[e-lang] A broken brand?

Sandro Magi naasking at higherlogics.com
Wed Mar 5 10:27:22 EST 2008

David Wagner wrote:
>> I don't see a way to have
>> employed a type system so that MarcS pattern with the bug fails to
>> type check but without the bug passes the type check.
> I don't understand this distinction.  Suppose that unseal() used a guard
> to check that its box argument is of type Box, where Box is a trusted
> type defined by Brand that cannot be subclassed.  Then we'd know that we
> can rely upon the behavior of the call to box(): that invocation cannot
> trigger the execution of untrusted code.  Unless I've missed something, it
> seems like this would suffice to render the code safe against my attack.

MarkM clarified in a follow-up: types wouldn't have helped if you want 
to retain transparent intermediation. A naive approach to encoding the 
sealer/unsealer using types to thwart this attack would interfere with 
such intermediation. A more sophisticated encoding might work, but I 
haven't thought much about it. Then again, intermediation is not always 
a good thing, so perhaps this is one of those cases.


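The trade-off in this thread, rendered as a runnable JavaScript example. This is an added illustration, not the E code that MarcS, David Wagner or MarkM were discussing, and it does not reproduce the specific attack from the thread, which this message does not show. It assumes the common "shared slot" encoding of a sealer/unsealer (unseal() asks the box to write its contents into a slot only the brand can see), uses a WeakSet of genuine boxes as a stand-in for Wagner's "box must be of the trusted, unsubclassable type Box" guard, and uses a minimal Proxy as a stand-in for a transparent membrane. The function names, the slot variable and the membrane are all mine.

```javascript
// Added example, not from the e-lang thread. Shows (1) that an unguarded
// unseal() runs code supplied by its caller, (2) that a guard on the box's
// identity stops that, and (3) that the same guard rejects a box reached
// through a transparent proxy, i.e. it breaks intermediation.

// Unguarded brand: unseal() calls a method on whatever it is handed.
function makeBrand() {
  let shared = null;                     // slot only a genuine box can write
  const seal = (value) => ({
    shareContents() { shared = value; }  // closes over the private slot
  });
  const unseal = (box) => {
    shared = null;
    box.shareContents();                 // caller-supplied code runs here
    const result = shared;
    shared = null;
    return result;
  };
  return { seal, unseal };
}

// Guarded brand: stand-in for "box must be of trusted type Box". Genuine
// boxes are recorded at seal() time; anything else is rejected before any
// of its code can run.
function makeGuardedBrand() {
  let shared = null;
  const genuine = new WeakSet();
  const seal = (value) => {
    const box = { shareContents() { shared = value; } };
    genuine.add(box);
    return box;
  };
  const unseal = (box) => {
    if (!genuine.has(box)) throw new TypeError('not a genuine box');
    shared = null;
    box.shareContents();                 // only trusted code reaches here
    const result = shared;
    shared = null;
    return result;
  };
  return { seal, unseal };
}

// Minimal membrane (assumption): forwards method calls through a Proxy.
// A real membrane also wraps arguments and results; this is just enough
// to show that a proxied box is a different object from the box it wraps.
function membrane(target) {
  return new Proxy(target, {
    get(t, prop) {
      const v = Reflect.get(t, prop, t);
      return typeof v === 'function' ? (...args) => v.apply(t, args) : v;
    },
  });
}

// (1) Caller-supplied code runs inside the unguarded unseal().
function untrustedCodeRunsInUnguardedUnseal() {
  const { unseal } = makeBrand();
  let ran = false;
  const fake = { shareContents() { ran = true; } };   // constructed fake box
  const result = unseal(fake);
  return { ran, result };                // { ran: true, result: null }
}

// (2) The guard rejects the fake box before its code runs.
function untrustedCodeRunsInGuardedUnseal() {
  const { unseal } = makeGuardedBrand();
  let ran = false;
  const fake = { shareContents() { ran = true; } };
  let rejected = false;
  try { unseal(fake); } catch (e) { rejected = e instanceof TypeError; }
  return { ran, rejected };              // { ran: false, rejected: true }
}

// (3) Transparent intermediation: a proxied genuine box still unseals
// with the unguarded brand, but the guarded brand cannot tell it from a fake.
function intermediatedBoxUnguarded() {
  const { seal, unseal } = makeBrand();
  return unseal(membrane(seal('secret')));            // 'secret'
}

function intermediatedBoxGuarded() {
  const { seal, unseal } = makeGuardedBrand();
  try { return unseal(membrane(seal('secret'))); }
  catch (e) { return e instanceof TypeError ? 'rejected' : 'unexpected'; }  // 'rejected'
}
```

The point MarkM makes in the follow-up falls out of (3): the identity guard that keeps untrusted code out of unseal() is exactly the check a membrane cannot pass, because a proxy is never the same object as the box it wraps. A more sophisticated encoding would have to let the brand recognise a proxied box without invoking arbitrary code on it.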