[e-lang] What is defensive consistency?
Bill Frantz
frantz at pwpconsult.com
Fri Nov 2 21:48:12 EDT 2007
daw at cs.berkeley.edu (David Wagner) on Friday, November 2, 2007 wrote:
>The part I find tricky is that the server can't know what capability
>was used to invoke it. So what is the poor developer who has to write
>the server code supposed to do?
In KeyKOS, we used two patterns to handle these cases.
The first pattern was for simple objects, where different users shared an EQ
capability to the object. Here the programmer had to be very careful to not allow
input from the caller to corrupt the object. An example was the CLOCK
object <http://www.agorics.com/Library/KeyKos/Gnosis/132.html#clock>.
The other pattern was the factory pattern. When the object was first
invoked, a new instance was created from a factory call, and it assumed that
it would only be used by one "client". Other instances would not be
affected by input-induced misbehavior in that instance. An example is the
"TYPE" object. (Note that the manual reference to it from the index is
broken.) This object took as a parameter another object and attempted to
treat it as a "file" and display its contents on an output key. The
protocol for calling it included a factory invocation to make a new
instance, which could die if the parameter object was ill-behaved,
without affecting other calls.
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz |"We used to quip that "password" is the most common
408-356-8506 | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier
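The two patterns from the post above, as an added illustration in Python; this is not code from the e-lang post, from KeyKOS or from E, and the class and method names (SharedClock, TypeViewer, TypeFactory, read_chunks) are hypothetical. The first class is the shared-object pattern: one instance reachable by every holder of the capability, so every operation must validate its input before mutating state. The second is the factory pattern: each client gets its own instance bound to one untrusted "file" object, and that object's misbehavior kills only that instance.

```python
# Added example, not KeyKOS code. Names are hypothetical stand-ins for the
# CLOCK and TYPE objects discussed in the post.

class SharedClock:
    """Pattern 1: one instance shared by all callers. Validate, then mutate,
    so a hostile caller cannot rewind the clock or leave a half-applied
    update for the next caller."""

    def __init__(self):
        self._now = 0        # monotonic tick counter
        self._alarms = []    # sorted list of (deadline, label)

    def now(self):
        return self._now

    def set_alarm(self, deadline, label):
        if not isinstance(deadline, int) or isinstance(deadline, bool):
            raise ValueError("deadline must be an int")
        if not isinstance(label, str) or not 0 < len(label) <= 64:
            raise ValueError("label must be a non-empty string of at most 64 chars")
        self._alarms.append((deadline, label))
        self._alarms.sort()

    def advance(self, ticks):
        """Move time forward; return labels of alarms that fired."""
        if not isinstance(ticks, int) or isinstance(ticks, bool) or ticks < 0:
            raise ValueError("ticks must be a non-negative int")  # reject before touching state
        self._now += ticks
        fired = [label for deadline, label in self._alarms if deadline <= self._now]
        self._alarms = [a for a in self._alarms if a[0] > self._now]
        return fired


class TypeViewer:
    """Pattern 2: a factory-created instance bound to exactly one untrusted
    'file' object. Nothing is shared with sibling instances, so a bad
    parameter can only take this instance down."""

    def __init__(self, file_obj):
        self._file = file_obj
        self._dead = False

    def is_dead(self):
        return self._dead

    def display(self):
        """Read the 'file' and return its bytes (the 'output key')."""
        if self._dead:
            raise RuntimeError("this TypeViewer instance has died")
        out = []
        try:
            for chunk in self._file.read_chunks():
                if not isinstance(chunk, bytes):
                    raise TypeError("file object returned a non-bytes chunk")
                out.append(chunk)
        except Exception:
            self._dead = True   # only this instance dies
            raise
        return b"".join(out)


class TypeFactory:
    """Hands each client its own TypeViewer; shares nothing but a counter."""

    def __init__(self):
        self.instances_created = 0

    def create(self, file_obj):
        self.instances_created += 1
        return TypeViewer(file_obj)


# Constructed sample 'file' objects for the demo.
class GoodFile:
    def __init__(self, data):
        self._data = data

    def read_chunks(self):
        for i in range(0, len(self._data), 4):
            yield self._data[i:i + 4]


class HostileFile:
    """Breaks the protocol mid-stream by yielding a str instead of bytes."""
    def read_chunks(self):
        yield b"ok"
        yield "not bytes"


def demo():
    clock = SharedClock()
    clock.set_alarm(5, "backup")
    try:
        clock.advance(-10)        # hostile caller tries to rewind the shared clock
    except ValueError:
        pass
    fired = clock.advance(5)      # honest caller still sees consistent state

    factory = TypeFactory()
    good = factory.create(GoodFile(b"hello world"))
    bad = factory.create(HostileFile())
    first = good.display()
    try:
        bad.display()
        bad_failed = False
    except TypeError:
        bad_failed = True
    second = good.display()       # unaffected by its dead sibling
    return {"now": clock.now(), "fired": fired, "good": first, "good_again": second,
            "bad_failed": bad_failed, "bad_dead": bad.is_dead(),
            "instances": factory.instances_created}
```

Running `demo()` shows both properties: the rejected rewind leaves the shared clock exactly where honest callers expect it, and the viewer fed a hostile file dies while the viewer created from the same factory keeps working.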