Strawman: Module Keys

# Mike Samuel (6 years ago)

I'm looking for other criticism of mikesamuel/tc39-module-keys and for interested parties who might have time to refine it.

This adds public/private key analogues to ModuleBodies along with some associated operators.

As background, we on Google's security engineering group have had a lot of success hooking into build systems, linkers and using static analyzers to identify problematic code patterns, guide developers towards safe ones, and make sure we find out about things that we want to know about. This has let a small group of security engineers manage the security of a much larger group of application developers without us-vs-them dynamics.

I hope that some machinery like this might enable similar dynamics within open-source projects that don't have monolithic code repos.

I'm looking for other criticism of
https://github.com/mikesamuel/tc39-module-keys and for interested parties
who might have time to refine it.

This adds public/private key analogues to ModuleBodies along with some
associated operators.

As background, we on Google's security engineering group have had a lot of
success hooking into build systems, linkers and using static analyzers to
identify problematic code patterns, guide developers towards safe ones, and
make sure we find out about things that we want to know about.  This has
let a small group of security engineers manage the security of a much
larger group of application developers without us-vs-them dynamics.

I hope that some machinery like this might enable similar dynamics within
open-source projects that don't have monolithic code repos.

cheers,
mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20180227/e5bb7459/attachment.html>

# Alex Vincent (6 years ago)

On Wed, Feb 28, 2018 at 4:00 AM, <es-discuss-request at mozilla.org> wrote:

From: Mike Samuel <mikesamuel at gmail.com>I'm looking for other criticism of mikesamuel/tc39-module-keys and for interested parties who might have time to refine it.

I'm just taking a bit of time to read over it. Keep in mind, I'm no security expert.

In the spec, you write,

We use the name frenemies below. This is a terrible name.

I suggest "counterparties". www.investopedia.com/terms/c/counterparty.asp

What's a Box? (I'm serious. You really don't define what it is in this context.) You also talk about boxed values and unboxed values, but I may have missed the paragraphs explaining the difference.

In your example code sections, you imply these properties are directly named as properties of alice and bob, respectively... do we want all of those as such, or maybe under a namespace (alice[someNameOrSymbol].publicKey)? Particularly with such generic names as box and unbox... I'd feel more comfortable if they were under a predefined Symbol.MODULE_KEYS namespace.

That's my two cents - and they're worth exactly that much after inflation. :-)

Alex

On Wed, Feb 28, 2018 at 4:00 AM, <es-discuss-request at mozilla.org> wrote:

> From: Mike Samuel <mikesamuel at gmail.com>I'm looking for other criticism
> of https://github.com/mikesamuel/tc39-module-keys and for interested
> parties who might have time to refine it.

I'm just taking a bit of time to read over it.  Keep in mind, I'm no
security expert.

In the spec, you write,

> We use the name frenemies below. This is a terrible name.

I suggest "counterparties".
https://www.investopedia.com/terms/c/counterparty.asp

What's a Box?  (I'm serious.  You really don't define what it is in this
context.)  You also talk about boxed values and unboxed values, but I may
have missed the paragraphs explaining the difference.

In your example code sections, you imply these properties are directly
named as properties of alice and bob, respectively... do we want all of
those as such, or maybe under a namespace
(alice[someNameOrSymbol].publicKey)?  Particularly with such generic names
as box and unbox...
I'd feel more comfortable if they were under a predefined
Symbol.MODULE_KEYS namespace.

That's my two cents - and they're worth exactly that much after inflation.
:-)

Alex

-- 
"The first step in confirming there is a bug in someone else's work is
confirming there are no bugs in your own."
-- Alexander J. Vincent, June 30, 2001
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20180302/81b15755/attachment.html>

# Mike Samuel (6 years ago)

On Fri, Mar 2, 2018 at 8:29 PM, Alex Vincent <ajvincent at gmail.com> wrote:

On Wed, Feb 28, 2018 at 4:00 AM, <es-discuss-request at mozilla.org> wrote:

From: Mike Samuel <mikesamuel at gmail.com>I'm looking for other criticism of mikesamuel/tc39-module-keys and for interested parties who might have time to refine it.

I'm just taking a bit of time to read over it. Keep in mind, I'm no security expert.

Thanks for giving it a read.

In the spec, you write,

We use the name frenemies below. This is a terrible name.

I suggest "counterparties". www.investopedia.com terms/c/counterparty.asp

What's a Box? (I'm serious. You really don't define what it is in this context.) You also talk about boxed values and unboxed values, but I may have missed the paragraphs explaining the difference.

Good point. A "box" is an instance of class Box. The important thing about Boxes is that if frenemies0 and frenemies1 are outputs from makeFrenemies then

  value === frenemies0.unbox(
      frenemies1.box(value, (k) => true),
      (k) => true)

so the unbox function reverses the box function when things are permissive.

Where this becomes useful is when we use a predicate less permissive than (k => true).

The value associated with a box can only be accessed if both the box caller and the unbox caller agree.

  value === frenemies0.unbox(
      frenemies1.box(value, (k) => k === frenemies0.publicKey && k()),
      (k) => k === frenemies1.publicKey && k())

Public keys can be passed to predicates. The private key is used within unbox to ensure that the public key only returns true when checked on behalf of the module that owns it.

The first ((k) => ...) predicate lets frenemies1 ensure that only

frenemies0.unbox can open the value. The second predicate lets frenemies0 ensure that the box came from frenemies1

In your example code sections, you imply these properties are directly named as properties of alice and bob, respectively... do we want all of those as such, or maybe under a namespace (alice[someNameOrSymbol].publicKey)? Particularly with such generic names as box and unbox... I'd feel more comfortable if they were under a predefined Symbol.MODULE_KEYS namespace.

The only frenemies property that is implicitly exported is publicKey. Having a well-known symbol for the public key seems reasonable.

On Fri, Mar 2, 2018 at 8:29 PM, Alex Vincent <ajvincent at gmail.com> wrote:

> On Wed, Feb 28, 2018 at 4:00 AM, <es-discuss-request at mozilla.org> wrote:
>
>> From: Mike Samuel <mikesamuel at gmail.com>I'm looking for other criticism
>> of https://github.com/mikesamuel/tc39-module-keys and for interested
>> parties who might have time to refine it.
>
>
> I'm just taking a bit of time to read over it.  Keep in mind, I'm no
> security expert.
>

Thanks for giving it a read.

> In the spec, you write,
>
>> We use the name frenemies below. This is a terrible name.
>
>
> I suggest "counterparties".  https://www.investopedia.com/
> terms/c/counterparty.asp
>
> What's a Box?  (I'm serious.  You really don't define what it is in this
> context.)  You also talk about boxed values and unboxed values, but I may
> have missed the paragraphs explaining the difference.
>

Good point.  A "box" is an instance of `class Box`.
The important thing about Boxes is that if frenemies0 and frenemies1 are
outputs from makeFrenemies then

      value === frenemies0.unbox(
          frenemies1.box(value, (k) => true),
          (k) => true)

so the unbox function reverses the box function when things are permissive.

Where this becomes useful is when we use a predicate less permissive than
(k => true).
The value associated with a box can only be accessed if both the box caller
and the unbox caller
agree.

      value === frenemies0.unbox(
          frenemies1.box(value, (k) => k === frenemies0.publicKey && k()),
          (k) => k === frenemies1.publicKey && k())

Public keys can be passed to predicates.  The private key is used within
unbox to ensure
that the public key only returns true when checked on behalf of the module
that owns it.

The first ((k) => ...) predicate lets frenemies1 ensure that only
frenemies0.unbox can open the value.
The second predicate lets frenemies0 ensure that the box came from
frenemies1

> In your example code sections, you imply these properties are directly
> named as properties of alice and bob, respectively... do we want all of
> those as such, or maybe under a namespace (alice[someNameOrSymbol].publicKey)?
> Particularly with such generic names as box and unbox...
> I'd feel more comfortable if they were under a predefined
> Symbol.MODULE_KEYS namespace.
>

The only frenemies property that is implicitly exported is publicKey.
Having a well-known symbol for the public key seems reasonable.

> That's my two cents - and they're worth exactly that much after
> inflation.  :-)
>
> Alex
>
> --
> "The first step in confirming there is a bug in someone else's work is
> confirming there are no bugs in your own."
> -- Alexander J. Vincent, June 30, 2001
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20180305/ed7cb7e3/attachment.html>