[E-Lang] Re: Hydro & E: Update Syntax

Tyler Close tclose@oilspace.com
Fri, 23 Mar 2001 10:19:51 -0000


Dean wrote:
> 19) Eliminate assignment support for mutable collections.
>
> Sure it's nice, but Java does just fine without, and why encourage
> the style we think has security problems.  OTOH, the security
> problem that I recall was related to the inappropriate inheritance
> structure, not the mutability.  Is there a separate security
> consequence of mutability?  In the E model where the contents of a
> Vat is completely serialized and internally trusted, why should
> mutable collections pose a problem?  Can someone send me a pointer
> to that discussion?

The security issues related to mutability were mostly due to the
message protocol that made it very easy to mistake a mutable
collection for an immutable one, and very difficult to detect this
error.

There are also related security arguments. If you have easily used
mutable collections, then they will be used more than immutable ones.
If you are mostly using mutable collections, then you will not be
inclined to switch to an immutable representation to protect your
mutability from untrusted code. The main example is a class which uses
an array to store its associations, and just passes out that array to
code that wants to inspect the associations.

The most obvious ways in which to use mutable collections are highly
insecure. They are fail-open rather than fail-safe.

Tyler
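The fail-open pattern Tyler describes (a class that stores its associations in a collection and simply hands that collection out to inspecting code), beside a fail-safe variant that hands out a read-only view, as an added Python example that is not from the thread; the class and function names are assumptions.

```python
# Added example, not code from the E-Lang thread. Names are hypothetical.
from types import MappingProxyType


class LeakyRegistry:
    """Fail-open: returns its own mutable dict, so any reader can rebind entries."""

    def __init__(self):
        self._assoc = {}

    def bind(self, name, capability):
        self._assoc[name] = capability

    def associations(self):
        return self._assoc  # the internal collection itself escapes


class SafeRegistry:
    """Fail-safe: readers get a live read-only view; only bind() mutates."""

    def __init__(self):
        self._assoc = {}
        self._view = MappingProxyType(self._assoc)

    def bind(self, name, capability):
        self._assoc[name] = capability

    def associations(self):
        return self._view  # reads work, writes raise TypeError


def untrusted_inspector(assocs):
    """Code that was only meant to read, but tries to rebind 'admin'."""
    try:
        assocs["admin"] = "substituted-cap"
        return True   # mutation succeeded: a mutable collection leaked
    except TypeError:
        return False  # mutation rejected by the read-only view


def demo(registry_cls):
    """Bind one entry, hand the collection to the inspector, report the outcome."""
    reg = registry_cls()
    reg.bind("admin", "real-cap")
    mutated = untrusted_inspector(reg.associations())
    return mutated, reg.associations()["admin"]
```

With the leaky registry the inspector silently rewires the binding; with the safe one the attempt fails loudly and the original binding survives.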