black-box re-use? (was: Re: [E-Lang] MintMaker with ACLs)

Marc Stiegler marcs@skyhunter.com
Thu, 1 Feb 2001 11:37:18 -0700


I believe Zooko has asked an extremely important question here, and while I
would expect people to find Tyler's theoretical analysis convincing, I would
like to mention some empirical evidence as well on code reuse with
capabilities.

My pet project for the last couple of months has been building a
capability-secure windowing toolkit that lies on top of Java/Swing.
Java/Swing is a mess from a capabilities perspective; access to any widget
gives full authority over the global clipboard, for example.

Code reuse is an absolute requirement: I have no way of going in and fixing
AWT or Swing. If I had to go in and add a protection mechanism I would have
to give up and go find something else to do.

In fact, though there is considerable code required to completely wrap
AWT/Swing while granting users all the functionality of these packages in a
capability-secure fashion, I now have an architecture and plan that does
this complete wrapping, in addition to a small proof-of-concept emaker
package that securely wraps the whole system (though it does not yet let
through all the functionality, i.e., the security is complete, but the
functionality is not yet).

I believe that anyone who looks at AWT/Swing through a capability lens will
conclude that this is a pretty impressive demonstration of the power of
capability architecture to refactor delegated powers without rewriting
existing code. Truthfully, even I was a little surprised when I concluded
that such complete security discipline could be enforced on AWT/Swing while
letting such complete functionality shine through.

--marcs


----- Original Message -----
From: Tyler Close <tclose@oilspace.com>
To: <zooko@mad-scientist.com>
Cc: <e-lang@eros-os.org>
Sent: Thursday, February 01, 2001 7:56 AM
Subject: RE: black-box re-use? (was: Re: [E-Lang] MintMaker with ACLs)


> Zooko wrote:
> > For example if there are other users, or other programmers, currently
> > using the basic mint code, without the "see-balance-only" feature, is
> > it the case that adding the feature to MintMaker will be less likely to
> > disrupt them than adding the same feature to HalMint?
>
> You're right on the money, but I would phrase it as "will not disrupt
> them" rather than "less likely to". Their rights did not change in any
> way. They are totally unaffected.
>
> > Is this difference a necessary consequence of the security models, or a
> > design decision on the part of language designers, or a design decision
> > on the part of the programmers, MarkM(?) and Hal?
>
> You didn't ask me, but I think it's inherent to the security model.
> The access check is at the subject. If the subject doesn't check,
> there is no check. What else can be said?
>
> Tyler
>
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
>
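The pattern Marc describes above (wrapping a library that grants ambient authority, without touching the library) and the point in Tyler's quoted reply (the access check lives at the subject, so adding a new facet cannot change what existing holders can do) can both be shown in a few dozen lines. The following is an added example written for this page; it is not code from the E-Lang thread, from Marc's Swing wrapper, or from the E MintMaker. `LegacyTextWidget`, `GLOBAL_CLIPBOARD`, `attenuate`, and the two facet constructors are constructed stand-ins: the widget plays the role of a Swing component whose every reference reaches the global clipboard, and the facets play the role of the capability-secure emaker wrapper.

```python
# Added example (not code from the E-Lang thread, from Marc Stiegler's Swing
# wrapper, or from the E MintMaker). All names below are hypothetical stand-ins.

# Constructed stand-in for the process-wide clipboard every widget can reach.
GLOBAL_CLIPBOARD = {"contents": ""}


class LegacyTextWidget:
    """Stand-in for an AWT/Swing text component. We never modify this class."""

    def __init__(self, text=""):
        self._text = text

    def get_text(self):
        return self._text

    def set_text(self, text):
        self._text = text

    # Ambient authority: holding any reference to the widget is enough to
    # read and write global state.
    def copy(self):
        GLOBAL_CLIPBOARD["contents"] = self._text

    def paste(self):
        self._text = GLOBAL_CLIPBOARD["contents"]


def attenuate(target, allowed):
    """Build a facet exposing only the ``allowed`` method names of ``target``.

    Each forwarder closes over ``target``; the facet object carries no
    attribute pointing back at it. A holder of the facet can call exactly
    the listed methods, so the check is at the subject (the facet), not in
    a list the target consults.
    """
    class Facet:
        pass

    def make_forwarder(name):
        def forwarder(*args, **kwargs):
            return getattr(target, name)(*args, **kwargs)
        forwarder.__name__ = name
        return forwarder

    facet = Facet()
    for name in allowed:
        setattr(facet, name, make_forwarder(name))
    return facet


def make_editor_facet(widget):
    """Original facet: full text editing, no clipboard."""
    return attenuate(widget, ("get_text", "set_text"))


def make_viewer_facet(widget):
    """Facet added later (the analogue of a see-balance-only purse).

    Existing editor holders keep exactly the rights they had: neither the
    widget nor the editor facet changed when this function was added.
    """
    return attenuate(widget, ("get_text",))


def run_demo():
    """Exercise both facets and report what each holder can and cannot do."""
    GLOBAL_CLIPBOARD["contents"] = "untouched"
    widget = LegacyTextWidget("initial")
    editor = make_editor_facet(widget)
    viewer = make_viewer_facet(widget)

    editor.set_text("hello")          # functionality shines through
    try:
        editor.copy()                 # authority does not
        editor_reached_clipboard = True
    except AttributeError:
        editor_reached_clipboard = False

    return {
        "viewer_sees": viewer.get_text(),
        "viewer_can_write": hasattr(viewer, "set_text"),
        "editor_reached_clipboard": editor_reached_clipboard,
        "clipboard": GLOBAL_CLIPBOARD["contents"],
        "raw_widget_can_copy": hasattr(widget, "copy"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, Python is not an object-capability language: a determined holder can dig the widget back out of `forwarder.__closure__`, which is exactly the kind of leak E's reference semantics rule out, so the example shows the structure of the wrapper, not a Python sandbox. Second, a real wrapper has to be a complete membrane: every widget method that hands back another object (a parent container, a child component, an event source) must return a facet too, or the first unwrapped reference exposes the whole widget graph. That is the "considerable code" Marc refers to; the security discipline is simple, the surface area is not.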