Security in Self
David.Ungar at Eng.Sun.COM
Tue Apr 12 08:55:45 UTC 1994
Interesting, but since the granularity is objects instead of methods or
it may be that this exact proposal is a better match for preventing one
user from corrupting
another's data that for the maintenance of invarients.
Thanks for the thoughts!
At 10:14 PM 4/12/94 +0100, I.R.Woollard at bnr.co.uk wrote:
>>Do you mean saying
>>a) "I am X and I may access A, B, ...
>> (regardless of what A, B, ... specifies)"
>>b) "I am A and I grant access to X, Y, ..."?
>I think that a) is true! But that X needs proof!
>For security, Self lacks:
>1 - privacy of slots to access by "self" only.
>2 - knowledge of what object called this one ("sender")
>3.- some way to call the object that was found to contain the method
>that is now running ("receiver"). (This prevents inheritance doing
>horrible things, see later... )
>Half baked example, given these changes are done:
>"classPoint" here is an object representing the class of objects that
>can do assignment to points. It is publically accessible via a global
>(| parent* = traits certificated.
> x = (myX).
> y = (myY).
> x: anX y: aY cert: aCert = ( classPoint checkCert: aCert From: sender
> ifTrue: [myX: anX myY: anY]).
> _ myX <- 0.
> _ myY <- 0.
> certificate <- nil.
>Certificates slots are - the object being certified
> - the class that it is certifying the object is a
> - a private secret shared between certificate and class
> membership, of the calling object to the group that
> certificate says the object belongs.
>certificate point =
>(| _ owner = point.
> _ memberOf = class.
> _ secret = (someobject).
> getSecret = ((sender = receiver memberOf) ifTrue: [secret] False: [nil].
>Point is then modified by the UI, which we assume is in the class that
>is allowed to make new certificates of point...
>point certificate: (pointCertificate copy: point)
>Example of classPoint implementation:
>class = (| _ secret = (someobject).
> checkCert: aCertificate From: anObject =
> ( (anObject = aCert owner)
> && (secret = aCert getSecret) )
>The point is that nothing except a certificate or the class itself can
>ever get ahold of the secret, and only the class gives out
>certificates about itself. Anybody may get a pointer to a certificate,
>but because it doesn't refer to them, it doesn't help.
>Generating cerificates left as an exercise to the reader...
>p.s. I have a paper that discusses the distributed case, its pretty similar,
>uses public key encryption instead of secrets.
>p.p.s. after all this the image had better be written out in rwx......
>with root permissions!
More information about the Self-interest