Last updated at 2:39 pm UTC on 16 January 2006
Capabilities are a different way to view security than the access control lists (ACLs) many people are familiar with. Capabilities mesh particularly well with object-oriented systems like Squeak, because plain old objects can be capabilities and thus form the backbone of a security policy. Python's security model is based on capabilities. Even Unix's security, while based on ACLs at the top-most level, uses file descriptors as capabilities when more fine-grained security is desired. There is a lot of interesting information about capabilities at http://www.erights.org.
Lex Spoon has cleaned up Squeak so that an object may be treated as a capability without unwanted privileges escaping. He didn't implement very many interfaces, but he did lock down most of the worst holes.
There is another project called Islands: Islands for Tweak.
For those interested, the original writeup is here: sandbox.sgml sandbox.ps sandbox.pdf sandbox.html
An older doc is at:
retrieveContents contentStream fileInObjectAndCode openInWorld
To run an Islands image, you need a couple of changes to the VM. To get these changes, file in the following files and then use VMMaker and proceed as appropriate for your platform:
Since these changes are so minimal, perhaps they can be included in the standard VM one day....
To get an Islands image to play in, you should grab lex-sandbox.zip. If you want to make your own image, start with Squeak 2.9 and use islands.zip. There is a file "islands-boot.st" in that archive which should load everything for you. Be aware that it takes a LONG time, because every class gets recompiled. (Anyone want to change this mechanism? The issue is that the system wants to keep track of which methods are privileged to use things like thisContext, and which are not, and this is currently done by adding an instance variable to all classes.)
Here are my (Lex's) broad plans for Islands in the near future, in order of priority. Of course, it's open source, so anyone should feel free to do what they like!
The most important thing to do, I think, is to get a morphic proxy working so that code on an island can display outside to a Morphic world. This is already mostly implemented, but it is extremely slow. Having an isolated Morphic would be an application many people can use and basically would make Islands a lot cooler.
It would be wonderful to generate some example usages of the system to compare in particular with E. The Mint example would be one thing to try; I emailed the list with my effort at it, but it wasn't compiled and tested. There are likely some small details that need to be cleaned up before it will work.
Static Binding of Classes
Mark Miller has argued persuasively that classes should be statically bound. To do this, however, you need to be able to limit static scope of class accesses, something Squeak is poor at right now. At any rate, this area seems like the third priority in the future of Islands.
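The Mint example from E that Lex mentions above, as an added Squeak Smalltalk sketch written for this page (not Lex's emailed version, which is not reproduced here): only a Mint reference can create money, and a Purse reference alone is the authority to pay out of that purse. The class names, the 'Islands-Examples' category and the use of a mint-side IdentityDictionary in place of E's sealer/unsealer are this example's own choices.

```smalltalk
"Added example (not from this page): an object-capability Mint after E's Mint."
Object subclass: #Purse
	instanceVariableNames: 'mint' classVariableNames: '' poolDictionaries: '' category: 'Islands-Examples'.
Object subclass: #Mint
	instanceVariableNames: 'balances' classVariableNames: '' poolDictionaries: '' category: 'Islands-Examples'.

Mint class>>new
	^self basicNew setUpMint

Mint>>setUpMint
	"Balances are kept in the mint by purse identity; a purse holds no state to tamper with."
	balances := IdentityDictionary new

Mint>>makePurse: initialBalance
	"Creating money is the mint's authority alone."
	| purse |
	purse := Purse basicNew setMint: self.
	balances at: purse put: initialBalance.
	^purse

Mint>>balanceOf: aPurse
	^balances at: aPurse

Mint>>transfer: amount from: source to: destination
	"Identity lookup rejects purses this mint did not issue (forgeries included)."
	((balances includesKey: source) and: [balances includesKey: destination])
		ifFalse: [^self error: 'purse not issued by this mint'].
	(amount isInteger and: [amount >= 0]) ifFalse: [^self error: 'invalid amount'].
	(balances at: source) < amount ifTrue: [^self error: 'insufficient funds'].
	balances at: source put: (balances at: source) - amount.
	balances at: destination put: (balances at: destination) + amount

Purse>>setMint: aMint
	"Set only by the mint. In plain Squeak a holder could still reach the mint
	 via instVarNamed: or thisContext; those are the holes Islands closes."
	mint := aMint

Purse>>balance
	^mint balanceOf: self

Purse>>sprout
	"An empty purse of the same mint, for receiving payments without handing over this one."
	^mint makePurse: 0

Purse>>deposit: amount from: sourcePurse
	"Holding both purse references is the only authority needed to move money."
	mint transfer: amount from: sourcePurse to: self

"Workspace check:  | m a b |  m := Mint new.  a := m makePurse: 100.  b := a sprout.
 b deposit: 30 from: a.  a balance -> 70.  b balance -> 30.  b deposit: 80 from: a -> error."
```

Evaluate the two class definitions in a workspace, then define each method in a browser on the class named before `>>`.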
Islands for Squeak 3.4 and beyond
I created an Islands SAR file for Squeak 3.4 ( Islands.sar ).
If you're wondering what a SAR file is, check out FAQ: Squeak Packages.
- Loading this SAR takes a lot of CPU and a long time (all classes are re-compiled).
- This SAR is not installing successfully yet:
    LOADING changeset ACSMsgA.1.cs
    (day is Undeclared) (year is Undeclared) (day is Undeclared) (DefaultSortBlock is Undeclared)
    LOADING changeset ACSMsgB.1.cs
    LOADING changeset ACSMsgC.1.cs
    LOADING changeset cheezyBangSyntax.1.cs
    LOADING changeset cmCopy.1.cs
    LOADING changeset PrivilagedMethods.9.cs
    Error: Strings only store Characters
    21 February 2003 5:59:34 pm
    VM: Win32 - Squeak3.2gamma of 12 January 2002 [latest update: #4879]
    Image: Squeak3.4gamma [latest update: #5169]
- The blowup appears to occur in MethodContext>>printString:
    thisClass == nil
        ifTrue: [^'a Metaclass']
        ifFalse: [^thisClass name , ' class']
- The error is a DNU for Dictionary, for a Message with selector: #, and arguments: #(' class')