Retrofitting objcaps (was: Capabilities in Squeak)
Mark S. Miller
markm at cs.jhu.edu
Tue Oct 17 16:47:38 UTC 2006
Lex Spoon wrote:
> Michael van der Gulik <squeakml at gulik.co.nz> writes:
>> Does anybody have code (particularly VM modifications) which allow
>> Capabilities in Squeak?
>>
>> In particular, I'm referring to code that implements stuff described
>> on this page:
>> http://minnow.cc.gatech.edu/squeak/uploads/2074/sandbox.html
>
> This is my old "Islands" project, [...]
> Full information about Islands is available at this page:
>
> http://minnow.cc.gatech.edu/squeak/2074
> [...]
> I still think the basic approach is good. The next thing I would do,
> were I to continue, would be to get rid of the dynamically bound
> global variables, and instead to have separate, static namespaces.
That does sound good.
> The reason for the current approach--i.e. all global references are
> bound indirectly through the currently active island--is that compiled
> code can be reused across multiple islands. In retrospect, it would
> be better to maintain conceptual purity and simply recompile any
> reused code.
A different compilation strategy would still allow compiled code to be shared
-- by treating these the way other languages treat captured outer lexical
variables.
> More broadly, I still think the object capabilities approach is
> important and worth giving a good look in any new language. It is a
> feature you cannot very well add late.
It has indeed been hard to add objcaps to Squeak after the fact, or rather to
subtract out the non-objcap parts of the language. (Motto: "Don't add
security, remove insecurity.") Other efforts have yielded varying results.
Securing Java to create Joe-E[1] looks quite good, and we have recently been
using this successfully within HP. Although Java is much more
"object-oriented" than Scheme or OCaml, W7[2] and Emily[3] were much easier
than Joe-E, whereas securing Common Lisp[4] was hard enough that the effort
seems to have been abandoned. The effort to secure Mozart/Oz is proceeding
slowly, but has yielded one of the best documents[5] about the issues in
retrofitting objcaps into an existing language. I am also hopeful about a new
effort to secure Python[6].
All these efforts have freshly encountered many of the same issues. It would
be good if they could learn more from each other. A secure Squeak-like
language would still be awesome. Perhaps we should have a workshop about
retrofitting objcaps into existing languages?
[1] http://www.joe-e.org/
[2] http://mumble.net/~jar/pubs/secureos/
[3] http://www.hpl.hp.com/techreports/2006/HPL-2006-116.html
[4] http://www.eros-os.org/pipermail/e-lang/2005-August/010923.html
[5] http://www.info.ucl.ac.be/~pvr/oze.pdf
[6] http://sayspy.blogspot.com/2006/07/security-design-doc-using-object.html
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
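The thread contrasts two ways of binding a shared piece of compiled code to an island's globals: resolving every global through the currently active island (dynamic), versus fixing the namespace when the code is instantiated, the way a closure captures outer lexical variables (static). The following Python sketch is an added example, not Squeak, Islands, or any code from this thread; the names Transcript, FileSystem, Log and DirList are hypothetical stand-ins for island-held authority. It compiles one source once and shows that the dynamic strategy lets a callback retained by island A run with island B's bindings when B is active, while the lexical strategy keeps each instance confined to its own bindings and still shares the compiled code object.

```python
"""
One compiled code object, two binding strategies.

Added example (not Islands code). 'Transcript' and 'FileSystem' are
hypothetical island-held capabilities; the source below is constructed.
"""

SHARED_SOURCE = """
def report(msg):
    # 'Transcript' and 'FileSystem' are free names: they resolve in whatever
    # namespace this function ends up bound to.
    Transcript.append(msg)
    return len(FileSystem.entries)
"""
# Compiled exactly once; both strategies reuse this code object.
SHARED_CODE = compile(SHARED_SOURCE, "<shared>", "exec")


class Log:
    """Stand-in for a per-island Transcript (hypothetical)."""
    def __init__(self):
        self.lines = []

    def append(self, s):
        self.lines.append(s)


class DirList:
    """Stand-in for a per-island file-system view (hypothetical)."""
    def __init__(self, entries):
        self.entries = list(entries)


def fresh_islands():
    """Two islands with different authority (constructed sample data)."""
    a = {"Transcript": Log(), "FileSystem": DirList(["a.txt"])}
    b = {"Transcript": Log(),
         "FileSystem": DirList(["secret1", "secret2", "secret3"])}
    return a, b


# --- Strategy 1: dynamic binding through the "currently active island" ---
# A single shared namespace; activating an island swaps its bindings in,
# so a global reference means "whatever the active island says right now".
_dynamic_ns = {"__builtins__": {"len": len}}
exec(SHARED_CODE, _dynamic_ns)
dynamic_report = _dynamic_ns["report"]


def activate(island):
    """Make `island`'s bindings the globals the shared code will see."""
    for name in ("Transcript", "FileSystem"):
        _dynamic_ns[name] = island[name]


def dynamic_confusion():
    """Island A keeps a callback; a scheduler switches to B before it runs."""
    a, b = fresh_islands()
    activate(a)
    callback = dynamic_report          # A believes this is "its" report
    activate(b)                        # control passes to B
    n = callback("hello from A")       # A's code runs with B's authority
    return n, a["Transcript"].lines, b["Transcript"].lines


# --- Strategy 2: lexical binding, fixed when the code is instantiated ---
def instantiate(island):
    """Bind the shared code object to one island's namespace, closure-style."""
    ns = {"__builtins__": {"len": len}}  # only what this island is granted
    ns.update(island)
    exec(SHARED_CODE, ns)                # same code object, new bindings
    return ns["report"]


def lexical_confinement():
    """Each island gets its own instance; the compiled code is still shared."""
    a, b = fresh_islands()
    report_a = instantiate(a)
    report_b = instantiate(b)
    n = report_a("hello from A")
    shared = report_a.__code__ is report_b.__code__
    return n, a["Transcript"].lines, b["Transcript"].lines, shared


if __name__ == "__main__":
    print("dynamic:", dynamic_confusion())   # A's message lands in B's log
    print("lexical:", lexical_confinement())  # stays in A's log, code shared
```

In the dynamic case the call returns 3 and A's message appears in B's Transcript: A's code read B's directory and wrote to B's log because the binding was looked up at call time. In the lexical case it returns 1, the message stays in A's log, and `report_a.__code__ is report_b.__code__` is true, so the recompilation Lex mentions is not needed to get confinement. The sketch only models the binding strategies; trimming `__builtins__` in CPython is not a sandbox, since attribute access on any reachable object can still lead to ambient authority, which is exactly the "remove insecurity" work the thread describes.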