[cap-talk] capability copy and capability map
Neal H. Walfield
neal at walfield.org
Fri Oct 27 02:57:16 CDT 2006
At Thu, 26 Oct 2006 19:33:50 -0700,
Charles Landau wrote:
> The server implements two bank accounts obj1 and obj2.
> Carol holds obj1 which is derived from the server.
> Alice holds obj2 derived from the server. Alice grants her obj2 to Carol.
> Carol invokes her obj1 passing her obj2, requesting to transfer $100
> from account obj2 to account obj1.
> Server performs eq?(server's obj2, obj2 passed by Carol), which under
> your assumptions returns true.
> Now Alice decides she no longer wants Carol to have authority over
> account obj2, and revokes Carol's obj2.
> Alice invokes obj2 to find out what Carol did to the account before
> it was revoked. Let us assume the server is multithreaded and replies
> that account obj2 holds $100. Alice knows that no one other than
> Alice and Carol has ever had access to account obj2, so there should
> now remain $100 in account obj2.
> Now the server continues processing Carol's invocation. Relying on
> the result of the eq? operation performed above, the server transfers
> $100 from account obj2 to account obj1.
Why couldn't this happen in the wrapper case? Another example:
- Alice holds obj1 which is derived from the server.
- Alice creates a wrapper for obj1 and passes this to Carol.
- Carol invokes the wrapper object.
- After the server receives the message from Carol but before the
operation is performed, Alice destroys the wrapper object.
Neal
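The race in both examples above (Charles's eq? check racing a revocation, Neal's wrapper destroyed after the message arrives but before the operation runs) is the same check-then-act window. The following is an added illustration, not code from the cap-talk thread: a toy Python bank server with the forced interleaving from Charles's scenario, once with the check and the transfer separated by a window and once with check, transfer and revocation serialised on one lock. The names (Server, Cap, transfer_racy, transfer_atomic), the lock-based remedy and the $100 balances are assumptions chosen to mirror the post.

```python
"""Check-then-act window between an eq?-style authority check and the
transfer it authorises, with a revocation landing inside the window.

Added illustration for this thread, not code from the cap-talk post.  The
class and function names, the lock-based remedy and the $100 balances are
assumptions chosen to mirror the scenario in the post."""
import threading
import time


class Cap:
    # Revocable capability to one account (assumed model).
    def __init__(self, account):
        self.account = account
        self.revoked = False


class Server:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.lock = threading.Lock()

    def mint(self, account):
        return Cap(account)

    def revoke(self, cap):
        # Revocation takes the same lock as transfer_atomic, so it can
        # never land between that transfer's check and its update.
        with self.lock:
            cap.revoked = True

    def balance(self, cap):
        with self.lock:
            if cap.revoked:
                raise PermissionError("revoked")
            return self.balances[cap.account]

    def _resolve(self, cap):
        # The eq?-style step: does the passed capability still denote
        # one of this server's accounts?
        if cap.revoked:
            raise PermissionError("revoked")
        return cap.account

    def transfer_racy(self, dst_cap, src_cap, amount, window=lambda: None):
        src = self._resolve(src_cap)        # check ...
        dst = self._resolve(dst_cap)
        window()                            # ... a revocation lands here ...
        with self.lock:                     # ... and we act on a stale check
            self.balances[src] -= amount
            self.balances[dst] += amount
        return "ok"

    def transfer_atomic(self, dst_cap, src_cap, amount, window=lambda: None):
        with self.lock:                     # check and act under one lock
            src = self._resolve(src_cap)
            dst = self._resolve(dst_cap)
            window()                        # revoke() blocks until we release
            self.balances[src] -= amount
            self.balances[dst] += amount
        return "ok"


def run_scenario(transfer_name):
    """Force the interleaving from the post: Carol's transfer passes its
    check, Alice revokes Carol's obj2 and reads the balance, then Carol's
    pending transfer is completed.  Returns what each party observed."""
    server = Server({"obj1": 0, "obj2": 100})
    carol_obj1 = server.mint("obj1")
    alice_obj2 = server.mint("obj2")
    carol_obj2 = server.mint("obj2")        # Alice's grant of obj2 to Carol
    checked = threading.Event()
    seen = {}

    def window():
        checked.set()                       # let Alice run ...
        time.sleep(0.2)                     # ... while the operation is pending

    def carol():
        transfer = getattr(server, transfer_name)
        try:
            seen["carol"] = transfer(carol_obj1, carol_obj2, 100, window)
        except PermissionError as e:
            seen["carol"] = f"denied: {e}"

    def alice():
        checked.wait()
        server.revoke(carol_obj2)
        seen["alice_saw"] = server.balance(alice_obj2)

    threads = [threading.Thread(target=carol), threading.Thread(target=alice)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    seen["final_obj2"] = server.balance(alice_obj2)
    return seen


def alice_was_right(seen):
    """Alice's reasoning in the post: the balance she reads after revoking
    is the balance that must remain.  True only if nothing moved later."""
    return seen["alice_saw"] == seen["final_obj2"]


if __name__ == "__main__":
    for name in ("transfer_racy", "transfer_atomic"):
        seen = run_scenario(name)
        print(name, seen, "consistent" if alice_was_right(seen) else "RACE")
```

With transfer_racy, Alice reads $100 after revoking and the account nonetheless ends at $0, exactly the sequence Charles describes. With transfer_atomic the outcome is the same final state, but Alice's revoke cannot complete until the in-flight transfer has finished, so the $0 she reads is the balance that actually remains; whether the server compares capabilities with eq? or hands out wrappers does not change this, only the atomicity of check-and-act relative to revocation does.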