[Python-Dev] new security doc using object-capabilities

[David Hopwood]

Phillip J. Eby wrote:
> At 12:04 PM 7/25/2006 +1200, Greg Ewing wrote:
>>Phillip J. Eby wrote:
>>
>>>When I say "name checker" I mean the Zope type that allows you to specify
>>>a list of names that are allowed for a given object.  This allowing is not
>>>based on identity or code signing or anything like that.  It's just a list
>>>of attribute names: i.e. a capability mask over an existing object.
>>
>>But this is backwards from what a true object-capability
>>system should be like if it's properly designed. Instead
>>of starting with too-powerful objects and trying to
>>hide some of their powers, the different powers should
>>be separated into different objects in the first place.
> 
> And what about code that needs to pass on a subset of a capability?  You 
> need the ability to create such capability-restricted subsets anyway, no 
> matter how "pure" a system you start with.

That is true, but doing so for every secure object has significant costs.
A simple wrapper is not sufficient, because it would not prevent a wrapped
object from returning a reference to itself, bypassing the wrapper. To solve
this problem you need to use the more complex Membrane pattern, which also
wraps the results of method calls on a wrapped object, for example.

In fact Zope's approach does implement a membrane, but this does not really
dent the argument that Greg Ewing was making. A pure capability system incurs
the complexity and performance costs of wrappers or membranes only in cases
where they are needed, not for every object, and the complexity is only in
user code, not in the system's security kernel.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>