Talking out loud here about ocap modules for Racket so I can organize my thoughts.
- All macros and values are *explicitly* and *intentionally* introduced into a module
- The default situation is that macros can exfiltrate surrounding information from even foreign surrounding code. However, we can create one-off code inspectors to prevent this nastiness.
- Currently modules are name-centric; that doesn't map to my needs. But I can create one-off registries and pull in modules from others.
Hurricane Matthew caused the most recent large damage, and it’s generally thought to have been strengthened by #climatechange.
This beach is a preview…
We've created a situation where this is a necessity, so a little responsibility and empathy is in order. The principle that "many eyes make bugs shallow" doesn't apply to the threat model that's evolved. People have reasons for making bad decisions. We distance ourselves and fix blame, but we do the same things and we caused this. So that's not fair.
Fair is a value served by justice, which means doing the thing in our power to change outcomes.
Now on to learning about type systems! https://school.racket-lang.org/2019/plan/thu-mor-lecture.html
@VyrCossont @astraluma Ocaps can be seen as a sandboxing mechanism, but rather a paradigm where everything is sandboxed and yet it isn't hell because it resembles the way we pass around arguments in our programs. One advantage that ocaps have over contemporary sandboxes is that they can acquire just-in-time authority also. But that sounds like nonsense without further explanation, which I will have to do at a future time.
I should probably blog explaining this stuff a bit more clearly :)
@VyrCossont @astraluma This is why the just-in-time acquirement of authority in ocaps is really key: in the fixed-set-of-authority model, it's so annoying and rigid that eventually you'd pass in way more authority than you need, rather than being able to acquire the authority you need when you need it.
- One where we list what documents you can access up-front. Now you can't access anything you shouldn't be able to, but you can't access *new* documents.
- One where you start with a set of documents you can access, but as the world moves and changes, we can also pass you access to new documents
Imagine the fediverse built with the former. You could never gain new friends!
chemical burn imagery
"margarita burn" can cause some very severe injuries, and can be caused merely by lime juice exposed to sunlight https://boingboing.net/2019/07/11/that-next-cocktail-could-burn.html
I don't drink alcohol, but I'll take careful note the next time I'm making lemon-lime-ade to beat the heat...
@opal "object capabilities". It doesn't really have much to do with "objects" in that it doesn't require object oriented programming, and originally they were just called "capabilities", but "capabilities" got overloaded as a term (eg, what the Linux kernel calls capabilities are nothing like object capabilities). ocap is shorthand; it refers to a specific paradigm: your security model isn't who you are, but what references you hold onto.
@liw Here's a good start: http://mumble.net/~jar/pubs/secureos/secureos.html
Imagine if instead of (solitaire) running with your full authority, you passed in the authority you need, eg (solitaire get-input write-to-screen read-write-score-file)
Instead of solitaire being able to exfiltrate your private keys and cryptolocker your data, now solitaire doesn't even have network and general file access (only to the one file); you simply didn't pass access to it.
Lambda is your new security model now.
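An added example, written for this page rather than taken from the posts or from any Racket ocap library, that works through the solitaire post above and the "fixed set of documents" versus "hand me new documents as the world changes" contrast from the earlier post, in Python instead of Racket. Every path, file name and the `DocumentReader` class are constructed for the illustration. The point to notice is structural: `solitaire` only ever holds the closures it was passed, so no statement inside it can name the key file, and the reader can only read a document after someone holding that capability chooses to hand it over.

```python
"""Object capabilities as passed-in arguments (constructed Python example)."""
from typing import Callable, Dict, List, Tuple

# Constructed sample "filesystem": the user's full authority. Solitaire is never
# handed this dict, only closures scoped to one entry of it.
INITIAL_FILES: Dict[str, str] = {
    "/home/user/.ssh/id_ed25519": "constructed-private-key-material",  # constructed
    "/home/user/solitaire/scores": "0",
}
SCORE_PATH = "/home/user/solitaire/scores"


def make_file_cap(store: Dict[str, str], path: str) -> Tuple[Callable[[], str], Callable[[str], None]]:
    """Return a (read, write) pair bound to exactly one path.

    The closures carry the authority; the holder cannot change the path, so
    holding `write` for the score file grants nothing about any other file."""
    def read() -> str:
        return store[path]

    def write(data: str) -> None:
        store[path] = data

    return read, write


def make_screen() -> Tuple[List[str], Callable[[str], None]]:
    """Constructed stand-in for a screen: an append-only list and a writer closure."""
    screen: List[str] = []

    def write_to_screen(line: str) -> None:
        screen.append(line)

    return screen, write_to_screen


def solitaire(get_input: Callable[[], str], write_to_screen: Callable[[str], None],
              read_score: Callable[[], str], write_score: Callable[[str], None]) -> int:
    """The game. Its entire authority is its argument list: one input source,
    one output sink, and read/write to the single score file."""
    previous = int(read_score())
    score = previous + (1 if get_input() == "win" else 0)
    write_score(str(score))
    write_to_screen(f"score: {score}")
    return score


def run_solitaire_session(inputs: List[str]) -> Tuple[int, List[str], Dict[str, str]]:
    """Wire solitaire up with least authority and play one round per input.

    Returns the final score, what reached the screen, and the store, so a
    caller can check that only the score file changed."""
    store = dict(INITIAL_FILES)                # fresh copy per session
    read_score, write_score = make_file_cap(store, SCORE_PATH)
    screen, write_to_screen = make_screen()
    queue = list(inputs)
    score = int(read_score())
    while queue:
        score = solitaire(queue.pop(0).__str__, write_to_screen, read_score, write_score)
    return score, screen, store


class DocumentReader:
    """Just-in-time authority: starts with whatever it was granted and can be
    handed more later, but it can never reach a document nobody gave it."""
    def __init__(self) -> None:
        self._docs: Dict[str, Callable[[], str]] = {}

    def grant(self, name: str, read_cap: Callable[[], str]) -> None:
        self._docs[name] = read_cap

    def read(self, name: str) -> str:
        if name not in self._docs:
            raise PermissionError(f"no capability for {name}")
        return self._docs[name]()


def document_session() -> Tuple[str, bool, str, bool]:
    """Contrast the two models from the post: the reader is denied plan.txt
    until it is granted, and secret.txt (never granted) stays out of reach."""
    store = {"report.txt": "quarterly numbers", "plan.txt": "next steps",
             "secret.txt": "not for this reader"}          # constructed
    reader = DocumentReader()
    reader.grant("report.txt", make_file_cap(store, "report.txt")[0])
    first = reader.read("report.txt")
    try:
        reader.read("plan.txt")
        denied_before_grant = False
    except PermissionError:
        denied_before_grant = True
    reader.grant("plan.txt", make_file_cap(store, "plan.txt")[0])   # the world changed
    second = reader.read("plan.txt")
    try:
        reader.read("secret.txt")
        denied_secret = False
    except PermissionError:
        denied_secret = True
    return first, denied_before_grant, second, denied_secret
```

Running `run_solitaire_session(["win", "lose", "win"])` plays three rounds and leaves the key entry in the returned store untouched, because nothing solitaire holds can reach it; `document_session()` shows the same reader being denied, then granted, then reading, with the never-granted document still denied. Revoking access in this model is just dropping the closure you were holding.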
Backdoor discovered in Ruby "strong password" library, takes your "strong passwords" and uploads them into a pastebin https://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/
Hi, do you believe me when I say we need ocap security yet?
The base ISA for RISC-V has been ratified, so there's a stability promise! https://riscv.org/2019/07/risc-v-foundation-announces-ratification-of-the-risc-v-base-isa-and-privileged-architecture-specifications/