[e-lang] A broken brand?
naasking at higherlogics.com
Wed Mar 5 10:27:22 EST 2008
David Wagner wrote:
>> I don't see a way to have
>> employed a type system so that MarcS pattern with the bug fails to
>> type check but without the bug passes the type check.
> I don't understand this distinction. Suppose that unseal() used a guard
> to check that its box argument is of type Box, where Box is a trusted
> type defined by Brand that cannot be subclassed. Then we'd know that we
> can rely upon the behavior of the call to box(): that invocation cannot
> trigger the execution of untrusted code. Unless I've missed something, it
> seems like this would suffice to render the code safe against my attack.
MarkM clarified in a follow-up: types wouldn't have helped if you want
to retain transparent intermediation. A naive approach to encoding the
sealer/unsealer using types to thwart this attack would interfere with
such intermediation. A more sophisticated encoding might work, but I
haven't thought much about it. Then again, intermediation is not always
a good thing, so perhaps this is one of those cases.
More information about the e-lang