[e-lang] How to implement or test this CapTP detail neatly?

Kevin Reid kpreid at mac.com
Tue Sep 18 21:20:27 EDT 2007


In my CapTP implementation, it is possible to amplify a CapTP proxy  
with an unsealer specific to that connection to retrieve the  
IncomingPos for that proxy. This is used for serializing a proxy when  
it occurs in a message going over its own connection (as IncomingDesc).

The problem with this implementation is that a malicious local ref  
can replay a proxy's __optSealedDispatch response after the proxy has  
been GCed, thus causing it to possibly be unserialized on the other  
side as some unrelated object.

So, the sealed box needs to be less powerful. I've thought of several  
solutions.


1. Retain the proxy as part of the contents of the sealed box so that  
the position cannot be reused while the box lives.

I like this one, but I see no way to *test* it, short of running the  
tested CapTP system in a vat which is guaranteed to have a precise  
garbage collector.


2. The sealed box unseals to something which can provide the position  
and is revoked when the position is GCed.


3. The sealed box unseals to [proxy, position] and the amplifier  
rejects it if the contained proxy is not the same as the amplified  
reference.

This is the same as #1 with an additional check; this can be tested  
for with the faked GC I already use in my tests.


Are there any other interesting methods?

What's the best way to handle the problem?

Is there a general method for avoiding producing bugs like this?

Are there additional benefits to the check in #3, which prohibits an  
arbitrary ref from serializing like a proxy belonging to this  
connection?

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>
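An added illustration of the replay described above and of the check in option #3, written as a small Python model for this page; it is not Kevin's implementation and not E code. Brand, Connection, Proxy, ReplayingRef and the position numbers are hypothetical stand-ins for the E sealer/unsealer pair, the connection's incoming table, a CapTP proxy and the post's "malicious local ref"; garbage collection is faked with an explicit release(), as the post says its tests do.

```python
"""Model of the CapTP proxy-amplification replay (example code, not E-lang)."""
import itertools


class Brand:
    """Stand-in for an E sealer/unsealer pair: boxes carry the brand and
    only the matching unseal() opens them.  Holding the brand lets anyone
    ask a proxy for its box; only the connection can open it."""

    class Box:
        __slots__ = ("brand", "_contents")

        def __init__(self, brand, contents):
            self.brand = brand
            self._contents = contents

    def __init__(self, name):
        self.name = name

    def seal(self, contents):
        return Brand.Box(self, contents)

    def unseal(self, box):
        if not isinstance(box, Brand.Box) or box.brand is not self:
            raise TypeError("box was not sealed by this brand")
        return box._contents


class Proxy:
    """A CapTP proxy imported on one connection at one IncomingPos."""

    def __init__(self, conn, position):
        self.conn = conn
        self.position = position

    def opt_sealed_dispatch(self, brand):
        if brand is not self.conn.brand:
            return None
        if self.conn.checked:
            # option #3: box holds [proxy, position]
            return brand.seal((self, self.position))
        return brand.seal(self.position)  # naive: position only


class ReplayingRef:
    """Malicious local object that replays a box it saved earlier."""

    def __init__(self, stolen_box):
        self.box = stolen_box

    def opt_sealed_dispatch(self, brand):
        return self.box


class Connection:
    def __init__(self, checked):
        self.checked = checked          # True => option #3 amplifier check
        self.brand = Brand("captp-connection")
        self._table = {}                # position -> Proxy (incoming table)
        self._free = []                 # positions freed by (faked) GC
        self._next = itertools.count(1)

    def import_proxy(self):
        pos = self._free.pop() if self._free else next(self._next)
        proxy = Proxy(self, pos)
        self._table[pos] = proxy
        return proxy

    def release(self, proxy):
        """Faked GC: forget the proxy and allow its position to be reused."""
        del self._table[proxy.position]
        self._free.append(proxy.position)

    def encode(self, ref):
        """Serialize ref for this connection; returns the IncomingDesc position."""
        box = ref.opt_sealed_dispatch(self.brand)
        if box is None:
            raise ValueError("ref is not a proxy of this connection")
        contents = self.brand.unseal(box)
        if not self.checked:
            return contents
        proxy, pos = contents
        if proxy is not ref:            # the #3 check
            raise ValueError("sealed box does not belong to the amplified ref")
        return pos


def run_replay(checked):
    """Returns (encoded position, position of the unrelated proxy) on success,
    or None when the amplifier rejects the replayed box."""
    conn = Connection(checked)
    victim = conn.import_proxy()                       # position 1
    stolen = victim.opt_sealed_dispatch(conn.brand)    # brand is not secret
    attacker = ReplayingRef(stolen)
    conn.release(victim)                               # faked GC of the proxy
    unrelated = conn.import_proxy()                    # reuses position 1
    try:
        return conn.encode(attacker), unrelated.position
    except ValueError:
        return None


def encode_live_proxy(checked):
    conn = Connection(checked)
    return conn.encode(conn.import_proxy())


if __name__ == "__main__":
    print("naive:", run_replay(checked=False))    # attacker encodes as position 1
    print("checked:", run_replay(checked=True))   # None: replay rejected
```

In the naive mode the replayed box decodes to a position now owned by an unrelated proxy, which is the confusion the post describes. With the box holding [proxy, position], a precise collector could never reach this state, because the box retains the proxy; the faked release() ignores that retention, which is exactly why the identity check in #3 is what a test with a faked GC can observe.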