bruant.d at gmail.com
Fri Jan 6 01:31:29 PST 2012
On 06/01/2012 06:03, Mark S. Miller wrote:
> Such a built in memoization, whether by boundTo or this enhancement to bind itself, creates a fatal ambient communications channel.
> // initSES initialization, freezing all built in primordials other than the true global
> // load Alice as a confined object graph
> // load Bob as a confined object graph. Alice and Bob should not be able to communicate
> // Covert channels mean we might not be able to prevent them from communicating bits
> // But we must certainly prevent capability leaks
> Alice says
> Object.boundTo(Object).foo = capabilityBobShouldntGet;
> Object.bind(Object).foo = capabilityBobShouldntGet;
> Bob says
> var HAH = Object.boundTo(Object).foo;
> var HAH = Object.bind(Object).foo;
> David's WeakMap approach elegantly avoids this problem, because Alice and Bob can only communicate if they already share access to this WeakMap, in which case they could already communicate anyway.
Are you talking about https://gist.github.com/1567494 ?
Because I think I have the same issue. I think I faithfully implemented
what Andrea described.
Everyone with access to Object.prototype.boundTo has (implicitly) access to the WeakMap, so the capability leak you describe remains in my example, I think.
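The two bind variants from Mark's scenario run side by side in Node.js, as an added example that is not code from this thread or from the gist David links. The names `makeMemoizedBind`, `freshBind`, `leaksCapability` and `demo` are chosen here, and the memoized `boundTo` takes the bound `this` as an explicit second argument instead of hanging off `Object.prototype`; the capability value is a constructed placeholder. The third case, one cache per party, is the situation Mark describes as harmless: the parties can only "communicate" through a cache they already both hold.

```javascript
'use strict';

// A memoizing bind of the kind the thread discusses: the same (target, thisArg)
// pair always yields the same bound function object. The cache is a WeakMap,
// but the WeakMap is reachable by everyone who can call boundTo, which is the
// point David raises about Object.prototype.boundTo.
function makeMemoizedBind() {
  const cache = new WeakMap(); // target -> WeakMap(thisArg -> bound function)
  return function boundTo(target, thisArg) {
    let perTarget = cache.get(target);
    if (perTarget === undefined) {
      perTarget = new WeakMap();
      cache.set(target, perTarget);
    }
    let bound = perTarget.get(thisArg);
    if (bound === undefined) {
      bound = target.bind(thisArg);
      perTarget.set(thisArg, bound);
    }
    return bound;
  };
}

// What Function.prototype.bind does today: a fresh function object on every call.
function freshBind(target, thisArg) {
  return target.bind(thisArg);
}

// Two confined parties that share nothing except the primordials and the
// bind-like function each is handed. Alice stashes a capability on the bound
// function she receives; Bob asks for the bound function for the same
// arguments and checks whether the capability arrived.
function leaksCapability(aliceBoundTo, bobBoundTo) {
  const capability = Object.freeze({ name: 'constructed-capability' }); // constructed sample value
  // Alice's side: a bound function is an ordinary extensible object, so this
  // assignment would succeed even if Object itself were frozen, as under SES.
  aliceBoundTo(Object, Object).foo = capability;
  // Bob's side
  return bobBoundTo(Object, Object).foo === capability;
}

const sharedBoundTo = makeMemoizedBind(); // one primordial-level cache for everyone

function demo() {
  return {
    // bind as it exists: each call returns a new function, so no channel.
    fresh: leaksCapability(freshBind, freshBind),                            // false
    // Memoized boundTo reachable by both parties: Alice's property is Bob's property.
    sharedMemoized: leaksCapability(sharedBoundTo, sharedBoundTo),           // true
    // Memoization with a cache each party holds privately: nothing crosses.
    separateCaches: leaksCapability(makeMemoizedBind(), makeMemoizedBind()), // false
  };
}

console.log(demo());
```

The leak needs no cooperation from the target: `Object` is never mutated, only the bound function that the shared cache hands to whoever asks for the same arguments. A confinement review of any such memoizing API should therefore ask who can reach the cache, not whether the cached objects themselves are frozen.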