Puzzle: Adding domain-based security to Squeak.
Michael van der Gulik
squeakml at gulik.co.nz
Sat Aug 5 09:19:52 UTC 2006
Hi all.
Here's a generic problem for people that like puzzles that I can't seem
to work out: I want to add "Domains" to Squeak, so that system resources
can be managed.
Here's how it would work, in theory:
* A domain would typically be a group of objects related to a particular
application.
* Every object belongs to a domain.
And then:
- A domain's memory usage can be capped. Object>>new would be
implemented so that it would wait for free memory or throw an Exception
if the memory cap has been breached.
- A domain can only start up a limited number of Processes. This would
control fork bombs etc. Process>>new or some other entry point would
check for this and wait or throw an Exception if the process limit has
been breached.
- Ditto for other system resources, such as disk usage, network
bandwidth, access to devices etc.
- I'm implementing a distributed system, so remote objects that come in
will already belong to a particular domain. A local DomainManager or
some other mechanism would determine if objects from that domain are
allowed to use local system resources, and at which priorities.
For example, I could have two domains: "AlicesEmail" and "BobsEmail".
AlicesEmail is capped at 10Mb of memory and 6 processes. BobsEmail is
capped at 20Mb of memory and 15 processes. Assuming that the Squeak
image is a remote mail server, neither Alice nor Bob can now make the
image explode by doing funny things with their email. Both domains use
the same classes.
Now, here's the problem:
How would I implement Object>>new and Process>>new (or other equally
good locations) so that the domain for that object is found and a
DomainManager queried about that domain's privileges?
The possibilities that I've thought of so far are:
1. Adding an instance variable called 'domain' to Object is a bad idea -
consider SmallIntegers and parts of the VM that assume certain instance
variables are in certain places.
2. Creating dictionaries of which objects are in which domains would
work, but is going to be extremely inefficient. _Every_ object in the
image would have an entry in these dictionaries.
3. Creating a subclass of Object with an instance variable "domain"
could work, and then all other objects that are used by domain-using
code are subclasses. I'm still thinking through the implications.
4. Assigning domains to processes rather than objects is a possibility,
but this would allow resource theft when invocations are done on objects
out of the current domain. If this was done, the current domain would
just be <<thisContext domain>>.
5. Another option is to make radical changes to the VM, so that all of a
domain's objects are kept in the same range of memory. This would be a
rather major change and would introduce bugs.
6. I could do fancy tricks with the garbage collector like ImageSegment
does and trace references back to an object which identifies the current
domain. This is slow and yuck.
So far alternatives 3 or 4 seem possible.
Thinking aloud: option 4 could be implemented with a method
Domain>>doPrivileged: taking a block as an argument. Object>>new and
Process>>new can then search down the stack until Domain>>doPrivileged:
is found and ask the global DomainManager what that domain is allowed to
do. Calls out of the current domain can be stripped of privileges by
doing something like noPrivilegesDomain>>doPrivileged: [otherObject
doSomething]. otherObject would then need to call doPrivileged: again
with its own domain to regain the ability to fork and make new objects.
Umm... this would need some way of preventing user processes from
peeking down the stack and stealing another domain (i.e. using
capability-based security).
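Here is an added example (not from the original post or from Squeak) that models this scheme in Python: Domain.do_privileged leaves a marker on the stack, current_domain walks the frames to the nearest marker the way Object>>new would walk thisContext's sender chain, and allocate / fork stand in for Object>>new and Process>>new. The names Domain, DomainLimitExceeded, NO_PRIVILEGES, current_domain, allocate, fork and resource_theft_demo are assumptions chosen for this sketch; resource_theft_demo shows the cross-domain case raised above, where a block written under one domain but run under another is charged to whoever is on the stack.

```python
import sys

class DomainLimitExceeded(Exception):
    """Raised when an allocation or fork would breach a domain's cap."""

class Domain:
    def __init__(self, name, **caps):
        self.name, self.caps = name, caps  # e.g. memory=..., processes=...
        self.used = {resource: 0 for resource in caps}

    def do_privileged(self, block):
        """Run block with self as the current domain; the local is the stack marker."""
        __domain_marker__ = self  # found by current_domain() walking the frames
        return block()

    def charge(self, resource, amount):
        """The post's wait-or-throw check, reduced here to throw."""
        if self.used[resource] + amount > self.caps[resource]:
            raise DomainLimitExceeded(f"{self.name}: {resource} cap breached")
        self.used[resource] += amount

NO_PRIVILEGES = Domain("noPrivileges", memory=0, processes=0)  # the post's noPrivilegesDomain

def current_domain():
    """Walk the sender chain (Python frames here) to the nearest do_privileged."""
    frame = sys._getframe(1)
    while frame is not None:
        marker = frame.f_locals.get("__domain_marker__")
        if isinstance(marker, Domain):
            return marker
        frame = frame.f_back
    return NO_PRIVILEGES  # code running outside any domain gets nothing

def allocate(nbytes):
    """Stand-in for Object>>new: the current domain pays before anything is built."""
    current_domain().charge("memory", nbytes)
    return bytearray(nbytes)

def fork(block):
    """Stand-in for Process>>new: the current domain pays for the new process."""
    current_domain().charge("processes", 1)
    return block  # a real scheduler would run it

def resource_theft_demo():
    # Authority follows the stack, not the author: Alice's block, Bob's bill.
    alice = Domain("AlicesEmail", memory=10 * 1024 * 1024, processes=6)
    bob = Domain("BobsEmail", memory=20 * 1024 * 1024, processes=15)
    alices_block = lambda: allocate(4096)  # Alice's code, charged to whoever runs it
    alice.do_privileged(alices_block)      # Alice pays here ...
    bob.do_privileged(alices_block)        # ... but Bob pays here
    return alice.used["memory"], bob.used["memory"]
```

Nesting a call inside NO_PRIVILEGES.do_privileged strips memory and process rights for everything below it on the stack, which is the privilege-stripping trick described above; the theft demo is the flip side of the same rule.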
Option 3 has the advantage of making less work for the poor application
developer, but incurs an extra pointer for every single object.
Java does something similar, but it does it based on classes or jar
files (afaik). This is not particularly good - you can't have two
domains with different privileges which share the same implementation.
For example, you can't have an "AlicesEmail" domain and a "BobsEmail"
domain with different privileges if they both use the same classes.
Thoughts? Does anything like this already exist?
Mikevdg.