[Fwd: Re: [plt-scheme] Stack inspection security]

From: David Van Horn (dvanhorn at cs.uvm.edu)
Date: Tue Oct 14 14:32:34 EDT 2003

[ Meant to send this to the list ]

John Clements wrote:
> First off, I'm guessing you're not familiar with my paper on this topic:
> A Tail-Recursive Semantics for Stack Inspections
> http://www.ccs.neu.edu/scheme/pubs/esop2003-cf.pdf
> ... which shows, among other things, how to implement stack inspection
> using continuation marks.

No, I'm actually quite familiar with it; that's where I got the idea for stack
inspection using continuation marks.  But the \lambda_{sec} language abstracts
over what a principal is.  The annotator consumes a peice of source code and
it's permissions, but where do these permissions come from?  In an
implementation, a policy would map principals to privileges, and the runtime
would need to mark any peice of code as belonging to some (unforgeable)
principal (or at least this is how it is done in the JVM & CLR).  My post was
intended to ask, "what's a principal in PLT Scheme?", which seems relevant if
PLT is going to allow code to be downloaded and run from the internet.

> With that said, let me encourage you to look at mechanisms other than stack inspection.
> My conversations with others (including Christian Skalka) about security makes
> me wonder whether stack inspection is really the best mechanism for security,
> especially in mzscheme.
> I for one would be more inclined to try to set up a capability-based system for security.

I am looking at other mechanisms, stack inspection was just the first.  I
think an object confinement system would be rather nice.  But I don't see why
you couldn't have several security mechanisms.


Posted on the users mailing list.