
Re: implementing sandboxes with capabilities



I didn't follow everything, sorry, but I can reply to this:

> 
> A better, cleaner approach seems to be one of composition.  If we can
> guarantee a break in the pointer such that instVarAt: and friends can't
> get to it, then we can guarantee isolation.

Yes.  The primary characteristic of a proxy, in the scheme I've
sketched, is that it doesn't allow outsiders to traverse past it
in the object graph.  Thus, the two sides are isolated from each
other, and must use the proxy's methods to communicate.  Making
Proxy a new root class which defines hardly anything, seems like
a good approach for implementing them.

The majority of non-proxy objects, which I've been calling "sandbox
safe" for lack of a better term, are much freer, and can safely do
instVarAt: and instVarAt:put: as much as they want.  They can really
mess each *other* up, but they can't do any real harm without going
through one of the proxies.  The goal here, is that the vast majority
of the image can be left as is.  To be honest, I'm not *completely*
sure that it will fall out that way, but that is certainly the goal.



Lex
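The scheme described in the message above, modelled as an added example that is not part of the original post and is not Squeak code. It is written in Python rather than Smalltalk so it can be run as-is: `inst_var_at`/`inst_var_at_put` stand in for `instVarAt:`/`instVarAt:put:`, `SandboxSafe` stands in for the ordinary `Object` hierarchy that defines them, and `Proxy` is the separate root class that defines hardly anything. The `FileStore`, `Document` and `make_file_proxy` names and the sample file contents are constructed for the demonstration.

```python
"""Model of proxy-based isolation: 'sandbox safe' objects are fully open to
reflective field access, while a Proxy holds its state in a closure and
exposes only its methods, so a graph walk cannot traverse past it."""


class SandboxSafe:
    """Ordinary object: fields are open to instVarAt:-style reflection."""

    def field_names(self):
        return list(vars(self))

    def inst_var_at(self, i):
        return getattr(self, self.field_names()[i])

    def inst_var_at_put(self, i, value):
        setattr(self, self.field_names()[i], value)


class Proxy:
    """Separate root class: no reflective accessors, no instance dictionary.
    Subclasses add only the methods they deliberately expose."""
    __slots__ = ()


def make_file_proxy(store, allowed):
    """Build a proxy granting read access to the file names in `allowed`.
    `store` is captured in the closure, not stored as a field, so no
    instVarAt:-style walk from the proxy can find it."""

    class FileProxy(Proxy):
        __slots__ = ()

        def read(self, name):
            if name not in allowed:
                raise PermissionError(f"{name!r} is not exposed by this proxy")
            return store.read(name)

    return FileProxy()


def reachable(root):
    """Everything an outsider can reach from `root` using only instVarAt:-style
    access. Objects without inst_var_at (proxies, strings) are recorded as
    leaves: the walk cannot look inside them."""
    seen = {}
    stack = [root]
    while stack:
        obj = stack.pop()
        if id(obj) in seen:
            continue
        seen[id(obj)] = obj
        accessor = getattr(obj, "inst_var_at", None)
        if accessor is None:
            continue
        for i in range(len(obj.field_names())):
            stack.append(accessor(i))
    return list(seen.values())


class FileStore(SandboxSafe):
    """Privileged object living outside the sandbox (constructed sample data)."""

    def __init__(self):
        self.files = {"readme.txt": "hello", "secret.key": "hunter2"}

    def read(self, name):
        return self.files[name]


class Document(SandboxSafe):
    """A sandbox-safe object inside the sandbox, holding a proxy reference."""

    def __init__(self, title, files):
        self.title = title
        self.files = files


def build_world():
    store = FileStore()
    proxy = make_file_proxy(store, allowed={"readme.txt"})
    doc = Document("notes", proxy)
    return store, proxy, doc


def demo():
    """Walk the object graph from inside the sandbox and report what is visible."""
    store, proxy, doc = build_world()
    found = reachable(doc)
    doc.inst_var_at_put(0, "renamed")       # safe objects may still rewrite each other
    return {
        "reaches_proxy": any(o is proxy for o in found),
        "reaches_store": any(o is store for o in found),
        "allowed_read": proxy.read("readme.txt"),
        "title_after_put": doc.inst_var_at(0),
    }


def read_is_denied(name):
    """True when the proxy refuses to serve `name`."""
    _, proxy, _ = build_world()
    try:
        proxy.read(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), read_is_denied("secret.key"))
```

The walk reaches the proxy (it is a legitimate object in the sandbox's graph) but never the store behind it, while `inst_var_at_put` on the `Document` still succeeds, which is the "they can mess each other up, but not do real harm" property. This is only a model of the design: Python's own reflection (`__closure__`, `gc.get_referents`) is not a hard boundary, whereas the message's scheme relies on the proxy root class simply not inheriting the reflective primitives.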