Mark S. Miller
erights at google.com
Fri Jan 6 08:43:13 PST 2012
On Fri, Jan 6, 2012 at 8:31 AM, David Bruant <bruant.d at gmail.com> wrote:
> On 06/01/2012 06:03, Mark S. Miller wrote:
>> Such a built in memoization, whether by boundTo or this enhancement to
>> bind itself, creates a fatal ambient communications channel.
>> // initSES initialization, freezing all built in primordials other
>> // than the true global
>> // load Alice as a confined object graph
>> // load Bob as a confined object graph. Alice and Bob should not be
>> // able to communicate
>> // Covert channels mean we might not be able to prevent them from
>> // communicating bits
>> // But we must certainly prevent capability leaks
>> Alice says
>> Object.boundTo(Object).foo = capabilityBobShouldntGet;
>> Bob says
>> var HAH = Object.boundTo(Object).foo;
> If Alice and Bob have been loaded as confined object graphs, they could
> both be exposed different objects for what each refer to as "Object", no?
It depends on the intentions of the party that instantiated the confined
Alice and Bob -- call her Carol the Confiner, or simply Carol.
If Carol wants to have a rich interaction with Alice and Bob, then she will
typically want Alice, Bob, and Carol to all exist within a single SES
context (frame) and thereby share the same Object. That way, none of them
have to worry about the weird and complex behavior of, for example,
instanceof, when computing across multiple frames.
Very concretely, Carol will want to have the same Object as Alice, and to
have the same Object as Bob. Therefore, Alice and Bob will have the same
Object as each other. Sharing Object and the other accessible built-in
primordials (i.e., all the primordials except the global object) is safe in
SES because the accessible primordial state contains no communications
channels. To a first approximation, it contains no mutable state at all.
The only exceptions are Date.now(), Date(), and Math.random(), none of
which creates a communications channel.
> Ps: by the way, what does "HAH" mean?
It is Bob's evil laugh, as Alice and Bob have successfully conspired to
leak capabilityBobShouldntGet to Bob.
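The leak described in this thread, modelled as an added example (not code from the es-discuss thread or from SES itself): a memoizing `boundTo(fn, thisArg)` hands every caller the same bound-function object, so an expando property on it becomes a shared channel between two otherwise confined parties; a non-memoizing, frozen variant does not. The `boundTo` signature and the frozen `Primordial` stand-in for the SES-frozen `Object` are assumptions of this example.

```javascript
// Hypothetical memoizing boundTo, modelling the proposed bind enhancement:
// one bound wrapper is cached per (function, receiver) pair and returned
// to every caller. The wrapper itself is an ordinary extensible object.
function makeMemoizedBoundTo() {
  const cache = new WeakMap(); // fn -> Map(thisArg -> cached bound fn)
  return function boundTo(fn, thisArg) {
    let perFn = cache.get(fn);
    if (!perFn) { perFn = new Map(); cache.set(fn, perFn); }
    let bound = perFn.get(thisArg);
    if (!bound) { bound = fn.bind(thisArg); perFn.set(thisArg, bound); }
    return bound;
  };
}

// Non-memoizing variant: each call yields a fresh, frozen bound function,
// so no state survives from one caller to the next.
function freshBoundTo(fn, thisArg) {
  return Object.freeze(fn.bind(thisArg));
}

// Stand-in for the frozen primordial Object that SES gives both parties
// (constructed here so the real global Object is left untouched).
const Primordial = Object.freeze(function Primordial() {});

// Alice and Bob share only Primordial and boundTo. Returns true if the
// capability Alice stashed is readable by Bob, i.e. a channel exists.
function runScenario(boundTo) {
  const capabilityBobShouldntGet = { secret: 'constructed capability' };
  const alice = () => { boundTo(Primordial, Primordial).foo = capabilityBobShouldntGet; };
  const bob = () => boundTo(Primordial, Primordial).foo;
  try { alice(); } catch (e) { /* frozen wrapper: write rejected in strict mode */ }
  return bob() === capabilityBobShouldntGet;
}
```

Freezing the primordials alone is not enough: any new mutable object that two confined graphs can both reach through the shared primordials, such as the memoized wrapper here, reopens the channel.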