rlpowell@digitalkingdom.org (Robin Lee Powell) writes:
> So, I'm writing a MUD in Oz. This means that I have to assume that any
> given object in the MUD could have been written by an arbitrarily
> malicious person. But I still want to allow potentially destructive
> things to occur.
The way we always intended security to be enforced is through
controlled means of resource acquisition. There is nothing very
damaging that code can do unless it can get its hands on system
specific resources (e.g. module OS). In order to obtain such
resources, any agent must negotiate with the hosting system, typically
via the mediation of a module manager.
Thus, the idea is that you can hand over to an untrusted agent a
special module manager which is secure and gives out only restricted
versions of dangerous modules. We haven't yet experimented very much
with this idea and the little experimentation that took place revealed
that the current API of the module manager is not yet conveniently
suited to the derivation of more secure managers by subclassing.
I have a better design in mind, but I must first attend to the
resolver, which itself requires better and extendible support for net
protocols, which itself requires non-blocking support for potentially
blocking system calls like connect, for which I already have a working
design and implementation for POSIX which Leif is keen to adapt for
Windows. pfff! there is a bit of a snowball effect :-)
This work will proceed when I get back from vacation.
Cheers,
PS: what we will never have is Java's brain-dead call-chain-based
security mechanism, sorry (except we're not :-)
PPS: your alternative suggestion of using delegation to implement
security conscious resource access is also quite viable. You might
consider parametrizing the process with an explicit (but secure)
representation of capabilities.
--
Dr. Denys Duchier                     Denys.Duchier@ps.uni-sb.de
Forschungsbereich Programmiersysteme (Programming Systems Lab)
Universitaet des Saarlandes, Geb. 45  http://www.ps.uni-sb.de/~duchier
Postfach 15 11 50                     Phone: +49 681 302 5618
66041 Saarbruecken, Germany           Fax:   +49 681 302 5615

- Please send submissions to users@mozart-oz.org and administrivia mail to users-request@mozart-oz.org. The Mozart Oz web site is at http://www.mozart-oz.org/.
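Editor's note: the design sketched in the mail (no ambient access to system modules; an untrusted agent must ask the module manager it was handed, and a restricted manager hands out attenuated versions of dangerous modules, which is the same thing as passing an explicit capability) is modelled below. This is an added example written in Python, not Oz, and it is not Mozart code: `FullOS`, `ModuleManager`, `RestrictedManager`, `attenuate_os` and `agent` are illustrative names assumed here, not Mozart's `Module.manager` API.

```python
"""Added model (Python, not Oz) of capability-style resource acquisition.
Untrusted code gets no ambient authority; everything it can do comes from
the manager object it is handed.  All class/function names are assumptions
for illustration, not Mozart APIs."""
import os
import tempfile


class Denied(Exception):
    """Raised when an agent asks for something its manager will not grant."""


class FullOS:
    """Stand-in for an unrestricted system module (think Mozart's module OS):
    whoever holds this object can touch any path on the host."""

    def read(self, path):
        with open(path) as f:
            return f.read()

    def write(self, path, data):
        with open(path, "w") as f:
            f.write(data)

    def unlink(self, path):
        os.unlink(path)


class ModuleManager:
    """Mediates resource acquisition: agents only see what link() returns."""

    def __init__(self, modules):
        self._modules = dict(modules)

    def link(self, name):
        try:
            return self._modules[name]
        except KeyError:
            raise Denied(f"module {name!r} not available through this manager")


def attenuate_os(full, root):
    """Restricted view of `full`: paths confined to `root`, no unlink at all.
    The returned object is the capability; it closes over `full`, so the
    agent can never reach the unrestricted module behind it."""
    root = os.path.realpath(root)

    def confine(path):
        # realpath resolves ".." and symlinks before the prefix check
        real = os.path.realpath(os.path.join(root, path))
        if os.path.commonpath([root, real]) != root:
            raise Denied(f"{path!r} escapes the sandbox")
        return real

    class RestrictedOS:
        def read(self, path):
            return full.read(confine(path))

        def write(self, path, data):
            return full.write(confine(path), data)

    return RestrictedOS()


class RestrictedManager(ModuleManager):
    """A manager that gives out only restricted versions of dangerous modules."""

    def __init__(self, trusted, root):
        super().__init__({"OS": attenuate_os(trusted.link("OS"), root)})


def agent(manager, action, *args):
    """Untrusted code: its only route to resources is the manager parameter."""
    return getattr(manager.link("OS"), action)(*args)


def run_demo():
    """Run an agent against a restricted manager; returns outcome per attempt."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as sandbox:   # constructed sandbox dir
        trusted = ModuleManager({"OS": FullOS()})
        restricted = RestrictedManager(trusted, sandbox)
        attempts = [
            ("write_inside", "write", ("note.txt", "hello")),
            ("read_inside", "read", ("note.txt",)),
            ("escape_parent", "read", ("../../etc/hostname",)),
            ("unlink_missing", "unlink", ("note.txt",)),
        ]
        for label, action, args in attempts:
            try:
                result = agent(restricted, action, *args)
                outcomes[label] = "ok" if result is None else result
            except Denied:
                outcomes[label] = "denied"
            except AttributeError:       # restricted module never offered it
                outcomes[label] = "not offered"
        try:                              # a module the manager does not carry
            restricted.link("Pickle")
            outcomes["other_module"] = "granted"
        except Denied:
            outcomes["other_module"] = "denied"
    return outcomes
```

The point the mail makes about Java's call-chain scheme shows up here by omission: nothing inspects who called `agent`; confinement follows purely from which manager object the agent was given, so the same agent code run with `trusted` instead of `restricted` would get the full module.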