[E-Lang] MintMaker with ACLs

David Wagner daw@mozart.cs.berkeley.edu
1 Feb 2001 06:52:56 GMT

Tyler Close wrote:
>Several very useful design patterns become fatal security holes:
>Visitor, Internal Iteration, Observer, Hollywood (don't call me, I'll
>call you, eg: SAX), Strategy, ... Essentially, anything that requires
>what is traditionally thought of as a callback.

The canonical solution is to use RPC.  Run the caller and callee
in separate processes (so that they run in different protection domains),
and send a message from caller to callee.

For an alternate solution (that avoids the need for multiple processes
and may have better performance characteristics), you might enjoy reading
the following paper:
    Wallach, Balfanz, Dean, and Felten:
  ``Extensible Security Architectures for Java'', SOSP'97.
Among other things, it describes how to extend stack introspection to
solve the security problems that result when you combine callbacks with
implicit uid's.  The solution is not perfect, but you may find it