Capability based security in Smalltalk? 
Author Message
 Capability based security in Smalltalk?

Hey all!

I'm interested in capability based security.   I first heard of it in the
Squeak community and have read some papers on it.  Now I am prototyping
some ideas in Smalltalk, but would like not to have to completely invent
it all myself.

Is there any information about implementations of this idea in Smalltalk?  
I would be interested in knowing about papers, sample code, or even in
hearing of the experiences of others here.




 author of Liberty BASIC, twice a PC Magazine Awards Finalist!

Sun, 29 May 2005 22:41:40 GMT  
 Capability based security in Smalltalk?
Capabability based security systems go back to the late 60's or early
70's.  I am not fully aware of the history of this idea, but I believe
one of the earliest implementations was a Plessy system out of
England.  The most notable (and successful) implementation is that of
the IBM System/38 (later renamed the AS/400), which was developed in
the late 70's.  I had the privilege of designing part of the
architecture of the S/38's operating system, so I became very familiar
with its security system.
   Few people outside of IBM's Rocester development lab. are aware
that the AS/400 is a marvelous bit of advanced software technology -
still many years in advance of anything else on the market.  For some
reason I have never understood, IBM has consistently failed to
adequately promote this technology - kind of a "best kept family
secret." The AS/400's users have certainly reaped its benefits, but
this isn't the place for me to sing its praises.
   Instead, I'll summarize the AS/400's capability-based security
features (to the best of my memory - it has been more than ten years
since I last looked at this!). First, the AS/400 is an object-based
system in which encapsulated objects reside in a single-level,
uniformly addressable, 64-bit virtual address space.  Its high-level
virtual machine implements a fixed repetoire of object types at two
levels, Program Objects for the number, string, etc. types manipulated
by programming languages and by the system's embedded database, and
System Objects that contain program objects.  Examples of System
Objects are Data Spaces, Indexes, Queues, Files, Directories, User
Profiles, Executable Programs, Processes, and a variety of process
work spaces.  Each System Object is a separate 32-bit virtual address
space in which program objects are mapped in various ways.
    There is one, and only one, way for an executable program to
address a program object in a System Object, and that is by means of a
type of program object called a System Pointer - a "capability" by
another name. Each System Pointer is 16 bytes long, the first 64 bits
contains a virtual address, and the last 64 bits contains
authorization information.  A key point to remember is that System
Pointers are inviolable; they can only be created by the Virtual
Machine, and there is no way for an executing program to change them.
In fact, they are protected by the memory system (at least they were
in the S/38).  Each 16-byte segment of real memory has an additional,
hidden bit that specifies if it is a System Pointer.
  In operation, a program asks a Directory object to resolve a name
into a System Pointer.  The Directory looks up the name and checks a
User Profile for the access rights of the requesting user for that
object.  It then creates and returns an appropriate System Pointer.
(Actually, there's more to it than this, but I don't remember all of
the details.) The program can then request any of the encapsulated
operations of that type of System Pointer. The Virtual Machine looks
at the access information in the System Pointer to determine if it is
allowed to perform the requested operation for that user.
   Actually, there is a second kind of System Pointer, called a Space
Pointer, that loosens things up a bit so that executable programs can
easily work with program objects within a System Object.  Space
Pointers give programs the ability to freely address the contents of a
System Object, to do all of the data manipulation things programs
normally do.  However, the Virtual Machine creates Space Pointers for
only certain types of System Objects that are designed for this level
of flexibility. One such type is the Space Object, which is just an
empty address space. A program can map a Space Object however it
wants; for example, as a heap. The Virtual Machine provides
instructions for manipulating Space Pointer addresses, but it never
allows the creation of an address that "leaks" outside of the
designated System Object.
   There is MUCH MORE to this beautiful systems architecture than I
can describe here, but I do want to point out how fantastic it would
be to marry it with Smalltalk.  Some of Smalltalk's key ideas (class
objects, inheritance, dynamic message binding and polymorphism) were
not publicly available at the time the System/38 was designed in the
late 70's.  There were many discussions among the architecture staff
about finding a way to bring some of the system's object-based
facilities into the programming languages the S/38 planned to support
(RPG and COBOL, initially, but many other languages, today), but we
had schedules to meet.
   When I first learned Smalltalk (in about 1983), I knew I'd seen the
promised land, but I was not able to  sell it to the "powers that be."
 Later,  a version of VisualAge Smalltalk was implemented on the
AS/400, but it is a straightforward implementation that does not take
advantage of the AS/400's unique architecture.  I now have the hope
that it might be possible to incorporate some AS/400 ideas into an
"enhanced Smalltalk."

Hope this helps...Rich Demers

Mon, 30 May 2005 22:57:49 GMT  
 [ 3 post ] 

 Relevant Pages 

1. Adding CGI-capabilities to a BaseHTTPServer/BaseHTTPRequestHandler-based webserver

2. Problem of security using ADO from Labview to connect to Access 2000 Data Base

3. Paper announcement: Language-Based Information-Flow Security

4. Security of browser based editors/site management

5. Web-cam based security cameras

6. Lisp based security agents

7. The Collective Capabilities of Available Smalltalk Systems

8. Heads Up: Smalltalk Capabilities and PowerPC Native Support

9. Smalltalk/V with networking capability?

10. Smalltalk GUI capabilities?

11. Smalltalk-like or Smalltalk-based Java IDE interface?

12. EMail Security Program in Smalltalk


Powered by phpBB® Forum Software