[E-Lang] Security Breach: Nominee for the Stock Exchange Prize
Tyler Close
tclose@oilspace.com
Wed, 18 Apr 2001 09:20:32 +0100
At 04:44 PM 4/17/01 -0700, Mark S. Miller wrote:
>Btw, even though the motivation for exploring these issues was the current
>controversy over connection and timeout semantics, the above problem & fix
>seem to be equivalent in any of the current proposals.
I disagree. In a system where ERiaSR, the user's bidding agent, upon being
revived, would have resent the original bid request, not issued a
completely new bid request. The receiving Vat guarantees that a message is
processed at most once (possibly using the scheme I laid out in my original
proposal for always sturdy refs).
The ERiaSR model is easier and more natural to code to. MarcS would not
have suffered this security breach if he was programming to an ERiaSR model.
The additional program logic that the LiveRef model imposes is a very good
example of the "bottom-up" flow of complexity that Dean was talking about.
Tyler
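The distinction drawn above, between a revived agent resending its original request and issuing a fresh one, can be made concrete with a small simulation. This is an added example, not code from the E-Lang thread or from E itself; `Exchange`, `BiddingAgent` and the message-id bookkeeping are hypothetical stand-ins for the receiving Vat and the user's bidding agent. The receiver remembers which message ids it has already processed and replays the stored reply for a redelivery, so a retransmitted bid is applied at most once, whereas a brand-new bid for the same item lands twice.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class BidRequest:
    """One bid message. msg_id is the receiver's deduplication key."""
    msg_id: str
    bidder: str
    item: str
    amount: int


class Exchange:
    """Receiving side (stand-in for the Vat in the thread; hypothetical name).

    Every accepted bid is recorded, and every processed msg_id is remembered
    with its reply, so a redelivered message is acknowledged again but never
    applied a second time: at-most-once processing."""

    def __init__(self):
        self.processed = {}   # msg_id -> reply already sent
        self.bids = []        # bids actually applied to the order book

    def deliver(self, req: BidRequest) -> str:
        if req.msg_id in self.processed:
            # Duplicate delivery: replay the earlier reply, do not re-apply.
            return self.processed[req.msg_id]
        self.bids.append(req)
        reply = f"accepted:{req.msg_id}"
        self.processed[req.msg_id] = reply
        return reply


class BiddingAgent:
    """Client side (hypothetical). Keeps its outstanding request so that after
    a crash and revival it can retransmit the identical message."""

    def __init__(self, name: str, exchange: Exchange):
        self.name = name
        self.exchange = exchange
        self.pending = None

    def bid(self, item: str, amount: int) -> str:
        # Mint a fresh msg_id only for a genuinely new request.
        self.pending = BidRequest(str(uuid.uuid4()), self.name, item, amount)
        return self.exchange.deliver(self.pending)

    def revive_and_resend(self) -> str:
        # Sturdy-ref style: resend the original request, same msg_id.
        return self.exchange.deliver(self.pending)

    def revive_and_rebid(self) -> str:
        # The mistake described in the thread: treat the lost connection as a
        # lost bid and issue a completely new request (new msg_id).
        return self.bid(self.pending.item, self.pending.amount)


def demo() -> tuple:
    """Simulate the reply being lost: the agent sends, 'crashes' before it
    sees the acknowledgement, then is revived. Returns (bids applied when
    resending the original, bids applied when rebidding afresh)."""
    ex = Exchange()
    alice = BiddingAgent("alice", ex)
    alice.bid("widget", 100)        # ack lost; alice never records it
    alice.revive_and_resend()       # same msg_id -> deduplicated
    resend_count = len(ex.bids)

    ex2 = Exchange()
    bob = BiddingAgent("bob", ex2)
    bob.bid("widget", 100)          # ack lost
    bob.revive_and_rebid()          # new msg_id -> second bid applied
    rebid_count = len(ex2.bids)

    return resend_count, rebid_count


if __name__ == "__main__":
    print(demo())  # (1, 2)
```

The point of the comparison is that the deduplication lives entirely on the receiving side and keys on an identifier the sender chose once; the client's only obligation after revival is to keep resending what it already had. Once the client is instead expected to reason about connection state and decide whether to re-issue, every such decision point is a place where a duplicate side effect can be introduced.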