[E-Lang] Re: Java 2 "Security"
Scott Smith
scott@cs.jhu.edu
Wed, 03 Jan 2001 12:01:29 -0500
"Jonathan S. Shapiro" wrote:
>
> > > one of the properties of the Java security model is the
> > > ability to temporarily raise a privilege so a more sensitive operation
> > > can be performed. A flag is put on the stack (i.e. in the messaging
> > > wait-for chain) which signifies the point at which a privilege is
> > > raised, and the privilege is raised until that frame is popped (there
> > > are various other aspects of the model I am skipping). To get this
> > > effect in a capability system you need to explicitly pass to each method
> > > call below the point where the privilege was temporarily raised the fact
> > > that this privilege was raised
>
> I think that this is unduly pessimistic, because it neglects the possibility
> of capabilities embedded in closures. One way to achieve what you want is to
> have a procedure that performs the sensitive operation that is "closed over"
> the necessary capability and does not disclose this capability to its
> callers.
>
I agree this is the best alternative in a capability system. But the
problem is if the closure is not sound (it leaks the capability directly
or indirectly) there is no backup mechanism to enforce security. The
stack inspection mechanism is such a backup: even if it were to leak it
would be useless since it's out of scope. More walls, more security.
The main open question in my mind is whether this additional wall
provides enough extra security to make it worth using if there is
already a capability system in place.
Scott
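As an added example (not from the thread), a small JavaScript model of the two mechanisms Scott and Shapiro contrast: a privilege marker that vanishes when its frame is popped, and a sensitive operation closed over a capability, including the leaky-closure case. All names (doPrivileged, makeFileCap, makeAuditLogger) are hypothetical and not Java's actual API.

```javascript
// Hypothetical model, not Java's AccessController: a privilege marker that lives
// on the (modelled) call stack only until its frame unwinds, plus a capability
// object whose sensitive method checks that marker as a backup wall.
const privilegeStack = [];

// Push a marker, run the action, pop in finally so the raised privilege
// cannot outlive the frame (the "until that frame is popped" behaviour).
function doPrivileged(action) {
  privilegeStack.push('PRIVILEGED');
  try {
    return action();
  } finally {
    privilegeStack.pop();
  }
}

function checkPrivileged() {
  if (!privilegeStack.includes('PRIVILEGED')) {
    throw new Error('sensitive operation outside a privileged frame');
  }
}

// Raw capability: a constructed in-memory "file". Only a holder of this
// object can append, and even a holder must be inside a privileged frame.
function makeFileCap() {
  const lines = [];
  return {
    append(line) { checkPrivileged(); lines.push(line); },
    contents() { return lines.slice(); },
  };
}

// Sound closure: performs the operation but never discloses fileCap.
function makeAuditLogger(fileCap) {
  return (event) => doPrivileged(() => fileCap.append(`audit: ${event}`));
}

// Leaky closure: the capability escapes to the caller via the `raw` field.
function makeLeakyLogger(fileCap) {
  return { log: (event) => doPrivileged(() => fileCap.append(event)), raw: fileCap };
}

function demo() {
  const cap = makeFileCap();
  makeAuditLogger(cap)('login');              // inside a privileged frame: allowed
  const leaky = makeLeakyLogger(cap);
  let leakedUseDenied = false;
  try { leaky.raw.append('forged'); }         // leaked cap, frame already popped
  catch (e) { leakedUseDenied = true; }       // the backup wall holds
  return { contents: cap.contents(), leakedUseDenied, capExposed: 'raw' in leaky };
}
```

The leaked capability is genuinely exposed (`capExposed`), yet using it after the privileged frame has unwound is refused, which is the extra wall Scott describes.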