[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security in Self



>Do you mean saying 
>a) "I am X and I may access A, B, ... 
>   (regardless of what A, B, ... specifies)" 
>instead of 
>b) "I am A and I grant access to X, Y, ..."?

I think that a) is true! But that X needs proof!


For security, Self lacks:

1 - privacy of slots to access by "self" only.

2 - knowledge of what object called this one ("sender")

3.- some way to call the object that was found to contain the method
that is now running ("receiver"). (This prevents inheritance doing
horrible things, see later... )


Half baked example, given these changes are done:

"classPoint" here is an object representing the class of objects that
can do assignment to points. It is publically accessible via a global
variable.

point =
(| parent* = traits certificated.
   x = (myX).
   y = (myY).
   x: anX y: aY cert: aCert = ( classPoint checkCert: aCert From: sender
                                ifTrue: [myX: anX myY: anY]).
   _ myX <- 0.
   _ myY <- 0.
   certificate <- nil.
|)

Certificates slots are - the object being certified
                       - the class that it is certifying the object is a member of
                       - a private secret shared between certificate and class
                         membership, of the calling object to the group that the
                         certificate says the object belongs.

certificate point =
(| _ owner = point.
   _ memberOf = class.
   _ secret = (someobject).
   getSecret = ((sender = receiver memberOf) ifTrue: [secret] False: [nil].
|)

Point is then modified by the UI, which we assume is in the class that
is allowed to make new certificates of point...

point certificate: (pointCertificate copy: point)


Example of classPoint implementation:

class = (| _ secret = (someobject).
           checkCert: aCertificate From: anObject = 
             ( (anObject = aCert owner)
               && (secret = aCert getSecret) )

The point is that nothing except a certificate or the class itself can
ever get ahold of the secret, and only the class gives out
certificates about itself. Anybody may get a pointer to a certificate,
but because it doesn't refer to them, it doesn't help.

Generating cerificates left as an exercise to the reader...

-Ian

p.s. I have a paper that discusses the distributed case, its pretty similar, but
uses public key encryption instead of secrets.

p.p.s. after all this the image had better be written out in rwx......
with root permissions!