Smalltalk in a Sandbox

Lex Spoon lex at cc.gatech.edu
Thu Dec 2 10:54:29 UTC 1999


Torsten.Bergmann at phaidros.com wrote:
> There was a discussion on the GSUG-Mailinglist
> (German Smalltalk User Group) about Smalltalk in a Sandbox.
> 
> Maybe you are interested in the following paper:
> 
> http://www.heeg.de/~georg/guendel.htm
> 

Everyone seems to think "security" and immediately think of access
control lists (ACLs).  I really wish someone would try a capabilities
approach.  Capabilities avoid:

	1. The need to check every single message send that crosses a
protection boundary, thus making it faster.

	2. The need to design ACLs that can stand up to any sequence of message
sends across the boundaries.  By limiting yourself to ACL systems, you
run into "Confused Deputy" problems, and severely limit what you can do.
Designing good ACLs really is hard--just consider Unix's /tmp and
/var/spool/tex/fonts (or wherever tex's font directory is).

Furthermore, capabilities can be implemented with no VM changes except
to help debugging: an object in Smalltalk is already a capability if
only you remove messages such as instVarAt: and class.  (And then you
need to implement these things somewhere else to allow debugging to
keep working.)

And as a counterexample, Python is a similar language to Smalltalk, and
it implements its Grail browser using capabilities.  To mediate between
an applet and the GUI, applets are given object references to restricted
versions of GUI widgets which only obey reasonable commands.  The
restricted versions internally have a reference to a real widget, but
this is invisible to the applet.  And just about all you have to do to
restrict the restricted widget is simply to only implement methods that
you don't want to make available.  People might look to this browser's
documentation if they want an example of how to work with capabilities
in an OO system.


So, if anyone wants to look at a layman's-level talk of capability
theory, here are some sites that I've found approachable:

	- http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
	- http://www.eros-os.org/essays/capintro.html
	- the "Miscellaneous notes" section of http://www.cis.upenn.edu/~KeyKOS/
	- http://www.erights.org, which talks about E and has various notes
about capabilities


I started setting up a capability-based Squeaklet system once, and got
part of the way there.  I got the capabilities implemented fine, but
there was some significant work left to get enough GUI elements
available that a Squeaklet wouldn't be useless.  If anyone wants to chat
about how this all worked, drop me a line.  I probably won't work on it
in the next *several* months due to lack of time and too many other cool
projects.


Lex
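A worked illustration of the restricted-widget pattern the message describes: an applet receives a facade that forwards only the "reasonable" operations to a hidden real widget, so the facade's method set is the whole of the applet's authority and no per-send permission check is needed. This is added example code, written in Python because Grail is the Python example cited above; it is not Grail's code, not the Squeaklet code the poster mentions, and the widget class, method names, the audit list and the dangerous `run_command` operation are all constructed for the example. It also shows the further step the message does not spell out, handing out an even weaker facade built from a facade, since capabilities compose without any central list. The caveat is exactly the message's point about `instVarAt:` and `class`: plain Python still lets code reach the hidden reference through introspection of closures and classes, so a real sandbox has to remove that introspection as well; the example assumes it has been.

```python
# Added example, not from the post and not Grail's code.  The widget class,
# method names, the audit list and run_command are constructed for illustration.


class RealWidget:
    """Full-authority widget.  An applet must never hold a direct reference."""

    def __init__(self, name):
        self.name = name
        self._text = ""
        self.audit = []  # constructed: records every operation that reaches the real widget

    def set_text(self, s):
        self._text = s
        self.audit.append(("set_text", s))

    def get_text(self):
        return self._text

    def run_command(self, cmd):
        """Stands in for host-level authority the widget has but applets must not get."""
        self.audit.append(("run_command", cmd))
        return "would run: " + cmd


def restricted_widget(real, max_len=1000):
    """Facade exposing only the reasonable subset of `real`.

    The reference to `real` lives only in this closure: the facade carries no
    instance variable holding it (the Python analogue of the post's point that
    an object is already a capability once instVarAt:-style introspection is
    gone; plain Python still exposes closures, so a sandbox must remove that).
    Authority is the set of methods defined here; nothing else exists on the
    object, so there is no per-send permission check to get wrong.
    """

    class Restricted:
        __slots__ = ()  # no __dict__: nothing for an applet to read or plant

        def set_text(self, s):
            # A forwarded method may validate as well as pass through.
            if not isinstance(s, str) or len(s) > max_len:
                raise ValueError("unreasonable text")
            real.set_text(s)

        def get_text(self):
            return real.get_text()

    return Restricted()


def read_only_view(widget):
    """Further attenuation: a facade of a facade that can only read.

    The holder of a restricted widget can hand a weaker one to another party
    without involving any central ACL; this is capability composition.
    """

    class ReadOnly:
        __slots__ = ()

        def get_text(self):
            return widget.get_text()

    return ReadOnly()


def exposed_methods(obj):
    """Public surface of a reference, i.e. the authority it actually conveys."""
    return sorted(
        n for n in dir(obj) if not n.startswith("_") and callable(getattr(obj, n))
    )


def applet_tries_escalation(widget):
    """Report which naive escalation attempts succeed against a facade (all should be False)."""
    results = {
        "run_command": hasattr(widget, "run_command"),  # dangerous method simply absent
        "__dict__": hasattr(widget, "__dict__"),  # no state bag to rummage in
    }
    try:
        widget.extra = object()  # try to smuggle state onto the facade
        results["attr_write"] = True
    except AttributeError:
        results["attr_write"] = False
    return results


if __name__ == "__main__":
    real = RealWidget("status-bar")
    cap = restricted_widget(real)
    cap.set_text("hello from applet")
    print(exposed_methods(cap))                  # ['get_text', 'set_text']
    print(exposed_methods(read_only_view(cap)))  # ['get_text']
    print(applet_tries_escalation(cap))
    print(real.audit)
```

The shape to notice is that `restricted_widget` never consults a policy at call time: whatever the applet can do is whatever the facade chose to define, and a facade handed on to a third party (`read_only_view`) carries strictly less. That is the "no check on every send" property the message contrasts with ACLs.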
