[cap-talk] Lua, Javascript, and the Object Capability Model

James Graves ansible at xnet.com
Sun Jul 26 06:00:53 EDT 2009


Matej Kosik <kosik at fiit.stuba.sk> wrote: 

> Lua probably supports sandboxing. Untrusted code is started in a context
> where dangerous functions are undefined.

Yes.  When you are initializing a new Lua instance in C code, you
explicitly bring in the standard libraries.  However, you can choose
what to put into the instance's environment.

> Does it also support dynamic changes in the reference graph according to
> object-capability security model? I.e. connectivity:
> - by initial conditions

Yes, as above.

> - parenthood

Yes.  For example, if you create a new object (table), that is the
only reference to it.  You cannot forge a local reference from inside
Lua code.

> - by introduction

Yes, in the same Lua instance, if you've got a reference to an object
(data, function, module, etc.) you can give that as a result of a
function call.  Or write it back into your environment, which can
later be read by your parent.

> - by endowment

Yes, you can pass in whatever you've got in your environment into a
child environment.  You can also pass in objects via the function
parameters when starting the child environment... which is technically
'introduction' I suppose.

> I guess not but because if you want to call a function in Lua, you
> specify (forgeable) name. That name is looked up in appropriate
> hash-table. Untrusted subsystems may have different hash-tables. I am
> not sure though whether it is possible to realize "connectivity by
> introduction" in this system. There are certain useful security policies
> that cannot be implemented if this is not possible.

I'm not quite sure what your point is here.

Names are just entries in your environment, which is either
function-local or your environment.  And your parent can modify your
environment in any possible way.

So you have to trust your parent, but isn't that always the case?

BR,

James
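
The connectivity cases discussed in this message (initial conditions, parenthood, introduction, endowment), as an added example that is not part of the original post. The names run_untrusted, log, bump and peek are hypothetical, the refusal of precompiled bytecode is an extra precaution not mentioned in the thread, and the loader handles both Lua 5.1 (setfenv) and Lua 5.2+ (load with an environment argument).

```lua
-- Added example; run_untrusted, log, bump and peek are hypothetical names.
local function run_untrusted(src, env)
  -- Precompiled chunks start with ESC (27); accept source text only.
  if src:byte(1) == 27 then return false, "bytecode refused" end
  local chunk, err
  if setfenv then                          -- Lua 5.1 / LuaJIT: attach env after loading
    chunk, err = loadstring(src, "=untrusted")
    if chunk then setfenv(chunk, env) end
  else                                     -- Lua 5.2+: env becomes the chunk's _ENV
    chunk, err = load(src, "=untrusted", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Endowment: the parent chooses everything child A starts with.
-- 'audit' stays a parent-local table; the child only gets an append function.
local audit = {}
local env_a = { log = function(msg) audit[#audit + 1] = tostring(msg) end }

-- Initial conditions: os, io and 'audit' were never placed in env_a, so
-- writing those names in the child yields nil, not the real objects.
local ok, hidden = run_untrusted(
  "return os == nil and io == nil and audit == nil", env_a)
assert(ok and hidden == true)

local ok2, read = run_untrusted([[
  local n = 0                                 -- parenthood: only this chunk holds n
  function bump() n = n + 1; log("bump") end  -- written back into the environment
  return function() return n end              -- introduction: handed to the parent
]], env_a)
assert(ok2)
env_a.bump(); env_a.bump()                 -- parent reads what the child wrote back
assert(read() == 2 and #audit == 2)

-- Introduction by the parent: child B receives only the read-only view.
-- The name 'bump' exists in env_a, but in env_b it resolves to nil.
local env_b = { peek = read }
local ok3, seen, can_bump = run_untrusted("return peek(), bump ~= nil", env_b)
assert(ok3 and seen == 2 and can_bump == false)
print("all checks passed")
```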