[cap-talk] object-oriented-security.org
Sandro Magi
naasking at higherlogics.com
Sun Mar 21 21:56:17 PDT 2010
On 21/03/2010 8:25 PM, David-Sarah Hopwood wrote:
> Sandro Magi wrote:
>> Object references in any memory safe language are unforgeable.
>
> That's not so. The canonical counterexample is Smalltalk, which (in most
> implementations) allows you to enumerate all references via allObjectsDo.
> This is practically equivalent to forging them.
For sufficiently imprecise definitions of "forging", maybe. A more
precise classification is that allObjectsDo is an ambient authority.
And arguing that forging and ambient authorities are practically
equivalent dilutes their usefulness IMO.
Forging == inability to manufacture authorities
Ambient authority == side-effecting initial authorities
Certainly they are related:
1. one can have an ambient authority to forge authorities,
2. if one can forge authorities, all authorities are accessible and thus
in a sense "ambient"
You need to lock down both for object capabilities, and I think the
distinction is useful. Memory-safety to prevent forging, and only
encapsulated parametric side-effects to tame ambient authorities.
Sandro
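An added illustration of the distinction drawn above, written for this page and not taken from the thread or from either participant. Python is memory safe, so a reference to a capability object cannot be manufactured from bytes; but CPython also ships `gc.get_objects()`, which enumerates every tracked object in the process and so plays the same role as Smalltalk's allObjectsDo. The class and function names below (`Capability`, `confined_without_reference`, `find_capability_via_ambient`, `use_parametric`) are constructed for the example; `gc.get_objects()` is the real standard-library call.

```python
"""Unforgeable references versus ambient enumeration authority.

Added example, not code from the cap-talk thread. The names Capability,
confined_without_reference, find_capability_via_ambient and
use_parametric are hypothetical; gc.get_objects() is CPython's own
ambient object-enumeration authority (the analogue of allObjectsDo).
"""
import gc
from typing import Optional


class Capability:
    """A capability: holding a reference to it is the only way to invoke it."""

    def __init__(self, secret: str) -> None:
        self._secret = secret

    def reveal(self) -> str:
        return self._secret


def confined_without_reference() -> Optional[str]:
    """Code that was never passed a Capability cannot forge one.

    Memory safety rules out fabricating a reference from an integer or a
    byte pattern, so with no capability among its parameters and no
    ambient authority, this function has nothing to return.
    """
    return None


def find_capability_via_ambient() -> Optional[str]:
    """Locate a live Capability without ever being handed one.

    This is not forging: every reference returned by gc.get_objects() is
    a genuine, memory-safe reference. It is an ambient authority, an
    initial authority available to any code in the process regardless of
    what was passed to it, which is exactly what an object-capability
    system has to remove.
    """
    for obj in gc.get_objects():
        if isinstance(obj, Capability):
            return obj.reveal()
    return None


def use_parametric(cap: Capability) -> str:
    """The object-capability discipline: authority arrives only as a parameter.

    A reviewer can bound what this function can do by reading its
    signature; the same is not true of find_capability_via_ambient.
    """
    return cap.reveal()


if __name__ == "__main__":
    # Constructed sample: one capability held by the caller, never passed
    # to the confined or ambient functions.
    cap = Capability("s3cret")
    print("confined:", confined_without_reference())     # None
    print("ambient: ", find_capability_via_ambient())     # s3cret
    print("param:   ", use_parametric(cap))               # s3cret
```

Both `find_capability_via_ambient` and `use_parametric` end up with the same secret, which is the practical equivalence the quoted message points at; the difference the reply insists on is visible in the code: the first obtains it through an authority the language hands to everyone, the second through a reference that had to be explicitly granted. Locking down references (memory safety) is necessary but, as long as `gc.get_objects()` is reachable, not sufficient.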