Monday, November 29, 2010

Proxies gaining traction... objects considered harmful?

I saw that Brendan has started promoting proxies in his talks. Now that Mozilla's JS engine has a proxy primitive (essentially objects that support full overriding of meta object protocol interactions), Brendan stated that Firefox 4 code is apparently shifting to use them for securely connecting browser JS code. In a security context, you need (1) a recursive pattern ("membranes") with double-sided protection but also (2) some way of securely injecting your policies into the wrappers (e.g., for a whitelist, to prevent the whitelist object from leaking out and being hijacked). While Adrienne and I mostly focused on the web application scenario in our Object Views paper about extending a library that does (1) to also do (2), it equally applies to a browser security kernel employing the pattern. Indeed, one of our ultimate goals was for browser extensions!
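To make (1) and (2) concrete, here is an added example (my own sketch, not Mozilla's or the Object Views code) of a two-sided membrane on the ES6 `Proxy` API: values crossing in either direction are wrapped recursively, a proxy going back home is unwrapped, and the whitelist policy lives only in the membrane's closure so the untrusted side can never obtain or alter it. `makeMembrane`, the `dry`/`wet` naming and the sample `trusted` object are assumptions for the illustration.

```javascript
// Added example (not Mozilla's or the Object Views code): a two-sided membrane on
// ES6 Proxy whose whitelist policy lives only in the membrane's closure.
const isObj = v => v !== null && (typeof v === 'object' || typeof v === 'function');

function makeMembrane(wetRoot, isAllowed) {
  let revoked = false;
  // One cache per side keeps proxy identity stable (dry.x === dry.x).
  const cache = { dry: new WeakMap(), wet: new WeakMap() };
  // proxy -> original, so a value crossing back home is unwrapped, not double-wrapped.
  const original = new WeakMap();

  function check(side, target, key) {
    if (revoked) throw new Error('membrane revoked');
    // Policy is enforced only when the untrusted (dry) side touches a trusted object.
    if (side === 'dry' && key !== undefined && !isAllowed(target, key)) {
      throw new TypeError(`access to ${String(key)} denied`);
    }
  }

  // Convert a value arriving from the opposite side into one usable on `side`.
  function to(side, v) {
    if (!isObj(v)) return v;                      // primitives cross unchanged
    if (original.has(v)) return original.get(v);  // a proxy going home: unwrap it
    if (cache[side].has(v)) return cache[side].get(v);
    const other = side === 'dry' ? 'wet' : 'dry';
    const p = new Proxy(v, {
      get(t, key) { check(side, t, key); return to(side, Reflect.get(t, key)); },
      set(t, key, val) { check(side, t, key); return Reflect.set(t, key, to(other, val)); },
      apply(t, thisArg, args) {
        check(side, t);
        // Arguments cross in the opposite direction; the result crosses back to `side`.
        return to(side, Reflect.apply(t, to(other, thisArg), args.map(a => to(other, a))));
      },
    });
    cache[side].set(v, p);
    original.set(p, v);
    return p;
  }
  return { proxy: to('dry', wetRoot), revoke: () => { revoked = true; } };
}
// Constructed sample: a trusted object holding a secret that must not reach the dry side.
const secrets = { apiKey: 'CONSTRUCTED-NOT-A-REAL-KEY' };
const trusted = {
  greet(who) { return `hello ${who.name}`; },  // `who` arrives as a wet-side proxy
  config: { theme: 'dark', secrets },
  secrets,
};
const allowed = new Set(['greet', 'config', 'theme']);  // the whitelist itself never crosses
const { proxy: dry, revoke } = makeMembrane(trusted, (t, key) => allowed.has(key));
```

Because the policy check runs on every `get`/`set` of every wrapped object, `dry.secrets` and the nested `dry.config.secrets` are both refused, while `revoke()` cuts off everything the untrusted side still holds.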

There's also a fun implementation tidbit that popped out. Andreas implemented proxies using an indirection table similar to that for the 'becomes' operator in Smalltalk. For our approach to incorporating policies into wrappers in both a succinct and safe way, we used aspects as the interface. I previously showed 'becomes' and (ocap-style) aspects are the same thing. While not much is known in popular communities about 'becomes', aspects are fairly close to the ability to import antigravity. As noted on Brendan's blog, a world of known language abstractions are now possible for these objects: perhaps using regular objects should be considered harmful?

Finally, as I'm now apparently a performance person -- it would be interesting to compare the efficiency of Ben Lerner's JS aspect implementation for Spur (a tracing JS VM from MSR) to Gal's proxies. I'm still curious, especially once one takes tracing optimizations into account and typical boundary crossing rates, which is more efficient. As promoted in Joel's 2010 Usenix paper, objects should be closely associated with origins (i.e., taint field), and, as suggested in our W2SP paper, I'm particularly curious about creating origin-indexed views: putting 1 + 1 together, can we get dynamic security primitives for multiprincipal programming at no runtime overhead (modulo policy logic)?

Anyways, I've been mostly quiet about my work recently: I've stumbled upon a couple of big algorithm and related programming model results at MSR this fall so, once able, I'm looking forward to describing them. I'm starting again with the socio-PLT stuff so we'll see where that goes as well. Back in Berkeley in January; the next couple of months will be busy!
