►
Description
This is talk 2/2 in a Lecture Series on Web Security by Google Research Scientist Mark S. Miller. It took place on October 7th at the Vrije Universiteit Brussel in Brussels, Belgium. Full details at: http://mobicrant-talks.eventbrite.com
Abstract:
Just as we should not expect our base programming language to provide all the data types we need, so we should not expect our security foundation to provide all the abstractions we need to express security policy. The answer to both is the same: We need foundations that provide simple abstraction mechanisms, which we use to build an open ended set of abstractions, which we then use to express policy. We show how to use EcmaScript 5 to enforce the security latent in object-oriented abstraction mechanisms: encapsulation, message-passing, polymorphism, and interposition. With these secured, we show how to build abstractions for confinement, rights amplification, transitive wrapping and revocation, and smart contracts.
Slides:
http://soft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf
A
So
yesterday
mark
took
us
on
a
tour
throughout
the
history
of
computer
security
and
talking
about
security
as
an
extreme
form
of
modularity,
and
today
that's
going
to
be
sort
of
the
main
focus
of
this
car.
So
he's
going
to
talk
about
starting
from
the
foundation
of
object-oriented
programming,
how
you
can
build
secure
systems
of
art
for
resource
okay,.
B
B
That's
fundamental
kind
of
extraction
mechanism
alongside
the
familiar
procedural
data
and
control
abstraction,
and
talk
about
some
of
the
logic
by
which
these
abstractions
compose
and
then
patterns
of
safe
cooperation.
At
that
point,
I'll
be
going
through
the
money
example
that
I
mentioned
yesterday,
going
through
explaining
how
it
works,
and
then
with
with
money
as
an
example
and
with
object
references
as
the
other
example
I'll
be
teasing
apart.
B
A
B
B
And
then
I'm
going
to
talk
about
throughout
the
theme
will
be
abstraction
and
composition,
ascending
levels
of
abstraction
and
then
at
each
level
of
abstraction,
how
the
abstractions
compose
with
each
other,
to
lead
us
to
the
next
level
of
abstraction.
So
I'm
going
to
close
with
an
example
of
the
composition
of
contracts
to
form
networks
of
networks
of
contracts.
B
B
B
If
bob
already
exists
and
carol
does
not,
then,
if
bob
creates
carol
at
the
moment
of
creation,
bob
holds
the
only
point
of
account
if
carol
already
exists
and
bob
does
not,
then
if
there
exists
a
third
object,
such
as
alice,
that
creates
bob,
she
can
create
bob.
She
can
choose
to
create
bob
so
that
bob
comes
into
existence
already
endowed
with
the
pointed
account.
B
He
can't
forge
a
pointer
to
carol
by,
for
example,
casting
an
integer
like
they
can
in
c
plus
plus
many
languages
once
again
job
as
an
example
have
real
encapsulation,
where,
if
bob
has
appointed
carol,
he
can
make
your
own
carol's
public
interface
to
make
use
of
the
services
that
carol
was
designed
to
offer.
That
cannot
reach
through
her
public
interface
to
a
private
instance
variables
and
manipulate
state
that
carol's
author
did
not
intend
bob
to
access
for
these
two
elements.
B
We
only
need
to
add
two
further
restrictions
to
get
from
objects
to
object,
capabilities,
the
restriction
that
an
object
can
only
cause
effects
outside
of
itself
by
using
references
that
it
holds
and
that
an
object
is
not
given
any
powerful
references
by
default
and
by
powerful
reference.
What
I
mean
is
a
reference
through
which
it
is
enabled
to
cause
effects,
so
references
to
transitively
immutable
trees
of
objects
that
don't
lead
to
any
io
devices
or
mutable
locations.
B
B
B
B
B
B
Here's
the
graphical
notation,
I'll
use
throughout
the
talk,
lexical
scoping
is
reflected
as
spatial
nesting
make
counters
in
scope
throughout
this
piece
of
code,
multiplicity
of
layers
represents
multiple
instantiation.
Every
time
the
counter
is
called.
It
makes
a
new
such
triple
neutral
with
an
ink
or
a
decor,
and
the
count
variable
that
shows
access
to
anchor
and
decker
are
shown
on
the
surface
of
the
layer,
because
they're
accessible
outside
the
layer
count
is
shown
internal
because
only
inker
and
decker
can
access
count.
There's
no
direct
access
to
this
variable
that
can
escape
from
this
player.
B
B
To
build
in
ecmascript
5
brings
us
two
new
constructs
that
I'll
only
mention
briefly
today.
Today's
talk
is
not
really
about
javascript.
It's
about
object,
capabilities
in
the
abstract
and
just
touching
on
javascript.
The
extent
needed
to
explain
the
notation
this
new
strict
is
a
feature
that
came
in
with
equi
strip
5
that
repairs
all
the
scoping
issues,
so
we
just
have
genuine
lexical
scoping
and
functions
become
truly
encapsulated.
B
This
def
from
scs
built
on
something
from
ecosystem
5
just
makes
this
record
tamper-proof
and
the
result
of
these
things
together
in
ecmascript,
5
and
in
secure
ecmascript,
give
us
objects
that
are
able
to
defend
their
integrity.
It's
a
hamper
proof
record
of
lexical
closures,
truly
encapsulating
state
that
gives
us
a
a
properly
defensive
object.
B
B
It
just
means
that
we
can
guarantee
true
lexical
scoping,
and
we
leverage
that
lexical
scoping
guarantee
by
having
our
wrapper
for
the
original
about
safe
valve,
guarantee
that
the
only
variables
the
only
global
variables
that
the
evaluated
expression
can
reference
are
the
ones
on
our
white
list,
all
of
which
frozen
and
need
only
to
transit
of
the
immutable
state.
So
all
the
pre-existing
objects,
all
pre-existing
values
that
the
evaluated
expression
can
access
simply
by
naming
them
are
all
ones
that
that
that
are
completely
harmless,
that
don't
lead
to
any
ability
to
cause
any
effects.
B
B
Over
here
on
the
code
on
the
right,
we
have
a
restricted
form
of
it,
restricted
just
for
expository
purposes.
It's
a
functioning
caretaker.
What
the
caretaker
is
about
is
a
pattern
of
revocability.
The
function
caretaker
creates
a
revocable
wrapper
of
a
function.
The
full
caretaker
creates
a
revocability
both
for
off
for
functions
and
for
records,
but
the
the
means
needed
to
do
that
for
records
is
complicated
in
ways
that
are
distraction
from
the
point
of
talk.
B
B
Why
is
this
useful?
Well
recall
our
connectivity
by
introduction,
when
alice
sends
the
message
through
to
bob
she's,
giving
bob
full
unconditional
access
to
carol
forever?
Typically
in
object-oriented
programming,
that's
actually
the
typical
thing
that
you
want,
but
sometimes
it
isn't
for
some
purposes.
This
might
be
more
authority
than
alice
wishes.
Bob
to
have
might
be
more
authority
than
bob
needs
to
have.
B
So
the
caretaker
is
a
particular
kind
of
attenuator
which
attenuates
authority
and
temporal
dimension
bob
by
being
given
access
to
the
wrapper.
So,
okay,
so
carol
instantiates
an
instance
of
the
caretaker
holds
on
to
the
revoke
method
of
the
caretaker
gives
bob
the
wrapper
and
then
bob
when
receiving
the
wrapper.
Bob
can
now
use
the
wrapper
effectively
using
carol
using
carol
services.
B
So
bob
at
this
point
has
professional
access
to
apparel,
but
not
unconditional,
full
access
forever.
He
has
full
access
to
carol
until
alice
changes.
Her
mind
and
alice
does
change
her
mind.
She
invokes
the
revoke
that
drops
the
target
variable
and
now
the
base
relationship,
which
is
the
primitive
pointing
to
relationship,
is
not
revocable
but
notice
that
the
irrevocability
of
the
primitive
relationship
did
not
prevent
us
from
revoking
what
we
were
interested
in
revoking
bob
still
has
unconditional
full
access
to
the
rapper
forever,
but
the
wrapper
is
now
fully
useless
forever.
A
B
A
A
B
B
Our
machine
instruction
sets
and
the
the
the
basic
elements
of
our
programming
languages
give
us
various
primitive
operators
for
operating
on
data
addition
field,
lookup
grain
indexing
whatever
and
by
procedural
abstraction.
We
extend
our
vocabulary
of
operators.
We
build
new
operators
for
ourselves
that
we
can
use
alongside
the
built-in
operators
like
over.
Here
is
a
foo
operator
that
can
operate
on
a
bar
and
a
bath,
and
it
just
in
addition
to
having
a
plus
operator
that
can
operate
on
numbers.
B
B
Our
machines,
give
us
primitive
control.
Structures
of
go-to
and
conditional
go
to
our
languages,
give
us
control
structures
like
if
switch
and
while
and
by
control
abstraction
we
build
other
other
means
of
manipulating
and
profile.
Other
control
abstractions,
like
atlas
and
visitor,
and
finally,
our
machines
with
the
basic
addressing
logic
and
the
our
languages
by
abstracting.
The
addressing
logic
into
pointers
and
unforgivable
pointers,
give
us
one
kind
of
points
to
relationship
by
building
access.
Abstractions
like
the
caretaker
and
the
membrane
we
give
ourselves.
B
B
The
code
on
the
right
is
once
again
a
simplification
of
the
membrane
idea
as
applied
just
to
functions
for
expository
purposes.
In
this
case,
I
won't
walk
through
the
code,
but
the
basic
idea
of
the
membrane
is:
it
starts
off.
Acting
like
a
caretaker
bob
has
revocable
access
to
carol,
but
if
bob
makes
use
of
that
revocable
access
by
sending
a
message
through
the
membrane,
all
the
arguments
of
the
message
get
threaded
back
through
the
membrane.
B
The
result
of
sending
the
message
gets
threaded
through
the
membrane
and
then
any
messages
that
are
sent
on
those
references
in
turn
get
threaded
through
the
membrane.
So
the
membrane
represents
a
cut
point
in
the
graph
and
all
further
connectivity.
That's
bootstrapped
through
the
cut
point,
gets
threaded
through
the
membrane
so
that,
when
alice
revokes
the
membrane
she
cuts.
All
of
those
references
at
once
so
now
to
emphasize
the
point.
Instead
of
holding
scissors
alice
is
shown
holding
a
much
more
powerful
dynamite
pointer.
B
Access
abstractions
compose
very
naturally
over
here
we
see
our
first
type
specific
attenuator,
which
is
make
read-only
file,
given
a
system
in
which
there's
a
file
abstraction,
which
is
an
object
that
has
various
methods
for
reading
and
writing
a
file.
The
read
only
file
abstraction
makes
and
returns
a
record
containing
only
the
query
methods,
not
the
right,
not
the
update,
not
the
writing.
B
Methods
from
the
underlying
file
object,
giving
us
a
read-only
view
on
the
underlying
file,
but
no
ability
to
modify
them
even
if
the
make-read-only
file,
abstraction
and
the
caretaker
abstraction
were
written
completely
without
knowledge
of
each
other.
They
nevertheless
composed
very
naturally-
and
this
is
actually
very
common,
which
is,
if
we're
given
a
revocable
file
that
was
given
to
us
by
somebody
who
used
a
caretaker
to
make
it
and
we
wrap
it
and
turn
with
make
read-only
file.
B
B
She
evaluates
the
bob
expression
using
our
safe
evaluator
and
the
bob
expression
would
evaluate
just
creates
whatever
the
sub
graph
is
according
to
that
piece
of
code,
but
because
it's
evaluated
by
our
safe
evaluator,
this
subgraph
has
no
pointers
out
that
enable
it
to
cause
any
effects.
It's
effectively
completely
isolated,
so
bob
at
this
point
has
no
ability
to
cause
effects
on
the
world
outside
of
himself
and
likewise
for
carol.
B
In
fact,
bob's
only
connectivity
to
the
outside
world
is
that
the
event
returning
the
value
of
the
expression
is
returning
some
root
of
the
subgraph.
That
bob
creates,
which
alice
stores
into
our
bob
variable
and
likewise
for
carol.
So
at
this
point,
alice
and
bob
are
both
completely
confined
and
only
alice
controls.
How
they
might
interact
or
get
more
connected.
B
Alice
is
in
a
position
of
complete
power
over
bob
and
carol
at
this
point.
What
might
alice
do
with
this
with
this
position
of
great
power?
Let's
move
alice
out
of
the
way,
so
we
can
see
the
effects
of
what
she
does
if
she
instantiates
her
counter
gives
bob
access
to
incremented
gives
carol
access
to
decrement
method,
zeroes
out
her
bottom
carol.
Variables
holds
on
to
the
counter,
then,
from
this
point
forward
the
only
possible
interactions
among
these
three
parties,
even
if
they,
even
if,
after
this
they
would
they
would
wish.
B
B
B
B
The
valve
source
code
makes
it
through
to
the
underlying
the
valve,
which
evaluates
it,
giving
us
the
subgraph,
but
then,
when
confining
a
vowel
returns,
a
pointer
to
the
root
object
that
pointer
gets
threaded
through
the
membrane,
so
alice
doesn't
receive
a
direct
pointer
to
the
root
of
bob.
She
receives
only
a
point,
a
pointer
that
she
can
revoke
with
her
diamond
plunger.
To
this
root
of
bob
alice
can
now
engage
in
normal
object-oriented
patterns.
Passing
bob
to
other
collaborators
occurs,
bob
the
can.
B
B
B
A
B
Reduce
your
rights
without
remapping
your
api
right,
that's
the
distinction.
All
the
attenuators
reduce
your
rights,
a
thinning
attenuator
is
one
which
it
reduces
the
rights
only
by
removing
possibilities,
the
possibilities
it
allows
are
presented
through
the
same
api
by
which
they
were
originally
presented.
B
You
can
have
something
to
also
remaps
the
api,
providing
a
subset
of
authority,
but
where
the
presented
api
is
different,
and
at
that
point,
if
these
two
attenuators
are
remapping
attenuators,
then
the
only
thing
you
can
say
about
this
is
functional
composition.
You
don't
have
any
further
ability
to
reason.
If
these
are
both
thinning
attenuators,
then
their
serial
composition
becomes
simply
intersection
of
the
subsets
that
they
allow
and
the
the
serial
composition
is
in
fact
commutative.
If
you
do
it
in
either
order,
it
has
the
same
effect.
B
Okay,
so
the
interesting
one
is
what
happens
that
you
can
think
of
this
as
joint
points
in
the
graph
of
authority?
What
happens
when
an
object
holds
two
references?
Making
two
references
directly
to
two
other
objects
might
be
two
references
through
two
attenuators
to
other
objects,
so
if
alice
holds
references
to
bob
and
carol
clearly
alice
holt
has
all
the
authority
that
she
has,
by
virtue
of
holding
reference
to
bob
and
clearly
alice,
has
all
the
authority
that
she
has
by
virtue
of
holding
a
reference
to
carol.
B
B
B
B
Alice
ii
has
the
abilities
to
do
what
you
can
do
with
only
a
can
opener,
which
is
very
level,
and
the
analyst
organization
clearly
has
the
union
of
those
two
abilities.
Does
the
ellis
organization
have
any
more
than
that?
Does
the
alice
organization
have
the
ability
to
get
the
tuna?
Well,
there's
a
strange
thing
about
a
phone
line
which
is
no
matter
how
much
alice
ii
describes
over
the
phone.
The
characteristics
of
the
can
opener
to
alice
one
alice.
One
cannot
use
that
description
to
open
the
pan
and
get
the
tune.
B
B
B
B
Every
time
you
call
make
brand
it
makes
a
new
amplifier
table.
Weak
map
here
is
just
a
key
value.
Mapping
from
object,
identity
to
arbitrary
values
of
the
weakness
for
those
who
know
about
harsh
collection
will
know
what
that
means.
The
garbage
collection
issues
are
really
irrelevant
to
the
to
the
point
of
this
talk
so
just
consider
this
to
be
a
key
value:
mapping
where
the
keys
are
indexed
by
object,
identity.
B
So
that's
what
the
amplifier
is
and
make
brand
also
makes
and
returns.
This
object
this
record,
consisting
of
the
seal
method
and
an
unseal
method,
so
every
quad
to
make
brand
creates
this
triple
with
a
seal
method
and
unseal
method
and
an
amplifier
table.
So
each
of
these
layers
represents
one
of
those
calls
to
make
brand.
B
Let's
see
what
the
seal
function
does
if
alice
calls
seal,
if
alice
has
the
seal
method
and
she
calls
seal
with
some
payload,
then
the
seal
method
creates
an
empty
object,
an
that
has
no
methods
at
all
and
is
therefore
completely
useless.
Except
that
it
has
a
unique
identity,
so
it's
only
utility
is
that
it's
an
unforgeable
token.
B
B
B
So
why
is
this
useful?
Well,
it's
useful
for
the
same
reasons
that
public
key
cryptography
is
useful,
independent,
ignoring
how
these
these
systems
are
implemented,
the
logic
of
of
these
systems.
They
could
have
public
key
photography
considered
as
an
abstract
data
type
from
the
point
of
view
of
those
using
it
is
identical
to
the
brand
as
an
abstract
data
type.
The
the
implementation
of
the
brand
is
taking
advantage
of
the
fact
that
we
were
within
one
address
space
on
top
of
a
language
implementation.
B
We
can
make
use
of
the
mutual
trust
of
the
underlying
language
implementation
to
avoid
the
overhead
of
crypto.
That's
that's!
Why
there's
no
magic
keys,
don't
need
to
do
crypto
when
you're
going
over
network,
but
every
call
to
make
brand
is
equivalent
to
generating
a
key
pair.
I
sealed
each
seal
method
from
that.
From
from
that,
each
key
pair
each
care
pair
is
one
of
those
planes.
B
So
in
a
cryptographic
system,
if
alice
says
to
bob
some
ciphertext,
then
if
bob
has
the
right
decryption,
please
has
given
bob
access
to
the
plain
text.
If
bob
does
not
know
the
right
decision,
then
alice
has
only
enabled
bob
to
enable
someone
that
does
know
the
decryption
key
to
see
if
the
plaintext.
B
B
So
now,
let's
walk
through.
Let's
actually
explain
the
money
example
from
yesterday.
The
scenario
here
is
that
alice
bob
and
the
bank
are
threatening
to
assist
the
parties
alice
and
bob
do
not
trust
each
other.
The
bank
does
not
trust
allison,
bob
alice
and
bob
trust
the
bank
with
their
money
and
nothing
else.
B
In
the
scenario,
we're
going
to
walk
through
alice
wishes
to
pay
bob
to
buy
something
that
when
bob
is
paid,
bob
is
expected
to
release
an
exchange.
So
she
does
this
by
first
sending
a
make
her
message
to
her
main
purse.
Her
pre-existing
trust
relationship
with
the
bank
is
represented
by
a
object.
Reference
to
a
purse
object
in
her
main
bank
who's,
whose
current
balance
represents
her
account
at
the
bank
and
likewise
to
bob
the
bank
here
for
those
who
attended
the
talk.
B
Yesterday
knows
this
is
an
asynchronous
message
sent
for
those
who
didn't
attend
the
talk
yesterday.
Don't
worry
about
that
everywhere.
You
see
a
ban
just
think
dot.
It's
for
purposes
of
this
talk.
This
might
as
well
just
be
a
normal
object
message
sent
so
in
response
to
sending
the
make
purse
message
to
her
purse.
B
The
her
main
purse
creates
a
new
payment
person
with
a
zero
balance
returns.
A
reference
to
that
alice
then
tells
her
payment
first
deposit,
ten
dollars
into
yourself
from
my
main
purse,
giving
payment
purse
access
to
her
main
curse
when
the
deposit
message
is
received
her
payment
first.
Does
the
transfer
acknowledges
successful
transfer
by
not
throwing
an
exception?
That's
all.
It
means
to
acknowledge.
Success
is
going
to
deposit
returns
without
throwing
an
exception,
and
then
knowing
that
the
deposit
succeeded,
alice
now
sends
a
buy
message
to
bob
with
the
payment
purses.
B
B
Although
from
alice's
point
of
view
at
this
point,
bob's
been
paid
not
from
bob's
point
of
view,
bob
has
received
some
object
from
somebody.
He
doesn't
trust.
He
has
no
idea
what
he's
receiving
okay,
even
if
bob
knew
that
what
he
received
was
a
purse
implemented
by
this
bank.
He
doesn't
know
that
it's
a
person
the
same
currency,
even
if
he
knew
it
was
a
person
the
same
currency.
He
doesn't
know
that
has
an
adequate
balance,
even
if
he
knows
that
the
same
currency
with
the
adequate
balance.
B
So
how
does
he
deal
with
all
of
these
heart
problems,
combined
with
all
the
heart
problems
of
the
integrity
of
the
money
system
that
I
mentioned
yesterday?
Well,
he
doesn't
solve
these
problems
themselves.
He
delegates
all
of
these
problems
to
the
bank
to
solve
by
simply
sending
a
deposit
message
to
his
main
purse
with
the
payment
purse
as
an
argument
and
says
basically
to
the
bank.
Look
you
deal
with
it.
Here's
that
here's
that
that
alleged
payment
first,
I
have
no
idea
what
it
is.
B
If
the
deposit
message
completes
successfully
returns
without
throwing
an
exception
or
the
asynchronous
equivalent,
which
I
explained
yesterday,
then
the
success
block
of
the
lane
catch
runs
in
which
bob
returns
the
good.
So
if
bob's
execution
arrives
at
the
success
block,
then
bob
knows
that
he's
gotten
the
money
and
you
can
safely
release
the
game
so
with
alice's
alice's
actions.
Being
this
simple
and
bob's
actions
being
that
simple,
how
does
the
bank
take
care
of
all
of
the
problems
since
we've
left
all
the
heart
problems
for
the
bank
to
take
care
of?
B
B
B
Every
call
to
make
mint
creates
a
pair
of
the
mint
function
and
the
amplifier
table.
Every
time
mint
is
called.
It
makes
a
new
purse,
object,
decrement
function
and
balance
triple
here's
the
object,
here's
the
decrement
function
and
the
balance
variable
is
the
parameter
variable
of
the
call
to
min
and
it
stores
into
the
amplifier
table
a
mapping
from
the
purse
as
key
to
the
decrement
function
of
value.
B
So,
in
the
scenario
we're
talking
about
alice's
main
purse
is
this:
is
the
purse
over
here
in
the
back
letter?
Bob's
main
purse?
Is
the
person
over
here
in
the
front
layer
and
payment
purse?
Is
the
purse
over
here
in
the
middle
layer
get
balance
just
returns?
The
current
value
of
balance
make
purse
calls
mint
with
a
zero.
B
So
since
that
means
that
everybody
with
that
has
access
to
a
purse
has
indirect
access
to
the
mint,
but
they
still
can't
violate
conservation
of
currency.
They'll
only
do
that
if
you
have
direct
access
to
them,
because
through
this
indirect
access
to
the
mint,
you
can
only
call
cause
the
person
to
call
the
mint
with
a
zero
and
creating
a
new
person
with
a
zero
balance
does
not
change
the
total
amount
of
currency.
B
When
bob
tells
his
main
purse
to
deposit
ten
dollars
from
this
payment
purse,
what
happens?
Well,
this
nap
function
is
a
simple
helper
function
that
verifies
that
its
argument
is
a
non-negative
integer
within
a
range
of
consecutively,
representable
non-reg,
non-negative
integers
in
javascript,
and
if
so,
it
returns
that
integer.
Otherwise
it
throws
an
exception.
B
So
if
balance
plus
amount
would
not
be
representable
within
that
range,
that
will
throw
an
exceptional
terminating
protocol
there.
Otherwise
this
alleged
payment
purse
this
object,
we
don't
know
what
it
is.
We
just
look
it
up
in
our
amplifier,
the
amplifier
table
being
an
object.
Identity
table
doesn't
interact
with
the
object
at
all.
It
just
looks
up
its
identity,
and
only
if
it's
a
purse
of
this
currency
will
this
lookup
succeed
under
all
other
conditions,
any
other
kind
of
object
or
a
couple
of
things.
B
If
local
fails,
this
get
returns
undefined
during
the
function
call
on
the
returned.
Undefined
will
throw
an
exception
once
again,
terminating
the
protocol
there,
if
the
amount
that
we're
transferring
is
not
a
non-negative
integer.
We
terminate
the
protocol
there
and
finally,
if
we've
looked
up
the
payment,
purse's
decker
function,
which
is
what
happens
if
the
lookup
succeeds,
would
be
this
detective
function
over
here
at
the
middle
layer.
B
Then
we
invoke
that
with
the
amount
having
verified
the
amount
as
a
representative
non-negative
integer,
what
the
payment
person's
decker
function
does.
Is
it
verifies
again
using
that
that
the
account
that
that
the
that
the
purse
has
adequate
funds
that
once
a
month
is
subtracted
from
it?
The
the
resulting
balance
will
not
go
negative
and
at
that
at
this
point,
we've
passed
all
of
the
gating
checks
and
we
have
not
yet
done
any
side
effects,
and
this
is
a
general
pattern
which
is
do
all
of
your
gating
checks.
B
First,
before
you
do
any
of
your
irrevocable
side
effects
and
then,
once
you
start
doing,
your
revocable
side
effects
make
sure
to
do
them
to
completion.
If
you
don't
have
any
error
cases
left,
so
we
assign
the
decrement
the
payment
person
signs,
decremented
balance
returns
and
then
bob's
main
purse
increments
its
own
balance
by
the
same
amount,
then
we
return
and
bob
releases
the
bid
to
alex
okay.
B
B
B
Money
is
a
is,
is
a
is
a
kind
of
right
with
certain
particular
properties
and
object.
Reference
is
a
kind
of
right
with
very
different
properties,
and
by
by
comparing
and
contrasting
them,
we
realize
that
the
differences
teach
us
about
four
dimensions:
four
of
the
dimensions
on
which
electronic
rights
can
differ
from
each
other
and
by
teasing
apart
these
four
dimensions.
B
B
The
the
reference
the
payment
person
designates
that
particular
payments.
It
doesn't
just
designate
some
general
payment,
some
some
payment
person
first,
whereas
money
is
fungible
one
one
dollar
bill
is
as
good
as
another,
because
this
isn't
just
a
property
of
money.
Barrels
of
oil
were
traded.
This
way
people
traded
barrels
of
oil
they're,
creating
a
certain
quantity
of
a
certain
grade
of
oil
they're,
not
trading
specific
physical
barrels.
B
This
is
a
property
that
economists
call
fungi
object.
References
are
opaque.
The
only
thing
you
know
when
you
receive
an
object.
Reference
is
here's
something
you
can
send
messages
to.
You
might
know
something
by
context
for
by
virtue
of
the
fact
you
received
it
in
a
particular
position
of
a
particular
parameter
from
one
of
your
clients,
but
as
far
as
the
object
itself
is
concerned,
it's
just
something
that
you
send
messages
does
whatever
it
does
in
response
to
messages.
B
Bob
doesn't
consider
himself
to
be
paid
until
he
knows
he's
gotten
some.
Some
particular
thing
in
this
case
money
of
a
particular
a
certain
quantity
of
money
of
a
certain
currency,
and
it's
that
assay
ability,
which
is
just
a
fancy
term
for
measurability
of
bob's
ability
to
know
what
it
is
he's
received.
B
B
B
When
you
and
I
negotiate
a
contract,
what
we're
doing
is
we're
jointly
designing
the
rules
for
a
game
that
we
would
both
be
willing
to
play,
we're
both
willing
to
play
it,
because
we
both
expect
to
win
because
the
games
the
contracts
represent,
are
generally
positive.
Some
there's
no
paradox
for
both
of
us
expecting
to
win
generally.
Both
parties
in
fact
do
win,
which
is
why
they
commit
themselves
in
contract.
B
Once
they
commit
themselves
to
the
contract,
they're
now
playing
the
game
and
they're
playing
the
game
according
to
the
rules
that
they've
already
agreed
to
so
as
each
player
makes
a
move,
the
moves
can
only
be
the
moves
allowed
by
the
contract
while
allowed
by
the
rules
of
the
game.
Each
move
changes
the
state
of
the
board
and
what
moves
are
legal
depends
on
the
current
board
states
in
each
move.
Changing
the
board
of
state
changes,
what
moves
illegal
next
and
finally,
the
rights
themselves.
B
We
can
view
them
as
the
pieces
placed
on
the
board
when
we
place
the
pieces
on
the
board,
as
each
party
is
escorting,
various
rights
with
the
rules
of
the
game,
just
placing
various
rights
of
theirs
under
control
by
the
game
no
longer
under
their
own
control,
and
now
they
can
obtain
rights
back
from
the
game.
Only
according
to
the
rules
of
the
game
that
they've
agreed
to.
B
Over
here
we
have
a
simple
exchange
game
shown
as
a
state
state
transition
buying
land.
This
is
the
initial
state.
This
gold
bar
represents
alice's
money.
The
knight
represents
bob's,
stock
and
and
alison
barber.
Don't
use
this
to
go
to
to
negotiate,
having
negotiated
that
we're
playing
the
exchange
game
they're
not
going
to
use
the
exchange
game
to
negotiate
a
trade
of
money
for
stock.
B
B
B
The
house
might
remove
it
place,
a
different
amount
of
money
and,
finally,
bob
might
accept
alice's
offer
take
the
money
and
show
the
money
on
the
right
side
of
the
board
here,
meaning
that
bob
has
removed
the
money
and
that's
the
unidirectional
commitment
there.
That's
the
irrevocable
step
once
bob
picks
up
alice's
money.
The
only
remaining
possibility
is
for
alice
to
pick
up
bob's
stock.
B
To
implement
this,
we
need
five
players.
So
these
this
pattern
of
five
players
arises
over
and
over
again,
the
five
players
are
the
dollar
issuer,
which
follows
the
logic
exactly
of
the
bank,
because
the
stock
issuer
which
follows
exactly
the
same
logic,
can
be
implemented
with
exactly
the
same
code.
But
now
the
units
represent
stock
in
a
particular
company
rather
than
units
of
a
particular
currency.
B
In
this
situation,
the
dollar
issue
doesn't
have
to
trust
any
of
the
other
four
parties.
The
stock
issuer
does
not
trust
any
for
other
four
parties.
The
contract
house
doesn't
have
to
trust
any
of
the
four
parties
alice
and
bob
don't
have
to
trust
each
other,
but
alice
and
bob
both
have
to
trust
all
of
the
other
three
parties
or
this
arrangement
is
meaningless.
B
B
Having
that
choice
until
the
deadline
expires,
has
something
valuable
well,
since
it's
something
that
alice
has,
which
is
valuable,
alice
might
like
to
trade
it
well.
If
she
wants
to
trade
it,
she
might,
for
example,
instantiate
the
exchange
game
over
here
in
a
game
with
fred
to
sell
fred
the
option
and
what
the
option.
What
what
she's
selling
to
fred
is
the
right
to
sit
in
this
chair.
B
B
A
B
A
B
B
It's
a
lexical
reference,
it's
a
free,
it's
a
free
reference
within
the
text
of
the
function
and
it's
a
free
reference
whose
corresponding
definition
is
is
in
alice's,
scope
and
and
with
when
bob
is
textually
authored
by
alice
in
that
fashion.
By
basically,
when
the
source
code
of
bob
is
part
of
the
source
code
of
alice,
then
it's
a
part
of
alice
to
express
what
bob's
endowment
should
be
now.
So
this
pattern
where
bob's
code
is,
is
itself
part
of
alice's
code
and
therefore
is
itself
part
of
alice's
expressed
intention.
B
We
call
that
closed
creation.
You
vow,
we
call
open
creation
in
which
the
code
is
not
part
of
the
instantiators
expressed
intention,
it's
gotten
from
elsewhere,
and
in
that
case
we
don't
simply
allow
naming
to
implicitly
acquire
references
from
the
containing
environment.
We
require
those
be
explicitly
provided
by
other
actions
and.
A
B
B
You
you
end
up
with
a
pattern
where
every
object
with
interesting
state
every
object
has
a
flag
that
says:
am
I
initialized
yet
the
init
method
refuses
to
checks
the
flag
and
refuses
to
run
if
it
has
been
initialized
yet
and
all
other
methods
refuse
to
run
it
if
it
has
not
been
initialized
yet
once
you
once
all
objects
have
followed
that
pattern
to
understand
the
resulting
system.
The
resulting
system
is
now
at
a
level
of
abstraction,
has
created
again
the
level
of
abstraction
where
effectively
you
have
endowment,
but
you
but
you're
correct.
B
B
The
the
creator
of
the
concept
of
smart
contracts,
there's
a
guy
named
nick
zaba,
who
has
been
pursuing
very
different
cryptographic
names
and
very
interesting
cryptographic,
means
multi-party,
secure,
complication.
All
sorts
of
interesting
fancy
cryptography
for
achieving
a
very
overlapping
set
of
goals,
and
the
whole
idea
is
very
inspired
about
his
idea
of
small
contracts,
which
got
me
started
in
more
of
these
directions.
B
Get
of
doing
it
with
fancy
cryptography
rather
than
the
techniques
I'm
showing
here,
is
over
and
over.
Here
you
see
these.
These
mutually
trusted.
Third
parties,
they're
only
mutually
trusted
per
interaction
and
alice
and
bob
want
to
pray.
They
need
a
mutually
trusted
escrow
exchange
agent,
each
time
they
want
to
do
that
it
can
be
different
parties
there's!
No,
it's
not
it's
not
like
pki,
where
you
have
a
globally
trusted
third
party.
It
becomes
a
central
point
of
value
for
the
system,
but
still
with
fancier
crypto.
A
B
There
are
the
work
that
I
mentioned
on
bitcoin
yesterday
is
a
fascinating
piece
of
work
on
creating
a
decentralized
money
system
and
inspired
by
among
other
people,
nick
zabo
again,
the
bitcoin
system
actually
has
in
it
some
built
into
it
some
mechanisms
for
expressing
smart
contracts,
in
addition
to
just
simple
money
exchange.
They
don't
know
that
anybody
has
actually
made
use
of
that
mechanism
in
the
bitcoin
context,
but
don't
mean
if
they
haven't
not
familiar
enough
with
the
actual
practice
of
bitcoin
to
know,
but
the
fact
that
those
enablers
are
there
is
very
exciting.
B
That's
the
extent
of
what
I
know,
but
it
might
vary.
Oh,
and
actually
I
should
mention
there
is
a
variety
of
essentially
automated
contractual
systems
where
some
contractual
arrangement
is
is
is
represented
in
automated
mechanisms
by
which
parties
interact
and
nick
zabo
when
he
introduces
the
content
of
smart
contract.
I
think
he
does
a
great
job
of
saying
the
simplest.
Smart
contract
is
the
vending
machine,
the
vending
machine
you
put
in
money.
You
get
out
the
code.
B
If
you
don't
put
the
money,
you
don't
get
the
coke,
it's
it's
essentially
an
escargot.
You
first
escrow
only
once
it
knows
and
successfully
escort
the
money
and
notice.
There's
an
interesting
asymmetry
in
which
you
learn
a
lot
about
smart
contracting,
which
is
the
trade,
is
money
for
cutting
there's
an
escrowing.
That
needs
to
be
done.
B
B
B
A
B
B
B
Where
you
need
more
parties,
the
the
reason
why
five
parties
arise
so
often
is
when
there
are
two
parties
in
the
contract
when
there
are
two
kinds
of
rights
being
exchanged,
then
there's
the
two
parties
in
contract:
there's
the
issuer
for
each
of
the
kinds
of
rights
and
then
there's
the
contractors.
So
that's
that's
a
very
general
pattern
and
you
know
quite
often
in
contracts
you
have
that
pair
of
twos,
which
is
why
this
arises
a
lot,
but
certainly
you
have
a
multi-way
contract.
They
have
contract
dynamic,
number
of
participants.
B
B
But
when
you
recognize
you
know
certain
set
of
repeating
patterns
that
seem
to
arise.
As
you
go
about
expressing
yourself
in
this
meet
in
this
in
this
media,
then
you
try
to
figure
out
what
are
some
reusable
abstractions
that
you
can
create
for
expressing
these
patterns
and
then,
once
you
realize
okay,
this
is
a.
This
is
a
reusable
pattern
that
I
can
provide.
Some
help
with
by
providing
these
abstractions,
then
you
start
asking
well
how
do
they
compose
each
other?
A
Yeah
in
the
money
system
example
you
well,
the
main
part
was
the
weak
map
that
actually
held
the
references.
Okay,
now
I'll,
let
you
know,
are
there
no
vulnerabilities
to
the
system?
I
mean
other
ways.
One
can
access.
I
know
about
the
extension
firefox,
let's
say,
but
is
there
something
let's
say?
Is
there
a
tribulus
anatomy
where
this
would
be
exposed
to
vulnerability
in
the
week
matter?
A
B
Whenever
we're
doing
security,
we
have
to
be
very,
very
careful
about
our
assumptions.
What
what
what
security
people
call
by
your
threat
to
be
very
specific
about
what
your
threat
model
is,
what
problem
you're
solving
and
what
set
problems
do
not
solve
in
doing
this
work
in
javascript
we're
sitting
on
top
of
a
tremendous
pile
of
software,
and
there
can
be
vulnerabilities
that
blow
our
security
at
any
of
the
layers
below
us.
B
Whenever
you
engineer
a
secure
system,
you're
doing
it
on
top
of
some
platform
and
whatever
that
platform
is
you're,
doing
a
secure
operating
system.
Your
platform
is
the
hardware
if
you're
doing
a
secure
application.
Your
platform
is
the
operating
system.
Whatever
your
platform
is
you're,
making
some
assumptions
about
that
platform
operating
correctly.
B
You
can't
continue
so
you
proceed
to
do
your
your
secure
operating
system,
not
knowing
if
your
hardware
is
secure
but
you've
got
to
start
somewhere
and
if
you
arrive
at
the
point
where
you've
secured
something
at
some
upper
layer
and
people
find
that
security
useful,
except
that
sometimes
the
security
gets
subverted
through
an
attack
coming
into
the
lower
layer.
Then
what
you've
done
is
the
usefulness
of
the
security
you've
delivered
to
customers
at
the
upper
layer
and
creates
a
market
demand
to
fix
the
vulnerabilities
by
which
the
system
was
attacked
in
the
lower
layer.
B
If
you
start
on
top
of
the
whole
pile
of
stuff
that
the
computer
industry
has
created
according
to
a
different
security
theory,
deliver
some
security.
That
would
be
valuable.
If
everything
below
you
is
non-corrupted,
then
you
should.
Then
I'm
hoping
that
starts
dynamic
and
you
can
propagate
the
defense
against
corruption,
down
the
stack
rather
than
trying
to
propagate
it
up
the
stack.
A
Actually,
if
you
use
actual
public
encryption,
is
there
a
way
to
make
sure
that
we
also
have
some
sort
of
bottom-up
security
sense
that
okay,
now
I'm
using
a
hash
map
there?
And
if
I
use
publications,
I
know
it
takes
time.
But
if
I
use
that,
then
I
know
for
sure
that
I
am
99
secure,
not
yeah.
The
all
almost.
B
Cryptography
makes
essentially
the
same
kind
of
weak
assumption
that
I'm
making
about
the
local
platform
security
of
the
user
of
their
cryptography
right.
If
your
machine
has
a
key
walker
when
you
type
in
the
pass
phrase
that
unlocks
your
private
key,
it's
gone.
Okay,
the
so
using
a
standard
machine,
running
standard
operating
system,
on
top
of
which
we've
installed
applications
and
browser
extensions,
etc,
and
using
that
as
the
machine
on
which
you're
going
to
engage
in
public
key
cryptography,
you
have
exactly
the
same
kind
of
weakness
as
the
weakness
that
I'm
admitting
to.
A
So
you
have,
you
have
introduced
secure,
ecmascript
sort
of
the
vehicle
in
which
you
expose
these
ideas.
Do
you
think
it's
feasible
today
already
to
build
these
kinds
of
systems
in
secure
ecmascript
or,
if
not,
what
technologies
would
be
required
in
order
to
get
there
and
to
express
these
in
both
these
patterns
in
a
comfortable
way
yeah.
So.
A
B
A
B
And
given
a
good
solution
to
the
persistence
problem,
all
of
this
there's
there's
one
major
technological
hurdle
that
I've.
That
now
is
a
good
time
to
be
very
clear
about,
which
is,
I
didn't
explain
how
these
objects
survive,
machine
crashes
and
power,
outages
and
etc,
so
that
all
of
the
all
of
the
state
needs
to
somehow
be
backed
by
non-volatile
storage,
so
that
these
so
that
these
objects
can
roll
forward
over
time,
and
there
are
solutions
to
that.
B
There's
a
system
that
has
a
very
similar
logic
to
what
I'm
talking
about
here
called
water
ken,
where
the
logic
is
in
terms
of
an
object
capability,
subset
of
java
name
joey
rather
than
javascript.
But
it
has
a
system
of
like
five
millimeters
orthogonal
distributed
persistence
among
mutually
suspicious
machines.
That
has
all
the
persistence
properties
that
you
need
to
support
this.
That
kind
of
resistance
has
not
yet
been
brought
to
javascript
and
therefore
you
need
to
give
persistence
by
some
other
meetings
and
that
adds
mechanism.