
EROS Object Reference

Concepts

Constructor

D R A F T

Description

EROS is designed as a client/service system. Except where shared state or multiplexing are required, each client receives its own instance of any service that it uses. Constructors are trusted agents (programs) that build service instances.

More generally, constructors provide the means by which mutually suspicious parties can collaborate. A service provider acquires a new constructor (which is fabricated by the MetaConstructor), and installs into this new constructor the capabilities that the service instances should initially hold. The provider then seals the constructor, whereupon a distinguished start capability known as a requestor capability is returned.

Programs built by constructors can be characterized as discreet or indiscreet. A discreet program is one that provably cannot leak information to a third party. Such a program's faults cannot propagate to other programs. Discretion is ascertained by construction. As each capability is installed in the constructor, the constructor examines the discretion of that capability. The installed capability is either:

  • A discreet capability, such as a read-only address space capability,
  • An indiscreet capability, such as a read-write address space capability, or
  • The product of another constructor, whose discretion can be ascertained by asking that constructor.
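The discretion check described above, as an added illustrative model (not EROS code): a constructor accepts capabilities until it is sealed, the seal returns a requestor capability, and discretion is decided from the installed capabilities, recursing into other constructors for capabilities that are their products. The class names and the cycle rule are assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed model of constructor discretion checking; not the EROS implementation.

@dataclass
class Capability:
    """A primitive capability. `discreet` models e.g. a read-only space (True)
    versus a read-write space (False)."""
    name: str
    discreet: bool

@dataclass
class Requestor:
    """The start capability returned by sealing a constructor; its discretion is
    ascertained by asking the constructor that produced it."""
    constructor: "Constructor"

    def is_discreet(self):
        return self.constructor.is_discreet()

@dataclass
class Constructor:
    """Holds the capabilities that service instances will initially receive."""
    name: str
    installed: list = field(default_factory=list)
    sealed: bool = False

    def install(self, cap):
        # The provider installs capabilities only before sealing.
        if self.sealed:
            raise RuntimeError(f"{self.name} is sealed; cannot install {cap!r}")
        self.installed.append(cap)

    def seal(self):
        self.sealed = True
        return Requestor(self)

    def is_discreet(self, _visited=frozenset()):
        # Assumption of this model: a cycle between constructors cannot be proved
        # discreet, so it is treated as indiscreet.
        if id(self) in _visited:
            return False
        visited = _visited | {id(self)}
        for cap in self.installed:
            if isinstance(cap, Capability) and cap.discreet:
                continue
            if isinstance(cap, Requestor) and cap.constructor.is_discreet(visited):
                continue
            return False            # indiscreet capability, or unknown kind
        return True
```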

Constructors are able to certify the authenticity of other constructors, and that any space used to construct program instances comes from a trusted source of storage. Because the constructor is a trusted agent, a client can be sure that their data will not be leaked, and that the constructed service cannot consume all available client resources.

For purposes of active networking, the role played by constructors is the confinement of suspicious programs. While cryptographic signatures can be used to certify programs by previous arrangement, the provenance of a netlet in general is unknown, and the active node must presume that such netlets are potentially hostile. The solution is to place the incoming netlet inside a confinement boundary, minimizing mischievous missionism.


Copyright 1998 by Jonathan Shapiro. All rights reserved. For terms of redistribution, see the GNU General Public License