direct_proxies "problem"

David Bruant bruant.d at
Sat Jan 12 15:33:52 PST 2013

Le 13/01/2013 00:09, Nathan Wall a écrit :
> hmm.. I just realized that B doesn't have direct access to O. So even if B does have access to M, trying to get N from P[M] would expose N to the membrane.
Yes and once the membrane has captured N, it has to search again if some 
object use in A<--->B communication has an N property... and restart all 
over if an object does and has another private name attached.
Theoretically, the membrane can always be one step ahead of the private 
communication. Practically, it costs a lot without the 
unknownPrivateSymbol trap.

> So perhaps I don't understand your original dilemma?
For this scenario, we've proven that unknownPrivateSymbol is not 
absolutely necessary, but not having it would result in a huge runtime 
cost and there is a (minor) risk of bug in the private property search 
that could compromise the security. So, I think that even if it's not 
absolutely necessary for this scenario, the unknownPrivateSymbol trap is 
a good thing.

I have described one scenario where the unknownPrivateSymbol isn't 
strictly necessary. Maybe there are other where it is (I can't think of 
any now, but I don't know if there is none either)

> (Forgive me if I'm making you repeat past discussions for my sake. It's not my intention to just make you explain things to me that the rest of the list already understands.)
Proxies and private symbols are both new features. I don't recall this 
kind of questions happened on the list too much, so I think it's 
beneficial for everyone to have this discussion on the list.


> Nathan
>> Here's how I'm imagining it: So if A shares object O with B, the membrane may wrap O in proxy P. O may have a private symbol properties M and N, where the property for symbol M actually points to symbol N:
>> let O = { },
>> M = new Symbol(true/* private */),
>> N = new Symbol(true/* private */);
>> O[M] = N;
>> O[N] = null;
>> When A shares O with B, the membrane will not be able to see either one of these symbols.
>> Let's assume no `unknownPrivateSymbol` trap.
>> The objects cannot yet communicate without the membrane knowing because B does not know O's private symbols.
>> Later if A shares private symbol M with B, the membrane will intercept the symbol and add it to the whitelist before passing it along. Now the membrane knows about M but it can only learn about N by searching all previous communications for M. The membrane could in theory discover N by searching previous communications for M and finding N in O. I agree with you though that this is a pretty huge overhead for the membrane to have to do, so let's look for another way.
>> If the membrane fails to search O for M, then B can discover N under-the-hood -- that is, B gets access to a private symbol that the membrane doesn't have on its whitelist.
>> However, what if the membrane, instead of passing along M, creates a new private symbol M2, and this is the actual symbol shared with B. Now if B checks O for property M2 it will not be able to uncover the symbol N. The membrane adds M2 to its whitelist and anytime B tries to send M2 back to A, the membrane converts it to M (and vice versa). Therefore, A always sees only symbol M and B always sees only symbol M2.
>> Does this work and allow us to do without `unknownPrivateSymbol`?
>> (An even easier alternative is that the membrane could prevent sharing private symbols.)
>> Nathan
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at

More information about the es-discuss mailing list