r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

[!REBOL3]

BrianH
4-May-2011
[8397]
No, but all code created after the word is hidden doesn't get access, 
and only code created before the hiding has access to a token (bound 
word) that will let it create new code with access. You get the same 
sharp separation between code with access and code without.
Kaj
4-May-2011
[8398]
A POLA model is where you start out with no access. If you have to 
PROTECT/HIDE afterwards, that's the reverse of POLA
BrianH
4-May-2011
[8399]
Basically, the code that creates the token is the only code that 
has access to the token, and it can pass that token along to other 
code if it is safe to do so. The only difference is that code isn't 
protected unless it needs to be.
Kaj
4-May-2011
[8400]
Yes, the reverse of POLA. Capabilities is about building a POLA system
BrianH
4-May-2011
[8401]
For the benefit of those trying to follow this discussion without 
having read the articles, could you at least once expand the POLA 
acronym?
Kaj
4-May-2011
[8402]
Principle Of Least Access
BrianH
4-May-2011
[8403]
Thanks.
Kaj
4-May-2011
[8404]
Again, did you study true capabilities, especially in the E language, 
but also in Genode and the ground-breaking KeyKos and EROS systems? 
If you didn't, I can understand why we don't understand each other. 
By the way, POLA is not a capabilities term, but a generic security 
term
BrianH
4-May-2011
[8405]
I got the overview, but there are some limitations when talking about 
a language like REBOL.
Kaj
4-May-2011
[8406x2]
There are limitations in the current implementation, but not in the 
concept
Please study http://erights.organd http://genode.org.Without that, 
this discussion probably won't go anywhere
BrianH
4-May-2011
[8408x3]
Not so.
OK, the problem with that model *in this case* (PROTECT/hide) is 
that we are talking about object fields here, bindings of word values. 
REBOL objects bind their code blocks before executing them. If there 
is going to be any blocking of bindings, at least the object's own 
code needs to be bound first. This means that if you are going to 
make word bindings hidden, you need to do so after the object itself 
has been made, or at least after its code block has been bound. You 
can do this binding with PROTECT/hide, or with some setting in an 
object header, it doesn't matter. Since words are values and their 
bindings are static, being able to create a new word with the same 
binding means that you need access to a word with that binding, with 
*exactly* the same visibility issues as token access. The difference 
in this case between POLA and PROTECT/hide is whether object fields 
are hidden by default or not, not a matter of when they are hidden.
We can't directly use the E model because E is compiled, so there 
are things that happen at runtime in REBOL that happen in the compiler 
in E.
Kaj
4-May-2011
[8411]
It's a VM, so you still have control over them
BrianH
4-May-2011
[8412]
It's still compiled, and word lookup is handled by the compiler, 
not at runtime.
Kaj
4-May-2011
[8413]
What difference does that make?
BrianH
4-May-2011
[8414]
For E, these capabilities can basically be resolved statically in 
a lot of cases by the compiler. For REBOL, every capabilities check 
would need to happen at runtime.
Kaj
4-May-2011
[8415]
Yes, obviously. So, no difference in possibility
BrianH
4-May-2011
[8416]
I have to go now (well, an hour ago). May we continue this later?
Kaj
4-May-2011
[8417x6]
Certainly. It's been a favourite topic of mine for a decade :-)
From http://erights.org/history/original-e/programmers/Econcepts.html
Once the capability to reference an object or send a message has 
been granted, no further run-time check is required.
I hadn't checked E for a long time, but they are now implementing 
capabilities in JavaScript for Google, so we're going to hear from 
it whether we want or not:
http://code.google.com/p/google-caja/
I guess this is another one of those things where REBOL has the choice 
between being ahead or staying behind a lost opportunity
Ladislav
4-May-2011
[8423x7]
Pretending that security doesn't matter is a worse policy.

 - for me, security does matter, but this just pretends to be security
And what never matters to me is pretence.
Make parameters not work, and don't do blocks and parens through 
word values, same as R2's DO of path values.

 - this is exactly a complicated way how to pretend something is more 
 secure than it actually is. The only real effect is obtaining a less 
 comfortable and more annoying system
As for the

    a: quote (1 + 2)
    a ; == (1+ 2)


, that is not a "security measure". It is just a more comfortable 
behaviour.
...and I know it, since it was me who proposed it
On the other hand, I would never propose

    do a


to yield anything other than 3, pretending it might be perceived 
as "more secure".
Regarding APPLY- I was the one who implemented the first APPLY in 
REBOL, and I was the first who used it to obtain a more secure evaluation 
than using DO
BrianH
5-May-2011
[8430x4]
Agreed about this from your example above:
>> a: quote (1 + 2)  do a
== 3
But what I was proposing above was this:
>> do 'a
== (1 + 2)
Would that be acceptable to you?
Regarding your implementing the first APPLY, that's great. I wish 
I had seen or heard of your version, so I wouldn't have had to implement 
the R2/Forward version from scratch. Then maybe we wouldn't have 
needed the bug fixes that R2's APPLY got later.
IIRC, you provided some advice that helped with the R2/Forward version 
before it got included in R2 the first time. If so, thanks.
pretend something is more secure than it actually is

 - the biggest security concern of R3 is making sure that outside 
 code can't modify the code of functions.


There are various tricks that can be done in order to make sure that 
doesn't happen (putting calls to function values in parens, APPLY, 
SECURE 'debug). DO of blocks and parens don't need the APPLY or DO 
in a paren tricks in order to make sure they can't modify the calling 
code because they can't take parameters, so you can DO blocks and 
parens without changes to your source code - SECURE 'debug doesn't 
require changes to source code. This means that less effort is needed 
to make DO of blocks or parens more secure than DO of functions that 
can take parameters. The same goes for DO of any non-function type.


If you constrain DO of paths or words with functions assigned to 
them to not be able to take parameters, then they would be exactly 
as secure as DO of blocks or parens, and can be called with the same 
code - no additional code wrappers or screening would be needed. 
This would make DO of words or paths a drop in substitute for DO 
of blocks or parens.
Ladislav
5-May-2011
[8434]
Would that be acceptable to you?
 - I found out, that everyone except you is against it
BrianH
5-May-2011
[8435]
No, you found that out about functions, not blocks.
Ladislav
5-May-2011
[8436]
or, maybe not, we should make another poll
BrianH
5-May-2011
[8437x2]
Remember, having it evaluate blocks and parens like that would make 
it not consistent with how words and paths are treated when evaluated 
inline.
Consistency was the biggest argument you had for the treatment of 
word values with functions assigned to them.
Ladislav
5-May-2011
[8439]
Well, it looks, that

    do 'a ; == (1 + 2)

may be more convenient
BrianH
5-May-2011
[8440]
Cool.
Ladislav
5-May-2011
[8441x3]
(not that I intend to use it frequently)
It is interesting, that for the case:

    lit-word: first ['a]
    do [type? lit-word]

we have only two opinions
currently, and both prefer the lit-word! datatype as the result
BrianH
5-May-2011
[8444x3]
That isn't what you said in #1434 - you said that you would prefer 
getting the word! type.
I'm more concerned with people trying to sneak functions into data, 
which could then use parameters to get access to the original code 
of another function. This can be used for code injection, or for 
getting access to bound words that have since been hidden, or to 
internal contexts. Given that words are often valid data, having 
a special case where they can execute functions by sneaking in a 
bound word is a real concern. However, if that function can't take 
parameters, there is no hacking potential and function code can be 
secure. The workaround if you don't want any functions executed (beyond 
the hacking) could be to unbind words retrieved from data, bind them 
to a known context, or just avoid using DO word or path altogether.
As for #1434 (and your most recent code example), I would prefer 
to have lit-words and lit-paths be consistently active values (the 
way lit-words are in R3 now) for the same reasons you proposed #1881 
and #1882. This means having them convert to word and path when they 
are evaluated instead of just gotten. But if you would prefer them 
to be a special case like parens (the way lit-paths are in R3 now), 
that would work for me too as long as that is the case for both lit-words 
and lit-paths - it would make them a little easier to work with.