SEC: object security

Mike Prince
Mon, 31 Oct 1994 16:42:35 -0800 (PST)

On Mon, 31 Oct 1994, Francois-Rene Rideau wrote:

> To me we only need one security scheme:
> "if you can access the object, you can access it",
> i.e. if you were given a handler for an object, you can use it
> as you like. If an object is to be secure, just don't give away
> handles to it, but handles of objects that will filter accesses to it.
> Lazy evaluation and optimization will automatically resolve levels of
> indirections when possible, so no performance loss is present.
> But with this protection scheme, we need be sure binaries won't forge
> object handles. That's why the system should only run binaries with
> some secure PGP signature, that only a safe compiler can produce.

In my version binaries cannot forge anything.  Because there's no such
thing distributed, only our LLL which has its final compile tightly
controlled.  Another issue to consider is that of transport between
machines.  I send an agent with a bunch of "secure data" including access
code to get back into my system to a remote computer.  It's hijacked
(bitjacked?), return codes stolen, data compromised, and "returned" to
its sender, you.  That's the kind of security I'm worried about.
Problems that arise in a distributed environment.  How do we solve those
problems (besides the obvious answers)?
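
The filter-object scheme from the quoted message, sketched as an added example that is not part of the original thread: the owner keeps the real handle and gives out only a handle to an object that narrows and can later cut off access. The names `makeStore` and `makeFilter` are hypothetical, and the sketch assumes a runtime where closure state cannot be reached from outside, which stands in for the thread's requirement that handles cannot be forged.

```javascript
'use strict';

// The protected object: full authority (read and write). Hypothetical name.
function makeStore() {
  const data = new Map();
  return Object.freeze({
    get: (key) => data.get(key),
    set: (key, value) => { data.set(key, value); },
  });
}

// Filter object: exposes only the operations named in `allowed`, and can be
// switched off later. The real handle lives in a closure variable, so a
// holder of the facet has no reference through which to reach it.
function makeFilter(target, allowed) {
  let live = target;                       // set to null on revoke
  const facet = {};
  for (const name of allowed) {
    if (typeof target[name] !== 'function') {
      throw new TypeError(`target has no operation "${name}"`);
    }
    facet[name] = (...args) => {
      if (live === null) throw new Error('handle revoked');
      return live[name](...args);
    };
  }
  const revoke = () => { live = null; };
  return { facet: Object.freeze(facet), revoke };
}

// Constructed scenario: the owner keeps `store` and `revoke`,
// and hands out only `readOnly`.
function demo() {
  const store = makeStore();
  store.set('balance', 100);
  const { facet: readOnly, revoke } = makeFilter(store, ['get']);

  const seen = readOnly.get('balance');    // allowed through the filter
  const canWrite = 'set' in readOnly;      // write was never exposed
  revoke();
  let afterRevoke;
  try { readOnly.get('balance'); afterRevoke = 'still works'; }
  catch (e) { afterRevoke = e.message; }
  return { seen, canWrite, afterRevoke, ownerStillReads: store.get('balance') };
}

console.log(demo());
```

Revocation bounds what a copied facet can do after the owner notices, but anything read through it before that point is already disclosed.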