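test(function () {
    resetLog();
    var o = {x: {y: function () {}}};
    var m = makeMembrane(o);
    // The membrane owner attaches advice to a function on the model...
    m.setPolicy(o.x.y, {caller: logCall});
    // ...and it fires when a consumer calls that function through the view.
    m.view.x.y();
    return wasLogged();
});
==> true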
Problem: securely share an arbitrary object with different parties with varying levels of trust
Phase 1 of the solution: a functional, bidirectional advice system
- lazily & deeply copy an object and proxy calls from the view to the model
  - subtlety: prevent references from the model from leaking to the view and vice versa; consumers of the view have a different notion of equality than those of the model
- allow users of the model to set advice for actions performed by consumers of a view
  - subtlety: advice applies only to the view. Membrane owners may separately and securely control the associated view.
  - subtlety: advice acts exactly at the divide between the model and view, but must still be protected
For those familiar with them, this is similar to a popular idea with object capabilities -- except adding advice is the first step towards usability and verification.
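One way to build the Phase 1 membrane described above, as an added example that is not the post's own implementation. It assumes ES2015 Proxy and WeakMap, and the advice signature (caller receives the model function and the already-wrapped arguments) is an assumption; only get, set and apply are trapped, so a complete membrane would have to cover the remaining proxy traps as well.

```javascript
// Added sketch, not the post's implementation: a bidirectional membrane with call advice.
const isObject = (v) => (typeof v === "object" && v !== null) || typeof v === "function";

function makeMembrane(model) {
  const m2v = new WeakMap();      // model-side object -> its view-side stand-in
  const v2m = new WeakMap();      // view-side object  -> its model-side stand-in
  const policies = new WeakMap(); // model function -> advice; closure-private, unreachable from the view
  // Carry `value` across the divide: `out` maps the side it leaves, `back` the side it enters.
  function cross(value, out, back) {
    if (!isObject(value)) return value;        // primitives carry no authority
    if (out.has(value)) return out.get(value); // stable identity; proxies unwrap on the way home
    const proxy = new Proxy(value, {
      get: (t, key) => cross(Reflect.get(t, key), out, back), // lazy, deep wrapping
      set: (t, key, v) => Reflect.set(t, key, cross(v, back, out)),
      apply(t, self, args) {
        const inArgs = args.map((a) => cross(a, back, out));
        // Advice fires only when the view calls into the model, never the reverse.
        const advice = out === m2v ? policies.get(t) : undefined;
        if (advice && advice.caller) advice.caller(t, inArgs);
        try {
          return cross(Reflect.apply(t, cross(self, back, out), inArgs), out, back);
        } catch (e) {
          throw cross(e, out, back);           // thrown objects cross the divide too
        }
      },
    });
    out.set(value, proxy);
    back.set(proxy, value);
    return proxy;
  }
  return {
    view: cross(model, m2v, v2m),
    setPolicy(fn, advice) { policies.set(fn, advice); },
  };
}

// Constructed demo mirroring the post's test, plus the two "subtlety" checks.
function demo() {
  const log = [];
  const o = { x: { y: function (cb) { return cb; } } };
  const m = makeMembrane(o);
  m.setPolicy(o.x.y, { caller: () => log.push("called") });
  const cb = function () {};
  const echoed = m.view.x.y(cb); // the model sees a stand-in for cb, the view gets cb back
  return { logged: log.length === 1, noLeak: m.view.x !== o.x,
           stable: m.view.x === m.view.x, roundTrip: echoed === cb };
}
```
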
Phase 2: to be described in a much later post -- how to realistically get usability and verification out of this.
Phase 3: profit