Retrofitting objcaps (was: Capabilities in Squeak)

Mark S. Miller markm at cs.jhu.edu
Tue Oct 17 16:47:38 UTC 2006


Lex Spoon wrote:
> Michael van der Gulik <squeakml at gulik.co.nz> writes:
>> Does anybody have code (particularly VM modifications) which allow
>> Capabilities in Squeak?
>>
>> In particular, I'm referring to code that implements stuff described
>> on this page:
>> http://minnow.cc.gatech.edu/squeak/uploads/2074/sandbox.html
> 
> This is my old "Islands" project, [...] 
> Full information about Islands is available at this page:
> 
>     http://minnow.cc.gatech.edu/squeak/2074
> [...]
> I still think the basic approach is good.  The next thing I would do,
> were I to continue, would be to get rid of the dynamically bound
> global variables, and instead to have separate, static namespaces.

That does sound good.


> The reason for the current approach--i.e. all global references are
> bound indirectly through the currently active island--is that compiled
> code can be reused across multiple islands.  In retrospect, it would
> be better to maintain conceptual purity and simply recompile any
> reused code.

A different compilation strategy would still allow compiled code to be shared 
-- by treating these the way other languages treat captured outer lexical 
variables.


> More broadly, I still think the object capabilities approach is
> important and worth giving a good look in any new language.  It is a
> feature you cannot very well add late.

It has indeed been hard to add objcaps to Squeak after the fact, or rather to 
subtract out the non-objcap parts of the language. (Motto: "Don't add 
security, remove insecurity.") Other efforts have yielded varying results. 
Securing Java to create Joe-E[1] looks quite good, and we have recently been 
using this successfully within HP. Although Java is much more 
"object-oriented" than Scheme or OCaml, W7[2] and Emily[3] were much easier 
than Joe-E, whereas securing Common Lisp[4] was hard enough that the effort 
seems to have been abandoned. The effort to secure Mozart/Oz is proceeding 
slowly, but has yielded one of the best documents[5] about the issues in 
retrofitting objcaps into an existing language. I am also hopeful about a new 
effort to secure Python[6].

All these efforts have freshly encountered many of the same issues. It would 
be good if they could learn more from each other. A secure Squeak-like 
language would still be awesome. Perhaps we should have a workshop about 
retrofitting objcaps into existing languages?

[1] http://www.joe-e.org/
[2] http://mumble.net/~jar/pubs/secureos/
[3] http://www.hpl.hp.com/techreports/2006/HPL-2006-116.html
[4] http://www.eros-os.org/pipermail/e-lang/2005-August/010923.html
[5] http://www.info.ucl.ac.be/~pvr/oze.pdf
[6] http://sayspy.blogspot.com/2006/07/security-design-doc-using-object.html

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM
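The two binding strategies discussed above (Islands' dynamically bound globals
versus Miller's suggestion of treating them like captured outer lexical
variables) can be contrasted in a few dozen lines. The following is an added
example, not code from Islands, Squeak or anyone on this thread, written in
Python rather than Smalltalk so it can be run as-is. Every name in it (Island,
lookup, make_module, greet, demo) is this example's own, and the "islands" are
constructed toy objects whose only capability is a private log list.

```python
"""Added example (not from the Squeak-dev thread): two ways for shared code
to reach a "global" such as a Log/Transcript, mirroring the Islands
discussion.

  dynamic : a global is resolved through whichever island is *active* when
            the code runs (the original Islands strategy).
  lexical : the global is a parameter captured when the shared code is
            instantiated for an island, like a free variable of a closure.

Only the binding discipline is shown; Python's builtins remain ambient
authority, so this is not a sandbox."""

# ---- dynamic binding: a stack of the islands currently "active" ---------
_active = []  # innermost active island is _active[-1]


class Island:
    """A constructed toy island: one private log list and a globals table."""

    def __init__(self, name):
        self.name = name
        self.log = []                      # the island's private capability
        self.globals = {"Log": self.log}   # what this island exposes as globals

    def run(self, fn, *args):
        """Invoke fn with this island active, restoring the previous one after."""
        _active.append(self)
        try:
            return fn(*args)
        finally:
            _active.pop()


def lookup(name):
    """Resolve a global through the island that is active right now."""
    return _active[-1].globals[name]


# ---- shared code, dynamic style: every global goes through lookup() ------
def greet_dynamic(who):
    log = lookup("Log")          # bound at call time, to the caller's island
    log.append(f"hello {who}")
    return len(log)


def make_callback_dynamic(who):
    """Mint a closure to hand to another island; nothing is bound yet."""
    return lambda: greet_dynamic(who)


# ---- shared code, lexical style: globals are captured parameters ---------
def make_module(Log):
    """Compiled once; instantiated per island with that island's capabilities.

    Everything inside refers to Log as a captured outer variable, so the
    authority is fixed when the module is instantiated, not when it is called.
    """
    def greet(who):
        Log.append(f"hello {who}")
        return len(Log)

    def make_callback(who):
        return lambda: greet(who)

    return {"greet": greet, "make_callback": make_callback}


def demo():
    """Return ((a.log, b.log) under dynamic binding, (a.log, b.log) under lexical)."""
    a, b = Island("A"), Island("B")

    # Dynamic: a callback minted while A is active but invoked while B is
    # active writes to B's log. The authority follows the caller, not the
    # code's origin, which is the hazard that makes the design hard to reason about.
    cb = a.run(make_callback_dynamic, "from A")
    b.run(cb)
    dyn = (list(a.log), list(b.log))

    # Lexical: A's instance captured A's log once. Invoking its callback
    # while B is active still reaches only A's log; B's instance reaches B's.
    a.log.clear()
    b.log.clear()
    mod_a = make_module(a.log)
    mod_b = make_module(b.log)
    cb = mod_a["make_callback"]("from A")
    b.run(cb)
    mod_b["greet"]("from B")
    lex = (list(a.log), list(b.log))
    return dyn, lex


if __name__ == "__main__":
    print(demo())
```

Note that in the lexical version make_module is the only thing that is
compiled, and it is instantiated once per island, so compiled code is still
shared across islands; what differs from the dynamic version is that the
binding happens at instantiation rather than on every call, and the
"currently active island" stack is no longer needed for correctness at all.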


