SEC: object security
Francois-Rene Rideau
rideau@clipper
Mon, 31 Oct 94 21:00:46 MET
To me we only need one security scheme:
"if you can access the object, you can access it",
i.e. if you were given a handle for an object, you can use it
as you like. If an object is to be secure, just don't give away
handles to it, but handles of objects that will filter accesses to it.
Lazy evaluation and optimization will automatically resolve levels of
indirections when possible, so no performance loss is present.
But with this protection scheme, we need to be sure binaries won't forge
object handles. That's why the system should only run binaries with
some secure PGP signature, that only a safe compiler can produce.
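The scheme in the post, as an added illustration that is not part of the original message: whoever holds a handle may use it fully, so protection comes from handing out a filtering handle (here a read-only, revocable proxy, which the post does not name) instead of the object itself. The `Account`, `ReadOnlyHandle` and `grant_readonly` names are this example's own assumptions.

```python
class Account:
    """Protected object: a holder of the raw handle can read and write."""
    def __init__(self, balance):
        self.balance = balance

    def read(self):
        return self.balance

    def deposit(self, amount):
        self.balance += amount


class ReadOnlyHandle:
    """Filtering handle: forwards only read(); the raw object is never returned.

    Caveat: Python does not make handles unforgeable (handle._target is still
    reachable); the post relies on the system to prevent forged handles, which
    this runtime does not enforce.
    """
    def __init__(self, target):
        self._target = target
        self._alive = True

    def read(self):
        if not self._alive:
            raise PermissionError("handle revoked")
        return self._target.read()


def grant_readonly(target):
    """Issuer side: returns the attenuated handle to give away plus a revoke
    thunk the issuer keeps, so access can be withdrawn later."""
    handle = ReadOnlyHandle(target)

    def revoke():
        handle._alive = False
    return handle, revoke


def demo():
    acct = Account(100)                      # constructed sample object
    handle, revoke = grant_readonly(acct)
    acct.deposit(50)                         # issuer keeps full access
    seen = handle.read()                     # holder can read: 150
    can_write = hasattr(handle, "deposit")   # filtered away: False
    revoke()
    try:
        handle.read()
        revoked = False
    except PermissionError:
        revoked = True
    return seen, can_write, revoked
```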