[cap-talk] Lua, Javascript, and the Object Capability Model
David-Sarah Hopwood
david-sarah at jacaranda.org
Sat Jul 25 22:03:06 EDT 2009
David-Sarah Hopwood wrote:
> Matej Kosik wrote:
>> James Graves wrote:
>>
>>> Lua, Javascript, and the Object Capability Model
>>> <http://partiallyappliedlife.blogspot.com/2009/07/lua-and-object-capability-model.html>
>> Lua probably supports sandboxing. Untrusted code is started in a context
>> where dangerous functions are undefined.
>>
>> Does it also support dynamic changes in the reference graph according to
>> object-capability security model? I.e. connectivity:
>> - by initial conditions
>> - parenthood
>> - by introduction
>> - by endowment
>> ?
>>
>> I guess not, because if you want to call a function in Lua, you
>> specify a (forgeable) name.
>
> Lua 5.0 and later (http://www.lua.org/versions.html) supports first-class
> functions with lexical variable capture. I don't know enough about it to
> say whether the E/Cajita-style lexically encapsulated object pattern is
> secure in Lua, but it seems plausible.
On further investigation, it does seem quite feasible.
By default, Lua tables (associative arrays) are mutable. So, Cajita-style
objects implemented as tables of functions would not be secure. However,
<http://lua-users.org/wiki/ReadOnlyTables> describes a way to implement
a read-only view of a table.
Let's give the 'readonlytable' function from that page (or some variation
of it) the friendlier name 'object'. Then, the Point example from
<http://www.erights.org/elib/capability/ode/ode-objects.html> would be:
-- 'object' is the 'readonlytable' function from the wiki page, renamed.
function makePoint(x, y)
  local point = object {
    getX = function() return x end,
    getY = function() return y end,
    add = function(other)
      return makePoint(x + other.getX(), y + other.getY())
    end
  }
  return point
end
If objects are created using the 'object { ... }' syntax, then the
underlying table will be inaccessible, and so the difference between a
read-only view and an immutable table does not really matter. Another
potential loophole mentioned on the wiki page is the 'rawset' function,
but it appears that 'rawset' can be excluded from the global environment.
So Lua probably does support object-capability programming, as far as
the language is concerned. Obviously a lot more investigation is required
to determine whether there are other loopholes or undocumented "features"
in the implementation, and how the global environment should be tamed.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
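The pattern described in the post, carried through as an added example (this is not code from the original message, and the names 'object', 'makePoint' and 'run_untrusted' are chosen here). It assumes Lua 5.2 or later, since it relies on the 'env' argument of 'load' (Lua 5.1 would use 'setfenv'). It builds the read-only view with the metatable idiom from the lua-users wiki page, shows that plain assignment and 'getmetatable'/'setmetatable' cannot subvert the view, shows the 'rawset' loophole from trusted code, and then runs a constructed attacker script in an environment from which 'rawset' and the metatable functions are simply absent:

```lua
-- Added example, not from the original post. Lua 5.2+ (uses the 'env'
-- argument of load; Lua 5.1 would use setfenv instead).
-- 'object', 'makePoint' and 'run_untrusted' are names chosen here.

-- Read-only view, after the lua-users wiki 'readonlytable': the proxy is an
-- empty table, reads fall through to the backing table via __index, writes
-- raise via __newindex, and __metatable = false makes getmetatable() return
-- false and setmetatable() on the proxy raise, so the backing table cannot be
-- reached through the metatable.
local function object(t)
  return setmetatable({}, {
    __index = t,
    __newindex = function() error("attempt to modify a read-only object", 2) end,
    __metatable = false,
  })
end

-- The E 'Point' example: methods are closures over x and y; the backing
-- table exists only as the argument of object{...}, so nothing else holds it.
local function makePoint(x, y)
  return object {
    getX = function() return x end,
    getY = function() return y end,
    add = function(other)
      return makePoint(x + other.getX(), y + other.getY())
    end,
  }
end

local p = makePoint(1, 2)
local q = p.add(makePoint(10, 20))
assert(q.getX() == 11 and q.getY() == 22)

-- Ordinary assignment cannot swap a method, and the metatable is hidden.
assert(not pcall(function() p.getX = function() return 999 end end))
assert(p.getX() == 1)
assert(getmetatable(p) == false)
assert(not pcall(setmetatable, p, {}))

-- The loophole the post mentions: rawset ignores __newindex. A raw entry in
-- the (empty) proxy shadows the __index lookup, so the view is subverted.
local victim = makePoint(1, 2)
rawset(victim, "getX", function() return 999 end)
assert(victim.getX() == 999)

-- Hence untrusted code must run in an environment that simply lacks rawset,
-- rawget, getmetatable, setmetatable, debug, load, require and so on. It
-- gets only what its loader passes in (connectivity by initial conditions
-- and by endowment) plus a few harmless primitives. Mode "t" rejects
-- precompiled chunks, which the VM does not verify.
local function run_untrusted(src, grants)
  local env = {}
  for k, v in pairs(grants) do env[k] = v end
  env.pcall, env.error, env.type, env.tostring = pcall, error, type, tostring
  local chunk, err = load(src, "=untrusted", "t", env)
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed attacker script: probes for the dangerous globals and tries
-- to replace a method on the endowed point.
local attacker = [[
  local r = {}
  r.no_rawset = (rawset == nil)
  r.no_getmetatable = (getmetatable == nil)
  r.mutated = pcall(function() point.getX = function() return 999 end end)
  r.x = point.getX()
  return r
]]
local ok, r = run_untrusted(attacker, { point = makePoint(1, 2) })
assert(ok and r.no_rawset and r.no_getmetatable and not r.mutated and r.x == 1)
print("read-only objects hold; sandbox denies rawset/getmetatable")
```

Run it with a stock 'lua' interpreter; every 'assert' passes and the final line prints. Two caveats belong with it. First, the sandbox above only removes globals from the environment table; string values still carry the shared string metatable whose __index is the 'string' library, so method syntax on any string reaches that library. Deciding what else the untrusted environment may see is exactly the "taming the global environment" work the post leaves open. Second, the read-only view is a proxy, not a frozen table: anything that hands the backing table out (or any code that retains 'rawset') breaks the guarantee, which is why the 'object { ... }' constructor form, where the backing table is never named, matters.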