Re: Security in Self
Interesting, but since the granularity is objects instead of methods or statements, it may be that this exact proposal is a better match for preventing one user from corrupting another's data than for the maintenance of invariants.

Thanks for the thoughts!

-- Dave
At 10:14 PM 4/12/94 +0100, I.R.Woollard@bnr.co.uk wrote:
>>Do you mean saying
>>a) "I am X and I may access A, B, ...
>> (regardless of what A, B, ... specifies)"
>>instead of
>>b) "I am A and I grant access to X, Y, ..."?
>
>I think that a) is true! But that X needs proof!
>
>
>For security, Self lacks:
>
>1 - privacy of slots to access by "self" only.
>
>2 - knowledge of what object called this one ("sender")
>
>3 - some way to call the object that was found to contain the method
>that is now running ("receiver"). (This prevents inheritance doing
>horrible things, see later... )
>
>
>Half baked example, given these changes are done:
>
>"classPoint" here is an object representing the class of objects that
>can do assignment to points. It is publicly accessible via a global
>variable.
>
>point =
>(| parent* = traits certificated.
> x = (myX).
> y = (myY).
> x: anX y: aY cert: aCert = ( (classPoint checkCert: aCert From: sender)
> ifTrue: [myX: anX. myY: aY]).
> _ myX <- 0.
> _ myY <- 0.
> certificate <- nil.
>|)
>
>Certificate slots are:
> - the object being certified
> - the class that it is certifying the object is a member of
> - a private secret shared between certificate and class, proving
> membership of the calling object in the group that the certificate
> says the object belongs to.
>
>pointCertificate =
>(| _ owner = point.
> _ memberOf = class.
> _ secret = (someobject).
> getSecret = ((sender = receiver memberOf) ifTrue: [secret] False: [nil]).
>|)
>
>Point is then modified by the UI, which we assume is in the class that
>is allowed to make new certificates of point...
>
>point certificate: (pointCertificate copy: point)
>
>
>Example of classPoint implementation:
>
>class = (| _ secret = (someobject).
> checkCert: aCertificate From: anObject =
> ( (anObject = aCertificate owner)
> && (secret = aCertificate getSecret) ).
>|)
>
>The point is that nothing except a certificate or the class itself can
>ever get ahold of the secret, and only the class gives out
>certificates about itself. Anybody may get a pointer to a certificate,
>but because it doesn't refer to them, it doesn't help.
>
>Generating certificates left as an exercise to the reader...
>
>-Ian
>
>p.s. I have a paper that discusses the distributed case, it's pretty
>similar, but uses public key encryption instead of secrets.
>
>p.p.s. after all this the image had better be written out in rwx......
>with root permissions!
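
The certificate check Ian sketches above, as an added Python model that is not part of the thread and not Self code. It assumes the three missing features (slot privacy, `sender`, `receiver`) are replaced by explicit parameters, so caller identity is passed in rather than discovered, and all class, certificate and caller names are constructed for the illustration. It walks the two failure cases the message describes: a caller holding a pointer to someone else's certificate, and a caller presenting a certificate it minted itself.

```python
"""Model of the certificate scheme from the thread (added example, not Ian's
Self code).  Assumption: 'sender' and 'receiver' are explicit arguments
because Python, like Self, does not expose them; names are constructed."""
import secrets


class Certificate:
    """Owner, issuing class and the shared secret; the secret is only
    handed back to the class it was issued for ('sender = receiver memberOf')."""

    def __init__(self, owner, member_of, secret):
        self._owner = owner
        self._member_of = member_of
        self._secret = secret

    @property
    def owner(self):
        return self._owner

    @property
    def member_of(self):
        return self._member_of

    def get_secret(self, sender):
        # Anyone may ask, but only the issuing class gets an answer.
        return self._secret if sender is self._member_of else None


class PointClass:
    """Plays 'classPoint': sole holder of the secret, sole issuer of certificates."""

    def __init__(self):
        self._secret = secrets.token_bytes(16)

    def issue_certificate(self, owner):
        # Only the class mints certificates, and each names its owner.
        return Certificate(owner=owner, member_of=self, secret=self._secret)

    def check_cert(self, cert, sender):
        # Both conditions from the thread: the certificate must be about the
        # caller, and the secret it releases to us must be ours.
        if sender is not cert.owner:
            return False
        released = cert.get_secret(sender=self)
        return released is not None and secrets.compare_digest(self._secret, released)


class Point:
    """The guarded object: coordinates change only for certified callers."""

    def __init__(self, point_class):
        self._x, self._y = 0, 0
        self._class = point_class

    @property
    def xy(self):
        return (self._x, self._y)

    def set_xy(self, x, y, cert, sender):
        # 'x: anX y: aY cert: aCert' from the sketch; returns the decision.
        if self._class.check_cert(cert, sender):
            self._x, self._y = x, y
            return True
        return False


def demo():
    """Constructed scenario: a certified caller, a caller with a stolen
    pointer to that certificate, and a caller with a forged certificate."""
    point_class = PointClass()
    point = Point(point_class)
    ui = object()                                  # the trusted UI in the thread
    ui_cert = point_class.issue_certificate(ui)

    thief = object()                               # obtained a reference to ui_cert
    forger = object()
    forged = Certificate(owner=forger, member_of=point_class, secret=b"guess")

    return {
        "legit": point.set_xy(3, 4, ui_cert, sender=ui),
        "stolen": point.set_xy(9, 9, ui_cert, sender=thief),   # owner mismatch
        "forged": point.set_xy(9, 9, forged, sender=forger),   # secret mismatch
        "final": point.xy,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the leading underscores here are as advisory as Self's `_` slots: the model supplies the `sender` check Ian asks for, but it does not supply enforced privacy, so the scheme's strength still rests on the class and certificate never returning the secret except through `get_secret`.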