Le 06/01/2012 17:43, Mark S. Miller a écrit :
On Fri, Jan 6, 2012 at 8:31 AM, David Bruant <bruan...@gmail.com
<mailto:bruan...@gmail.com>> wrote:
Le 06/01/2012 06:03, Mark S. Miller a écrit :
Such a built in memoization, whether by boundTo or this
enhancement to bind itself, creates a fatal ambient
communications channel.
// initSES initialization, freezing all built in
primordials other than the true global
// load Alice as a confined object graph
// load Bob as a confined object graph. Alice and Bob
should not be able to communicate
// Covert channels mean we might not be able to prevent
them from communicating bits
// But we must certainly prevent capability leaks
Alice says
Object.boundTo(Object).foo = capabilityBobShouldntGet;
Bob says
var HAH = Object.boundTo(Object).foo;
If Alice and Bob have been loaded as confined object graphs, they
could both be exposed different objects for what each refer to as
"Object", no?
It depends on the intentions of the party that instantiated the
confined Alice and Bob -- call her Carol the Confiner, or simply Carol.
If Carol wants to have a rich interaction with Alice and Bob, then she
will typically want Alice, Bob, and Carol to all exist within a single
SES context (frame) and thereby share the same Object. That way, none
of them have to worry about the weird and complex behavior of, for
example, instanceof, when computing across multiple frames.
Ok. I forgot that some mecanisms relied on object identity.
Very concretely, Carol will want to have the same Object as Alice, and
to have the same Object as Bob. Therefore, Alice and Bob will have the
same Object as each other. Sharing Object and the other accessible
built-in primordials (i.e., all the primordials except the global
object) is safe in SES because the accessible primordial state
contains no communications channels. To a first approximation, it
contains no mutable state at all. The only exceptions are Date.now(),
Date(), and Math.random(), none of which creates a communications channel.
Indeed. Mutable state does not seem to be the issue by itself. The issue
would be a mutable state that can be mutated by a script (which isn't
the case for Date and random)
[...]
> Ps: by the way, what does "HAH" mean?
It is Bob's evil laugh, as Alice and Bob have successfully conspired
to leak capabilityBobShouldntGet to Bob.
:-)
David
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
