[E-Lang] Re: Java 2 "Security"

Bill Frantz frantz@communities.com
Tue, 02 Jan 2001 15:00:56 -0800

At 01:02 PM 1/2/01 -0700, Marc Stiegler wrote:
>In my admittedly limited practical experiences, I actually haven't found
>much need for stack-frame-based revocation. Once you've given an object a
>power, there is generally no new security issue raised in allowing the
>object to keep the power--not until you are about to grant the object
>yet-another-power: you may not trust the object with both powers at the same
>time even though you trust it with either one by itself (the ability to read
>confidential data and the ability to connect to the Internet, for example).
>So the E machinery allows the following pattern, which stack frame control
>does not:
>powerUser setPower1(revokable1)
>powerUser setPower2(revokable2)
>powerUser usePowers
>revokable1 revoke
>revokable2 revoke
>powerUser setPower3(revokable3)
>#and so on

You do have to worry about:

powerUser setPower1(revokable1)
powerUser setPower2(revokable2)
powerUser usePowers
  [poweruser saves confidential data]
revokable1 revoke
revokable2 revoke
powerUser setPower3(revokable3)
  [poweruser passes confidential data to revokable3]
#and so on

From a security perspective, it is better not to reuse objects this way.
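The following is an added example, not code from the E-Lang thread or from E itself: a minimal revocable forwarder (the caretaker pattern, written here as a Python closure) and a stateful `PowerUser` that mirrors the bracketed steps above. `read_confidential`, `Network`, the audit log and the `CONFIDENTIAL` value are constructed stand-ins for the powers the thread discusses. `reuse_scenario` follows Bill's sequence and shows that revoking `revokable1` and `revokable2` kills the forwarders but not the data the object already saved, so the later `setPower3` grant lets that data reach the network; `fresh_instance_scenario` applies the suggested mitigation of not reusing the object.

```python
# Added example, not from the E-Lang post: a revocable forwarder plus a
# stateful object that retains what it read between grants.
from typing import Any, Callable, List, Optional, Tuple


class Revoked(Exception):
    """Raised when a revoked capability is invoked."""


def make_revocable(target: Callable[..., Any]) -> Tuple[Callable[..., Any], Callable[[], None]]:
    """Return (forwarder, revoke). The forwarder delegates to `target` until
    revoke() is called; afterwards every call raises Revoked."""
    cell: List[Optional[Callable[..., Any]]] = [target]

    def forwarder(*args: Any, **kwargs: Any) -> Any:
        if cell[0] is None:
            raise Revoked("capability has been revoked")
        return cell[0](*args, **kwargs)

    def revoke() -> None:
        cell[0] = None

    return forwarder, revoke


# Constructed stand-ins for the powers in the thread: a confidential reader,
# an audit log (power2) and a network connection (power3).
CONFIDENTIAL = "constructed secret"


def read_confidential() -> str:
    return CONFIDENTIAL


class Network:
    def __init__(self) -> None:
        self.sent: List[str] = []

    def send(self, data: str) -> None:
        self.sent.append(data)


class PowerUser:
    """Handed powers one at a time; keeps state between grants."""

    def __init__(self) -> None:
        self.power1: Optional[Callable[[], str]] = None
        self.power2: Optional[Callable[[str], None]] = None
        self.saved: Optional[str] = None  # survives revocation of power1/2

    def set_power1(self, p: Callable[[], str]) -> None:
        self.power1 = p

    def set_power2(self, p: Callable[[str], None]) -> None:
        self.power2 = p

    def use_powers(self) -> None:
        assert self.power1 is not None and self.power2 is not None
        self.saved = self.power1()  # [poweruser saves confidential data]
        self.power2("used power1")

    def set_power3(self, p: Callable[[str], None]) -> None:
        if self.saved is not None:  # [passes confidential data to revokable3]
            p(self.saved)


def reuse_scenario() -> Tuple[List[str], bool]:
    """Bill's sequence with one reused PowerUser. Returns (what the network
    received, whether the revoked power1 is really dead)."""
    audit: List[str] = []
    net = Network()
    user = PowerUser()

    revocable1, revoke1 = make_revocable(read_confidential)
    revocable2, revoke2 = make_revocable(audit.append)
    user.set_power1(revocable1)
    user.set_power2(revocable2)
    user.use_powers()
    revoke1()
    revoke2()

    try:  # the forwarders are dead ...
        revocable1()
        dead = False
    except Revoked:
        dead = True

    revocable3, _ = make_revocable(net.send)
    user.set_power3(revocable3)  # ... but the saved data still flows out
    return net.sent, dead


def fresh_instance_scenario() -> List[str]:
    """Same grants, but a new PowerUser per grant: nothing carries over."""
    audit: List[str] = []
    net = Network()

    first = PowerUser()
    revocable1, revoke1 = make_revocable(read_confidential)
    revocable2, revoke2 = make_revocable(audit.append)
    first.set_power1(revocable1)
    first.set_power2(revocable2)
    first.use_powers()
    revoke1()
    revoke2()

    second = PowerUser()  # holds no state from `first`
    revocable3, _ = make_revocable(net.send)
    second.set_power3(revocable3)
    return net.sent
```

Revocation here only severs the forwarder's link to its target; it cannot reach into the grantee's own fields, which is exactly why stack-frame or revocation-based control does not help once the object has copied the data.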