Thursday, February 5, 2009

success!

Submitted! The insight: by extending the membrane pattern to also be a secure advice system, you can build a very effective policy system by injecting it into the membrane. This is a big boon to web browsers: you can make different systems to support mashups, inter-frame sharing, secure extensions, etc.

Normally, with just a membrane (assuming you've managed to implement one securely, which is tricky!), you can do the following:


var m = makeCanonicalMembrane(webpage);
broadcast(m.view);
...
m.disable(); //disable any access to the webpage or associated objects


That's ugly, so we might provide an enable/disable method for individual objects:


var m = makeCanonicalMembrane(webpage);
m.disable($('passwordField'));
broadcast(m.view);


That's closer to the traditional security standpoint: permit/deny policies. However, from a software engineering perspective... the only worse solution is the previous one. So, we introduce an advice system where users can plug in their own methods:


function encrypt (o, p) { return hash(o[p]); }
var m = makeAdviceMembrane(webpage);
m.advise($('passwordField'), {getters: {value: encrypt}});
broadcast(m.view);


But this is clunky -- you are literally advising every single little function call. However, at this point, you have provided a simple way to inject a policy system which knows how to manipulate the view. For example, you might want to encrypt every password field. We might make a policy system that supports selectors, and translates calls into lower-level advice:


var mp = makePolicyMembrane(makeAdviceMembrane(webpage));
mp.applyPolicy(
webpage,
{selector: "//input[@type='password']",
enabled: false});
broadcast(mp.view);


This is really a new way of secure programming. Instead of sharing an object, you share a customizable and secure view of the object, and automatically generate a customized one by providing a declarative security policy. There are a lot of directions to take this. For example, I'm playing with the ability to hide DOM nodes, not just disable them. This is tantamount to taking an element in a linked list and, in a view of that list, have all previous and next pointers skip over it. Fun with bidirectional programming commences once you support mutation. Furthermore, I can likely hook this into our old Margrave verification system!

Anyways, life is always more fun with pictures. This stuff actually works with bubblemark, where we modify every ball to actually be a view of one! The horizontal bar is where you jump from running a smooth animation to a jerky one.

No comments:

Post a Comment