bringing object-orientation to security...
TRANSCRIPT
![Page 1: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/1.jpg)
Bringing Object-orientation to Security Programming
Mark S. Miller and the Cajadores
![Page 2: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/2.jpg)
Overview: Bottom up by Layers
Composing Networks of Games Smart Contracts as Games Dimensions & Taxonomy of Electronic Rights Patterns of Safe Cooperation Access Abstractions and Compositions Object-capabilities (ocaps) Objects, References, Messages
![Page 3: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/3.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
How might object Bob come to know of object Carol?
![Page 4: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/4.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Alice says: bob.foo(carol)
![Page 5: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/5.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Alice says: bob.foo(carol)
![Page 6: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/6.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Alice says: bob.foo(carol)
![Page 7: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/7.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Alice says: bob.foo(carol)
![Page 8: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/8.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Alice says: bob.foo(carol)
![Page 9: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/9.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Bob says: var carol = { ... };
![Page 10: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/10.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
Alice says: var bob = { ... carol ... };
![Page 11: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/11.jpg)
How do I designate thee?
by Introduction ref to Carol ref to Bob decides to share
by Parenthood by Endowment by Initial Conditions
At t0:
![Page 12: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/12.jpg)
OCaps: Small step from pure objects
Memory safety and encapsulation + Effects only by using held references + No powerful references by default
![Page 13: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/13.jpg)
OCaps: Small step from pure objects
Memory safety and encapsulation + Effects only by using held references + No powerful references by default Reference graph ≡ Access graph Only connectivity begets connectivity OO expressiveness for security patterns
![Page 14: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/14.jpg)
Objects as Closures
function makeCounter() { var count = 0; return { incr: function() { return ++count; }, decr: function() { return --count; } }; }
makeCounter
count
incr
decr
count
incr
decr
count
incr
decr
![Page 15: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/15.jpg)
Objects as Closures
function makeCounter() { var count = 0; return { incr: function() { return ++count; }, decr: function() { return --count; } }; }
makeCounter
count
incr
decr
count
incr
decr
count
incr
decr
A record of closures hiding state is a fine representation of an
object of methods hiding instance vars
![Page 16: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/16.jpg)
Objects as Closures in SES on ES5
“use strict”; function makeCounter() { var count = 0; return def({ incr: function() { return ++count; }, decr: function() { return --count; } }); }
makeCounter
count
incr
decr
count
incr
decr
count
incr
decr
A tamper-proof record of lexical closures encapsulating state
is a defensive object
![Page 17: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/17.jpg)
Turning EcmaScript 5 into SES
<script src=“initSES.js”></script>
Monkey patch away bad non-std behaviors Remove non-whitelisted primordials Install leaky WeakMap emulation Make virtual global root Freeze whitelisted global variables • Replace eval & Function with safe alternatives Freeze accessible primordials
![Page 18: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/18.jpg)
Revocable Function Forwarder
function makeFnCaretaker(target) { return def({ wrapper: function(…args) { return target(…args); }, revoke: function() { target = null; } }); }
makeCaretaker
target
wrapperrevoke
target
wrapperrevoke
target
wrapperrevoke
target
wrapperrevoke
target
wrapperrevoke
target
wrapperrevoke
![Page 19: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/19.jpg)
Alice
Unconditional Access
Alice says: bob.foo(carol);
Bob
Carol
foo
Grants Bob full access to Carol forever
![Page 20: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/20.jpg)
Alice
Revocability ≡ Temporal attenuation
Alice says: var ct = makeCaretaker(carol); bob.foo(ct.wrapper);
target
wrapperrevoke
Bob
Carol
foo
![Page 21: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/21.jpg)
Alice
Revocability ≡ Temporal attenuation
Alice says: var ct = makeCaretaker(carol); bob.foo(ct.wrapper); //…
target
wrapperrevoke
Bob
Carol
![Page 22: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/22.jpg)
Alice Alice says: var ct = makeCaretaker(carol); bob.foo(ct.wrapper); //… ct.revoke();
target
wrapperrevoke
Bob
Carol
Revocability ≡ Temporal attenuation
![Page 23: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/23.jpg)
Alice Alice says: var ct = makeCaretaker(carol); bob.foo(ct.wrapper); //… ct.revoke();
target
wrapperrevoke
Bob
Carol
Revocability ≡ Temporal attenuation
![Page 24: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/24.jpg)
Alice
Attenuators ≡ Access Abstractions
Alice says: var ct = makeCaretaker(carol); bob.foo(ct.wrapper);
Bob
Carol
Express security policy by the behavior of the objects you provide
foo
![Page 25: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/25.jpg)
Abstractions extend vocabulary
Primitives Abstraction Forms Extended Vocabulary
+, ., [] procedural abstraction foo(bar, baz), …
int, struct, array data abstraction Point, Window, …
if, while, switch control abstraction addListener, visitor, …
points-to access abstraction caretaker, membrane, …
![Page 26: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/26.jpg)
Alice
Membranes: Transitive Interposition
function makeFnMembrane(target) { var enabled = true; function wrap(wrapped) { if (wrapped !== Object(wrapped)) { return wrapped; } return function(…args) { if (!enabled) { throw new Error(“revoked”); } return wrap(wrapped(…args.map(wrap)); } } return def({ wrapper: wrap(target), revoke: function() { enabled = false; } }); }
Bob
Carol
Dave
![Page 27: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/27.jpg)
Attenuators Compose
function makeROFile(file) { return def({ read: file.read, getLength: file.getLength }); } var rorFile = makeROFile(revocableFile);
![Page 28: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/28.jpg)
No powerful references by default
Alice says: var bobSrc = //site B var carolSrc = //site C var bob = eval(bobSrc); var carol = eval(carolSrc);
bob
carol
Alice Bob
Carol
![Page 29: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/29.jpg)
No powerful references by default
bob
carol
Alice
Bob and Carol are confined. Only Alice controls how they can interact or get more connected.
Bob
Carol
Alice says: var bobSrc = //site B var carolSrc = //site C var bob = eval(bobSrc); var carol = eval(carolSrc);
![Page 30: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/30.jpg)
No powerful references by default
Alice says: Alice bob
carol
Bob
Carol
![Page 31: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/31.jpg)
Bob
Carol
bob
carol
counter
Only connectivity begets connectivity
Alice says: var counter = makeCounter(); bob(counter.incr); carol(counter.decr); bob = carol = null; countcountcount
incr
decr
![Page 32: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/32.jpg)
Bob
Carol
bob
carol
counter
Only connectivity begets connectivity
Alice says: var counter = makeCounter(); bob(counter.incr); carol(counter.decr); bob = carol = null; countcountcount
incr
decr
Bob can only count up and see result. Carol only down. Alice can only do both.
![Page 33: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/33.jpg)
Membrane eval → compartment
var compartment = makeMembrane(eval); var vbob = compartment.wrapper(bobSrc);
Alice Bob
![Page 34: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/34.jpg)
Membrane eval → compartment
var compartment = makeMembrane(eval); var vbob = compartment.wrapper(bobSrc); //…
Alice Bob
![Page 35: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/35.jpg)
Membrane eval → compartment
var compartment = makeMembrane(eval); var vbob = compartment.wrapper(bobSrc); //… compartment.revoke();
Alice Bob GC
![Page 36: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/36.jpg)
Composing Authority
∪?
Usually intersection
Subset
![Page 37: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/37.jpg)
Rights Amplification
≥∪ ∪
Authority conditional on other possessions.
Enables more expressive power.
![Page 38: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/38.jpg)
Rights Amplification
function makeBrand() { var amp = WeakMap(); return def({ seal: function(payload) { var box = def({}); amp.set(box, payload); return box; }, unseal: function(box) { return amp.get(box); } }); }
Alice Bob foo
makeBrand
amp
seal unseal seal unseal
payload
box
payload
box
payload
box amp
![Page 39: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/39.jpg)
Rights Amplification
function makeBrand() { var amp = WeakMap(); return def({ seal: function(payload) { var box = def({}); amp.set(box, payload); return box; }, unseal: function(box) { return amp.get(box); } }); }
Crypto patterns without crypto
makeBrand() generate key pair
seal method encryption key
unseal method decryption key
payload plaintext
box cyphertext
![Page 40: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/40.jpg)
Distributed Secure Currency
$100 $200
![Page 41: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/41.jpg)
Distributed Secure Currency
$100 $200
var paymentP = myPurse ! makePurse();
![Page 42: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/42.jpg)
Distributed Secure Currency
$100 $200
var paymentP = myPurse ! makePurse();
![Page 43: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/43.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse();
![Page 44: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/44.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse);
![Page 45: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/45.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse);
![Page 46: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/46.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse);
$90
$10
![Page 47: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/47.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
$90
$10
![Page 48: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/48.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
buy
$90
$10
![Page 49: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/49.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
$90
$10
return Q(paymentP).when(function(p) {
![Page 50: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/50.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
$90
$10
return Q(paymentP).when(function(p) { return Q(myPurse ! deposit(10, p)).when(function(_) {
![Page 51: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/51.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
$90
$10
deposit
return Q(paymentP).when(function(p) { return Q(myPurse ! deposit(10, p)).when(function(_) {
![Page 52: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/52.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
$90 $210
return Q(paymentP).when(function(p) { return Q(myPurse ! deposit(10, p)).when(function(_) {
![Page 53: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/53.jpg)
Distributed Secure Currency
$100
$0
$200
var paymentP = myPurse ! makePurse(); paymentP ! deposit(10, myPurse); var goodP = bobP ! buy(desc, paymentP);
return Q(paymentP).when(function(p) { return Q(myPurse ! deposit(10, p)).when(function(_) { return good; }, …
$90 $210
![Page 54: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/54.jpg)
Money as “factorial” of secure coding
function makeMint() { var amp = WeakMap(); return function mint(balance) { var purse = def({ getBalance: function() { return balance; }, makePurse: function() { return mint(0); }, deposit: function(amount, src) { Nat(balance + amount); amp.get(src)(Nat(amount)); balance += amount; } }); function decr(amount) { balance = Nat(balance – amount); } amp.set(purse, decr); return purse; } }
No explicit crypto
Alice Bob buy
makeMint
mint mint purse decr
purse decr purse decr
balance
amp
![Page 55: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/55.jpg)
Dimensions of Electronic Rights
Object reference • Shared • Specific • Opaque • Exercisable
Money • Exclusive • Fungible • Assayable • Symbolic
![Page 56: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/56.jpg)
Smart Contracts as Board Games
Negotiation Design a game both expect to win
Players make moves, but only “legal” ones Move changes state of board Board-state determines move “legality”
ERights are “pieces” placed on board Game escrows pieces, Pieces/ERights released only by play
![Page 57: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/57.jpg)
A Simple Exchange Game
![Page 58: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/58.jpg)
The Five Players
![Page 59: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/59.jpg)
A Covered Call Option
![Page 60: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/60.jpg)
Composing Networks of Games
![Page 61: Bringing Object-orientation to Security Programmingsoft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf · 2011. 10. 11. · Bringing Object-orientation to Security Programming](https://reader033.vdocuments.mx/reader033/viewer/2022051903/5ff4355a9113206a0c12d96b/html5/thumbnails/61.jpg)
Questions?
Composing Networks of Games Smart Contracts as Games Dimensions & Taxonomy of Electronic Rights Patterns of Safe Cooperation Access Abstractions and Compositions Object-capabilities (ocaps) Objects, References, Messages