ideas-computer-jasper-jasperCapabilitiesNotes1

read stdio, write stdout, write stderr

read/write other streams, files

read/write/execute any file under location (note: read privilege is sufficient to import a Jasper library, unless it uses extra-Jasper extensions)

network communications

other sensors/effectors used via special locations

ulimit: number of spawned threads, amount of memory

see http://lua-users.org/wiki/SandBoxes section "Table of Variables"

note: it's important that "globals" aren't truly global, and can be hidden from function calls upon demand (also must hide even 'hidden' scoped globals)

should also be able to pass in read-only variable references in order to give the program a way to create other 'pipes' into the untrusted code (maybe)

CALLINGFUNCTION

---

--

shall we implement immutability, unaliasability, and purity (see jasperDataModes) as capabilities, the same as security capabilities?

each value has attached capabilities, which map onto standard attributes (see jasperAttributes) or custom attributes (e.g. for things like Rails permissions). there are operators to remove capabilities.

sometimes you want to allow debug code to do something that you don't want normal code to do, e.g. printing stuff to the console from a pure function. this should be possible if the point of capabilities is safety, but not if it is security. perhaps a concept like 'user groups' could help here? if you want to disallow something for safety, not security, leave the capability on for the DEBUG group, but if the purpose is security, then turn it off there too.

in essence these user groups allow the capabilities to be removed, but then to resurface when the value is passed to the right type of code segment. this seems to remove the need for a facility to pass capabilities around on their own, although maybe we should allow that too, in case i've forgotten something.

also need 'lockable' and 'unaliasable unless locked'

...in general, are capabilities just masking of object attributes (edges)?

in that case i guess there would be some sort of meta attribute that lists which attributes have been masked... this list itself would be masked unless you are in the 'admin' group

---

" Loopholes in Object-Oriented Programming Languages

Some object-based programming languages (e.g. JavaScript, Java, and C#) provide ways to access resources in other ways than according to the rules above including the following:

        direct assignment to the instance variables of an object in Java and C#
        direct reflexive inspection of the meta-data of an object in Java and C#
        the pervasive ability to import primitive modules, e.g. java.io.File that enable external effects.

Such use of undeniable authority effectively defeats the security benefits of the Object-capability model. Caja and Joe-E are variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes. "

-- http://en.wikipedia.org/wiki/Object-capability_model
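The following is an added Python sketch, not Jasper code and not from the quoted Wikipedia article, covering two of the points above: the capability model from the design notes (capabilities as masks over a value's attributes, a removal operator, a 'safety' mask that resurfaces for a DEBUG group while a 'security' mask never does, and a masked-attribute list that is itself hidden outside 'admin'), and the loophole the quote describes, shown by reaching the unmasked target through Python's own reflection. Every name here (CapRef, Mask, enter_group, Console, the group names) is an assumption made for the example.

```python
from dataclasses import dataclass


class CapabilityError(AttributeError):
    """Raised when code uses an edge whose capability has been removed."""


@dataclass(frozen=True)
class Mask:
    attr: str
    purpose: str  # "safety" (lifts for DEBUG) or "security" (never lifts)


class CapRef:
    """A value reference carrying masks over the target's attributes (edges)."""

    def __init__(self, target, masks=frozenset(), group="normal"):
        # object.__setattr__ because this class blocks direct assignment below.
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_masks", frozenset(masks))
        object.__setattr__(self, "_group", group)

    def without(self, attr, purpose="security"):
        """Removal operator: returns a more restricted reference, never a less restricted one."""
        if purpose not in ("safety", "security"):
            raise ValueError("purpose must be 'safety' or 'security'")
        return CapRef(self._target, self._masks | {Mask(attr, purpose)}, self._group)

    def masked_attributes(self):
        """Meta attribute listing the masked edges; itself hidden outside 'admin'."""
        if self._group != "admin":
            raise CapabilityError("masked-attribute list is hidden outside 'admin'")
        return sorted(m.attr for m in self._masks)

    def _visible(self, attr):
        for m in self._masks:
            if m.attr == attr and not (m.purpose == "safety" and self._group == "DEBUG"):
                return False
        return True

    def __getattr__(self, attr):
        # Reached only for names not defined on CapRef itself, i.e. the target's edges.
        if not self._visible(attr):
            raise CapabilityError(f"capability for {attr!r} has been removed")
        return getattr(self._target, attr)

    def __setattr__(self, attr, value):
        raise CapabilityError("direct assignment would bypass the capability check")


def enter_group(ref, group):
    """Re-tag a reference for the code segment it is passed into. Assumption: a real
    runtime does this in the trusted dispatcher, never from untrusted code."""
    return CapRef(ref._target, ref._masks, group)


class Console:
    """Constructed sample resource with one benign and one sensitive edge."""

    def __init__(self):
        self.lines = []

    def print(self, msg):
        self.lines.append(msg)

    def read_secret(self):
        return "placeholder-secret"  # constructed value, not a real secret


def _allowed(call):
    """True if the call goes through, False if a capability blocks it."""
    try:
        call()
        return True
    except CapabilityError:
        return False


def demo():
    """The notes' scenario: pure code may not print (safety) nor read the secret (security)."""
    console = Console()
    pure = CapRef(console).without("print", purpose="safety").without("read_secret")
    debug = enter_group(pure, "DEBUG")
    out = {
        "normal_can_print": _allowed(lambda: pure.print("hello")),
        "debug_can_print": _allowed(lambda: debug.print("trace")),      # safety mask lifts
        "debug_can_read_secret": _allowed(lambda: debug.read_secret()),  # security mask stays
        "normal_sees_mask_list": _allowed(lambda: pure.masked_attributes()),
        "admin_mask_list": enter_group(pure, "admin").masked_attributes(),
        "direct_assignment": _allowed(lambda: setattr(pure, "lines", [])),
    }
    out["console_lines"] = list(console.lines)
    return out


def reflection_loophole(ref):
    """The quoted point in Python terms: reflective inspection of the instance
    reaches the unmasked target, so the mask is only advisory unless the host
    language closes this loophole. Returns True when the mask was bypassed."""
    raw = vars(ref)["_target"]
    return hasattr(raw, "read_secret")
```

Two design points worth noting. `without` only ever adds masks and hands back a fresh reference, so authority can only shrink along a call chain; regaining an edge happens solely through `enter_group`, which is why that function must belong to the runtime rather than to the code being confined. `reflection_loophole` is the reason the model cannot be retrofitted as a library on a language with ambient reflection: `vars()` sees through the wrapper exactly as the quote says direct field access and meta-data inspection do in Java and C#, so a language taking this route has to remove those capabilities at the language level, as Caja and Joe-E do.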

---