[e-lang] Auditors
David Hopwood
david.hopwood at industrial-designers.co.uk
Wed May 30 12:32:12 EDT 2007
Stephan van Staden wrote:
> I have a couple of questions regarding auditors:
>
> Suppose I create a discriminating, not closely held auditor x in Vat A.
> Does "not closely held" mean that references to x are made freely
> available, such that Vat B can call x <- audit(script)? Will the result
> of the audit then be recorded in Vat B such that a guard in Vat B can
> use local information? As I have it, x may also cache auditing results
> in Vat A, e.g. if it is functional and the script has an empty syntactic
> environment. Suppose that an object o in Vat B passed an audit by x. If
> a reference to o is then sent to Vat C, will this reference install
> information regarding its x audit in Vat C? Can Vat C trust Vat B on the
> results of the audit? Suppose now that x is instead PassByCopy and that
> Vat B can execute the audit locally. To what extent can Vat B trust
> that x is auditing what it claims to audit? In other words, is there an
> auditing system for auditors? Perhaps a bit more radical: is
> vat-auditing a possibility?
I don't know the answers for E-on-Java or E-on-CL's current auditing
systems. In general, though, I would expect that it is only secure to
share cached auditing results between vats implemented by the same
TCB. In that case the caching could be a transparent optimization,
because the shared TCB can determine that the auditors in different
vats would compute the same result, if they have the same code and
inputs.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>