#280 Need a safe variant of makeEProxyResolver

feature_request
open
local elib (53)
1
2005-08-15
2005-08-15
No

From
http://www.eros-os.org/pipermail/e-lang/2005-July/010828.html

On Jul 2, 2005, at 11:49, Mark Miller wrote:
> Kevin Reid wrote:
>> Consider this code:
>> def coerced :=
>>   (def guard := thing <- __getAllegedType()) <- coerce(thing)
>
> Yes. E already does your option #3a:
>
>> 3a. Make available in the safeScope an operation for responding to
>> the eventual sends to a promise before that promise is resolved. This
>> restores the property that "a malicious vat hosting one set of
>> objects can only cause external effects equivalent to a correct vat
>> hosting some different (maliciously coded) set of objects" (from
>> <http://www.erights.org/elib/capability/ode/ode-protocol.html>).
>
> The object in question is only available from the privileged scope,
> not the safe scope, since its gc notification provides access to
> non-determinism.

Since it is privileged, it does not implement 3a as I see it. The
programmer can think "Oh, that's a privileged object, they can mess up
ordinary E guarantees anyway, so I won't worry about it".

Discussion

    • assigned_to: nobody --> caplet