implementing sandboxes with capabilities

Dean_Swan at Mitel.COM
Tue Apr 11 23:11:38 UTC 2000
From:  Dean Swan at MITEL on 04/11/2000 07:11 PM

This discussion has been very interesting, but I don't understand what you'd use
this "sandbox" system for.  If I've followed the discussion correctly, what is
being proposed is a mechanism to "wall-off" a group of objects from the rest of
the image, supposedly for purposes of security?

What is the benefit of doing this when compared to simply launching an image with
limited capabilities in another instance of the VM running under the host
operating system?

Is this intended to support remote users of a server type application?  If so, I
think Squeak has a real limitation in the way it implements multi-threading.
Something would need to be done to keep a "client" method from hogging all of
the CPU, which even an otherwise harmless method, operating in a "sterile"
environment could still do.  This would amount to a "denial of service" attack.

Other than supporting multi-user/server type applications, with user programming
capability, I can't think of anything that this "buys you" for the amount of
complexity it seems to require.

Why would this be better than a Linux or FreeBSD box with multiple user
accounts, and using the security features of the host OS?  It just strikes me as
a bit of an academic exercise to add all this capability to Squeak.  What am I
missing?

                                   -Dean Swan
                                   dean_swan at mitel.com
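The post contrasts an in-image "sandbox" with running a separate VM process under the host OS, and points out that a cooperatively scheduled guest can still starve the CPU no matter how few objects it can reach. The following is an added example, not code from the thread or from Squeak, showing the host-OS side of that comparison: an untrusted workload is launched as a child process with POSIX resource limits, so a CPU-hogging loop is killed by the kernel rather than by anything in the parent. The interpreter is used as a stand-in for the guest VM, the two workload strings are constructed, and the limit values (1 CPU second, 512 MiB of address space) are arbitrary choices for illustration. It requires a POSIX system (Linux or BSD, as the post suggests).

```python
"""Bound an untrusted workload with host-OS resource limits.

Added example (not from the Squeak-dev thread): the kernel enforces a CPU-time
and address-space ceiling on a child process, which is the "limited
capabilities in another instance of the VM" alternative the post describes.
POSIX only: uses the resource module and preexec_fn.
"""
import resource
import signal
import subprocess
import sys

# Constructed stand-ins for a "client method" (assumed, not real Squeak code).
WELL_BEHAVED = "print(sum(range(10000)))"   # finishes quickly
CPU_HOG = "while True: pass"                # spins forever, as the post warns

CPU_SOFT_SECONDS = 1                         # assumed budget: SIGXCPU at 1 s of CPU
ADDRESS_SPACE_BYTES = 512 * 1024 * 1024      # assumed budget for RLIMIT_AS
WALL_TIMEOUT_SECONDS = 20.0                  # backstop in case the child blocks instead of spinning


def run_limited(code, cpu_seconds=CPU_SOFT_SECONDS,
                mem_bytes=ADDRESS_SPACE_BYTES,
                wall_timeout=WALL_TIMEOUT_SECONDS):
    """Run `code` in a child interpreter under kernel-enforced limits.

    Returns a dict describing how the child ended. `killed` is True when the
    kernel terminated it with a signal (SIGXCPU at the soft CPU limit, or
    SIGKILL at the hard limit); `stdout` carries whatever it printed.
    """

    def apply_limits():
        # Runs in the child between fork and exec, so the limits bind only
        # the untrusted process and not the parent. Hard limit is one second
        # above the soft limit: SIGXCPU first, SIGKILL if the child ignores it.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))

    try:
        proc = subprocess.run(
            [sys.executable, "-c", code],
            preexec_fn=apply_limits,
            capture_output=True,
            text=True,
            timeout=wall_timeout,
        )
    except subprocess.TimeoutExpired:
        # Wall-clock backstop: a child that sleeps rather than spins never hits
        # RLIMIT_CPU, so a supervisor still needs a timer of its own.
        return {"killed": True, "signal": "WALL_TIMEOUT", "returncode": None, "stdout": ""}

    killed = proc.returncode < 0
    sig_name = signal.Signals(-proc.returncode).name if killed else None
    return {
        "killed": killed,
        "signal": sig_name,
        "returncode": proc.returncode,
        "stdout": proc.stdout,
    }


if __name__ == "__main__":
    for label, snippet in (("well-behaved", WELL_BEHAVED), ("cpu hog", CPU_HOG)):
        result = run_limited(snippet)
        print(f"{label:12s} killed={result['killed']} signal={result['signal']} "
              f"stdout={result['stdout'].strip()!r}")
```

Note that `RLIMIT_CPU` counts CPU time, not wall time, so a guest that blocks on I/O is not stopped by it; the wall-clock timeout in the parent covers that case. Neither limit says anything about which objects the child may reach, which is the separate question the in-image sandbox proposal is about.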

More information about the Squeak-dev mailing list