struck by the number of similarities between it and much of what is in the ANSI Smalltalk specification. Just as one example, in ANSI Smalltalk a reference to OrderedCollection doesn't necessarily bind to a "class object". It is simply a "named object" (a constant global binding) to an object that is required to conform to the protocol <<OrderedCollection factory> and this protocol only includes a few instantiation messages.
In developing the ANSI Smalltalk specification we were trying to define the core user language and protocols that is most commonly used in application programs, rather than in tools or the reflective implementation of a Smalltalk environment. To do so, we needed to strip away all the meta-level and implement artifact messages that clutter all conventional Smalltalk implementation. This sounds very similar to what you need to do to define a secure dialect of Smalltalk.
If you haven't read the ANSI spec. for awhile (or ever) you might find that this perspective offers some clues to the perennial question "what were your guys smoking when you wrote that spec?".
If you don't have a copy of the ANSI Smalltalk Standard a near final draft is still available at:
ftp://ftp.smalltalksystems.com/sts-pub/x3j20/standard_v1_9.doc
or
ftp://ftp.smalltalksystems.com/sts-pub/x3j20/standard_v1_9.rtf
Allen_Wirfs-Brock@instantiations.com
Squeak-e mailing list
Squeak-e@lists.squeakfoundation.org
http://lists.squeakfoundation.org/listinfo/squeak-e
</excerpt>
On Saturday, February 1, 2003, at 05:52 PM, shane@shaneroberts.com wrote:
I have a question about this. Part of the philosophy which motivated the creation of Squeak (as I understand it) is to be an "open" system. That is users/researchers can get at any part of the system. So my question is, would you want to violate this philosophy by changing Squeak to "control" access to parts of the system?
Sure I would. In development mode, I would allow access to the entire system, or rather I would allow the user (console, so to speak) to get at the system, but no third-party code should be allowed in while you are doing this. Once you put it into lock-down mode, it should not allow you access to parts you don't know about. Thus third parties could safely run code on your machine. You could still kill foreign code, I suppose. These seem to be in the area of UI interfacing of the security to the user, and I haven't really thought about that too much.
But it still needs to be alive in the sense of: http://minnow.cc.gatech.edu/squeak/2950 . That's what will make it Smalltalk.
Or would capabilities be something that you implement between "images", that is, different instantiations of the image run-time?
inter- and intra- image I believe we are considering.
Are capabilities something that becomes important for inter-host communication over a network? Or for intra-host (on the same host) user process cooperation?
yes.
I'm not sure what these questions mean in terms of "normal" Smalltalk operation and security measures. Has anyone on this list dealt with Smalltalk security issues before, without relying upon host operating system services?
this is a big reason that I presume we felt it was pertinent to form another list. the host OS is only there to give us a launching point and allow squeak access to display, sockets, files, sound, time, and that kind of thing.
Rob
ps. Cees: we need the reply-to fix.. my 'C' and 'V' are wearing down to nubs - that's not my CV, of course. :)
On Saturday, February 1, 2003, at 06:38 PM, Robert Withers wrote:
I'm not sure what these questions mean in terms of "normal" Smalltalk operation and security measures. Has anyone on this list dealt with Smalltalk security issues before, without relying upon host operating system services?
this is a big reason that I presume we felt it was pertinent to form another list. the host OS is only there to give us a launching point and allow squeak access to display, sockets, files, sound, time, and that kind of thing.
I didn't answer your question, did I?
I meant to say that we are considering changes to the Squeak language, although we may be able to keep it ANSI compliant, surprisingly. _this_ is why I think we thought we should form another list, plus we were being very noisy.
I think it possible that some squeakers have written security to the host, but it would be for a specific host and that breaks the cross-platform nature of squeak. There is a fair bit of security features already in squeak, including message signing and other bits. There is a security plugin which can sandbox the image (no file access, etc..). I think we are looking at finer grain techniques for securing live objects.
sorry about that, rob
At 02:02 PM 2/1/2003 Saturday, Robert Withers wrote:
I don't know how important eventual sending is in providing a system supporting capabilities. [...] I suppose the broader question is do we need to do this to support capabilities?
There's no direct coupling between these two, but there's some indirect coupling explained below. The Ode http://erights.org/elib/capability/ode/index.html explains E's security model well, but uses only the sequential subset of E to do so. Of course, a purely sequential model of computation is as vulnerable as can be to denial of service -- a single infinite loop blocks the universe. The inset bug description on http://erights.org/elib/capability/ode/ode-bearer.html is a subtler form of this same issue. But a purely sequential call-return Squeak-E language with capabilities, no event loops, no eventual sends, no promises, and no communication would still be a valid capability system, since capability systems don't generally claim resistance to denial of service. (KeyKOS and EROS are notable exceptions.)
The real issue is how to add concurrency to sequential capability computation, in order to get concurrent and/or distributed capability computation. (Since we're starting with Squeak, we should ignore purely concurrent capability systems, like Actors, FCP, and Joule.)
I know that E's model of concurrency does work well with capabilities, and can be added to sequential Squeak as Rob has been doing.
The very different KeyKOS/EROS model also works well with capabilities, but cannot be added to sequential Squeak without a rather violent refactoring of lots of code. (In the KeyKOS/EROS model, recursive entry must cause a deadlock, even when it's recursive sequential entry. In their context, this is indeed the right design choice for reasons I won't go into.
Java's concurrency is incompatible with capability security. As one example, <rant> two objects sharing the same immutable string should not thereby be able to communicate with each other. After all, the string says its immutable. However, this string has an implicit lock and can be synchronized on. Further, two separately loaded classes that have never been given access to any common objects can still obtain shared access to such a string for communications, since Java literal strings are interned at class-loading time. The collaborators need only name the same literal string in their source code. By naming three strings, they can use a simple bus protocol to communicate arbitrary bit sequences reliably. </rant>
But the above Java problem is just stupid. One can do a Java-like concurrency model without any problems that egregious. As I recall, PPS2.5 had a similar model, but less preemptive. (Where is Squeak's model documented?) Let's call this class of models "Threads & Locks", where the same object may be accessed by different threads (shared memory multi-threading) leading to monitors or semaphores or some kind of fine-grained locking to try to keep these threads from stepping on each others toes. Security aside, I think this model has been an unmitigated disaster for correctness and reliability http://erights.org/elib/concurrency/event-loop.html .
I know that David Reed has proposed an interesting concurrency and distributed computing model for Croquet. I'd love to see a description of it. I don't yet know enough to comment.
A language for writing secure programs must first of all be a language for writing reliable programs. E's event-loop concurrency preserves most of the reliability of sequential programs. I recommend reading http://www.combex.com/papers/darpa-review/security-review.html#non-security , the section "Non-security Elements that Simplified Review" in the Darpa Security Review of E and the DarpaBrowser (written in E), where David Wagner and Dean Tribble write:
As a result, objects in E never deal with synchronization. Consequently, all potential time-of-check-to- time-of-use (TOCTTOU) vulnerabilities could be evaluated within a single flow of control, and thus took little time to check for. By contrast, in systems in which multiple threads interact within objects, such determinations can be extremely difficult or infeasible to determine.
Since proving substantial programs either correct or secure (for complex security goals) is not yet feasible, and probably won't be any time soon, such reductions in efforts for manual inspection and review processes are quite important. I also believe they are a good predictor of the programmer's ability to write it correctly with higher confidence and lower effort in the first place.
Finally, Smalltalk isn't just a system. It stand for a philosophy named "object-oriented programming". From my sense of what this philosophy is, capabilities could be termed "object-oriented security". (This coinage by Dean Tribble.) The virtues of capabilities are an extension of the virtues of oo. Likewise, I believe E's event-loop concurrency control model is the extension of the oo philosophy into the concurrency realm, which we try to make clear especially at http://erights.org/elib/concurrency/event-loop.html and http://erights.org/elib/concurrency/turns.html . In these three cases -- objects, security, concurrency -- the issues can be seen in the terms the economist F.A. Hayek explained: How do plans come to be coordinated with each other (message passing) without disrupting each other (encapsulation)? For an object-oriented view of Hayekian economics, see http://www.erights.org/talks/categories/index.html .
So I hope we make Squeak-E a system that not only works, but one that's also a purer expression of the philosophy that Smalltalk has always stood for.
---------------------------------------- Text by me above is hereby placed in the public domain
Cheers, --MarkM
On Saturday, February 1, 2003, at 07:56 PM, Mark S. Miller wrote:
I know that E's model of concurrency does work well with capabilities, and can be added to sequential Squeak as Rob has been doing.
Mark,
I started down the path toward E due to an interest in building a concurrency model in squeak. I was initially looking at ConcurrentSmalltalk and had coded a Secretary class for that purpose. In ConcurrentSmalltalk, they introduce a mechanism in the control flow, like many other concurrent languages I believe, where the receiver explicitly receives the message sent, and the sender would explicitly receive the return value. This suddenly started looking like the use of concurrency would cause all kinds of explicit handshaking to propagate into the image proper.
There were many aspects of your concurrency model that attracted me, but I suppose the biggest was the promise. The promise in E is more than a promise of a value to be returned, it was the promise of an object being returned. With this slightest of shifts, you had decided that a program could send messages to the promise. The contract of the promise is 1) it will resolve to an object, which may be broken and 2) all messages sent to the promise will be forwarded to the resolved object.
After reading more about the concurrency model and the distribution model, it became clear that this model goes further. When messages are sent to a promise for a previous message send, that happened to be to a receiver that was remote, then those subsequent message sends would be sent to the remote location of the original receiver. If the resolved object for the promise is co-located with the original receiver, then you could immediately send the subsequent messages to that object in the remote image. If the resolved object for the promise is located in yet a second remote image, then the messages would be sent from the first remote image, directly to the new receiver's image. This is quite remarkable.
To make all of this work in partially-order fashion - I think that was the reason - you introduced the event-loop concurrency model. This is very similar to an UI thread event loop, so it makes a lot of sense in squeak. This sealed my fate and here we are. :)
As I recall, PPS2.5 had a similar model, but less preemptive. (Where is Squeak's model documented?)
I searched and searched and couldn't find any write up on this. Here is a handful of links: http://minnow.cc.gatech.edu/squeak/1602 , http://www.iam.unibe.ch/~ducasse/WebPages/FreeBooks.html . Of course the source code is there, but it doesn't really have any comments. I think the right way to describe it is preemptive multitasking, where a higher priority process may preempt a lower priority process. It has Semaphores for coordination. I worked on a LindaTalk implementation, for awhile.
I know that David Reed has proposed an interesting concurrency and distributed computing model for Croquet. I'd love to see a description of it. I don't yet know enough to comment.
I would also very much like to hear about his work. Is there someone who could invite him to join us, perhaps?
Finally, Smalltalk isn't just a system. It stand for a philosophy named "object-oriented programming".
Actually, Alan Kay is attributed with saying something along the lines of wishing he had termed it message-oriented programming, since the focus should be on the communication rather than the things. The power is in the interactions themselves, rather than in the agents interacting.
From my sense of what this philosophy is, capabilities could be termed "object-oriented security". (This coinage by Dean Tribble.) The virtues of capabilities are an extension of the virtues of oo. Likewise, I believe E's event-loop concurrency control model is the extension of the oo philosophy into the concurrency realm, which we try to make clear especially at http://erights.org/elib/concurrency/event-loop.html and http://erights.org/elib/concurrency/turns.html . In these three cases -- objects, security, concurrency -- the issues can be seen in the terms the economist F.A. Hayek explained: How do plans come to be coordinated with each other (message passing) without disrupting each other (encapsulation)? For an object-oriented view of Hayekian economics, see http://www.erights.org/talks/categories/index.html .
This is a great paper. It is difficult to read and there is a lot of new terminology to digest, but the thesis is unique and powerful. The economics of development, or rather the development of economics. Well, we have a another store front, here. :)
So I hope we make Squeak-E a system that not only works, but one that's also a purer expression of the philosophy that Smalltalk has always stood for.
I sure we will spend a good part of our time ensuring that this is indeed the case. :)
cheers, rob
At 04:59 PM 1/31/2003 Friday, Allen Wirfs-Brock wrote:
I just want to mention that when I read Lex's "Object as Capabilities in Squeak" I was struck by the number of similarities between it and much of what is in the ANSI Smalltalk specification. [...] To do so, we needed to strip away all the meta-level and implement artifact messages that clutter all conventional Smalltalk implementation. This sounds very similar to what you need to do to define a secure dialect of Smalltalk.
So what's the relationship between ANSI Smalltalk and Squeak?
Does Squeak conform to the ANSI spec?
Is Squeak a superset of ANSI Smalltalk?
Are the above two questions equivalent?
If the answers are approximately yes, would it be a useful exercise on the way to Squeak-E to identify what subset of ANSI Smalltalk we are confident obeys capability discipline and should be included in Squeak-E? Let's say we call this subset SafeSmalltalk. SafeSmalltalk would not necessarily be expected to be a workable language, in that critical stuff may have been left out and SafeSmalltalk doesn't say what it's replaced with.
We could then define the first <adjective>-Squeak-E (eg Core-Squeak-E) as SafeSmalltalk + those additions we are confident maintain capability discipline, and are needed to get back to a language approximately as functional as ANSI Smalltalk. Such an effort would postpone the implementation questions of how Squeak-E and Squeak coexist in the same image.
Does this sound like a useful exercise to anyone?
Btw, I am quite aware that I'm coming in from outside y'all's community and culture. I greatly appreciate the open arms with which I've been welcomed, but I do remember that y'all's way of doing things may be different than what I expect. So if this is just off track as a way to proceed, please let me know. Thanks.
---------------------------------------- Text by me above is hereby placed in the public domain
Cheers, --MarkM
squeak-e@lists.squeakfoundation.org