Security in Self

David Ungar David.Ungar at Eng.Sun.COM
Tue Apr 12 08:55:45 UTC 1994

Interesting, but since the granularity is objects instead of methods or
it may be that this exact proposal is a better match for preventing one
user from corrupting
another's data that for the maintenance of invarients.

Thanks for the thoughts!

-- Dave

At 10:14 PM 4/12/94 +0100, I.R.Woollard at wrote:
>>Do you mean saying
>>a) "I am X and I may access A, B, ...
>>   (regardless of what A, B, ... specifies)"
>>instead of
>>b) "I am A and I grant access to X, Y, ..."?
>I think that a) is true! But that X needs proof!
>For security, Self lacks:
>1 - privacy of slots to access by "self" only.
>2 - knowledge of what object called this one ("sender")
>3.- some way to call the object that was found to contain the method
>that is now running ("receiver"). (This prevents inheritance doing
>horrible things, see later... )
>Half baked example, given these changes are done:
>"classPoint" here is an object representing the class of objects that
>can do assignment to points. It is publically accessible via a global
>point =
>(| parent* = traits certificated.
>   x = (myX).
>   y = (myY).
>   x: anX y: aY cert: aCert = ( classPoint checkCert: aCert From: sender
>                                ifTrue: [myX: anX myY: anY]).
>   _ myX <- 0.
>   _ myY <- 0.
>   certificate <- nil.
>Certificates slots are - the object being certified
>                       - the class that it is certifying the object is a
>member of
>                       - a private secret shared between certificate and class
>                         membership, of the calling object to the group that
>                         certificate says the object belongs.
>certificate point =
>(| _ owner = point.
>   _ memberOf = class.
>   _ secret = (someobject).
>   getSecret = ((sender = receiver memberOf) ifTrue: [secret] False: [nil].
>Point is then modified by the UI, which we assume is in the class that
>is allowed to make new certificates of point...
>point certificate: (pointCertificate copy: point)
>Example of classPoint implementation:
>class = (| _ secret = (someobject).
>           checkCert: aCertificate From: anObject =
>             ( (anObject = aCert owner)
>               && (secret = aCert getSecret) )
>The point is that nothing except a certificate or the class itself can
>ever get ahold of the secret, and only the class gives out
>certificates about itself. Anybody may get a pointer to a certificate,
>but because it doesn't refer to them, it doesn't help.
>Generating cerificates left as an exercise to the reader...
>p.s. I have a paper that discusses the distributed case, its pretty similar,
>uses public key encryption instead of secrets.
>p.p.s. after all this the image had better be written out in rwx......
>with root permissions!

More information about the Self-interest mailing list