►
From YouTube: Secure Distributed Programming with Object-capabilities in JavaScript (Mark S. Miller, Google)
Description
This is talk 1/2 in a Lecture Series on Web Security by Google Research Scientist Mark S. Miller. It took place on October 6th at the Vrije Universiteit Brussel in Brussels, Belgium. Full details at: http://mobicrant-talks.eventbrite.com
Abstract:
Until now, browser-based security has been hell. The object-capability (ocap) model provides a simple and expressive alternative. Google's Caja project uses the latest JavaScript standard, EcmaScript 5, to support fine-grained safe mobile code, solving the secure mashup problem. Dr. SES -- Distributed Resilient Secure EcmaScript -- extends the ocap model cryptographically over the network, enabling RESTful composition of mutually suspicious web services. We show how to apply the expressiveness of object programming to the expression of security patterns, solving security problems normally thought to be difficult with simple elegant programs.
Slides:
http://soft.vub.ac.be/events/mobicrant_talks/talk1_ocaps_js.pdf
A
B
So
I
start
to
talk
by
explaining
what
object
capability
security
is
and
why
you
should
want
it.
Then
I'll
explain
how
to
use
JavaScript
as
a
local
educate
billion,
how
to
extend
from
there
to
support
flexible
and
secure
local
code
in
JavaScript,
then
the
owner
global
code,
how
to
extend
onto
the
network
objects
and
still
keep
the
virtues
of
the
security
model
you're
about
to
see,
as
we
extend
going
to
the
nether
by
using
topography,
then
I'll
bring
this
I'll
bring
all
of
these
elements
together
to
paint
a
picture.
B
There
have
been
two
fundamental
access:
control
models,
identity
based
access
control
has
come
to
be
known
as
access
control
disease,
in
which
all
security
questions
start
with
the
question
who
is
making
this
request
and
whatever
identities
presented
as
the
result
of
that
answer,
identically
associated
with
the
request?
The
decision
about
whether
the
request.
B
B
Security
question
would
begin
with
the
question:
is
this
request
authorized
and
if
the
request
is
authorized,
then
you
can
allow
it
to
proceed
and
you
don't
need
to
know
or
Tara
who
is
making
the
request.
So
a
question
like
that
doesn't
even
need
to
have
a
prepared
answer.
Don't
read
the
global
coherence,
theory
of
identity
or
if
it's
a
seed
with
superiors
in
the
1970s
decades
before
the
lives
of
knowledge,
industry
prolly
effectively
face
choices
fork
in
the
road
and
through
various
accidents
of
history.
B
It
chose
the
Apple
path,
the
aquifer
for
the
road
and
then
in
the
90s.
We
start
to
have
to
see
the
real
rise
of
malware
and
the
security
situation
has
gotten
worse
ever
since
ministry.
Overall,
the
history
of
the
computer
screen
of
computer
science
in
this
glorious
history,
things
keep
getting
better
and
better
and
better,
except
for
security.
We
seem
to
be
stopped
and
in
fact,
if
you
look
at
the
statistics
and
many
ways,
things
keep
getting
worse.
B
So
what's
the
problem,
why
is
it
that,
despite
such
glorious
progress
or
taller
dimensions,
we
can't
progress
on
computer
security?
Well,
the
problem
you
see
is
that
there's
this
program
there's
this
very
powerful
cover.
There
is
this
program,
that's
so
powerful
that
it
can
scan
through
all
of
your
files
to
find
their
secrets
and
sell
them
on
eBay
to
the
highest
order,
it's
so
powerful
that
it
can
delete
all
of
your
files.
What
is
this
very
powerful
product?
Well,
this
powerful
program
is
solid
data
and
it's
every
application
installed
with
conventional
operating
system.
B
Solitaire
you'll
need
thority
that
it
needs
is.
The
third
is
to
be
able
to
render
to
the
user,
receive
user
interface
events.
Some
of
the
things
doing
is
interacting
with
the
user.
However,
our
current
operating
systems
by
design,
given
the
authority
to
delete
all
of
your
files.
Why
is
that?
It's
because
of
identity
center
and
access
control,
but
solitaire
would
try
to
delete
your
file.
The
operating
system
asks
well,
who
is
making
the
request
by
the
theory
of
identity
that
the
operating
systems
are
built
in
the
answer
is
you
are
making
the
request?
B
B
B
So
the
interactivity
was
that
when
a
user
clicks
on
a
form
or
form
button
or
a
link,
the
browser
sends
an
HTTP,
GET
or
post
to
the
server.
The
server
is
often
renders
of
a
through
the
process,
a
single
event
that
punt
and
then
return
a
new
HTML
page
for
the
browser
to
render
the
Ajax
revolution
was
really
the
revolution
of
safe
mobile
code
as
protocol.
B
Now
that
we
had
JavaScript
running
in
the
browser
as
well,
the
the
JavaScript,
the
browser
can
also
directly
issue
HTTP
cuts
imposed
to
the
server
independent
of
user
action
to
deal
with
the
security
issues,
their
rows,
the
browser's
instituted.
This
bizarre
security
model
called
the
same
origin
policy,
and
we
see
meaning
of
it
on
the
slide.
Its
policy
that
expense
to
enforce
the
restriction
that
javascript
will
be
given
pager
frame
can
only
speak
back
to
the
server
of
orange
separately
servers
found.
B
Programmers
needs
to
speak
along
the
other
pathway
as
long
as
picture
was
so
great
that
they
found
in
various
holes
in
the
browser
security
model
and
made
use
of
them
to
speak
on
these
other
pathways.
The
this
abuse
of
those
holes
was
so
valuable
that
the
existence
of
those
hole
became
entrenched
and
nobody
can
any
longer
fix.
The
primary
hole
JSONP
over
here
is
yet
another
inform
with
mobile
coders
protocol.
This
time
is
really
terrible.
Security.
B
Modern
web
standards
provide
better
engineer
alternatives
to
those
closures,
and
the
result
is
that,
because
we
evolved
here
gradual
invite
by
by
overcoming
the
limitations
of
the
original
design
architecture.
The
result
is
that
these
different
pathways
have
different.
Api
seem
like
different
technologies,
but
really
what's
going
with
the
the
end
result,
is
a
uniform
symmetric
picture
of
objects
in
event,
loops
sending
these
synchronous
messages
to
be
processed
by
objects
of
other
events.
B
Carry
of
messages,
code
objects
and
references;
okay,
so
once
we
have
once
we
build
up
to
this
picture,
then
one
of
the
main
benefits
are
thinking
about
your
distributed
system.
Is
that
for
many
purposes
of
analysis,
not
for
all
purposes,
you
can
focus
just
on
the
Internet
as
a
big
distributed
heap
of
objects,
a
big
distributed
object,
and
you
change
your
focus
from
folks
from
thinking
about
the
Essenes
and
the
machine-man
reason
and
the
process
boundaries
to
the
objects
and
their
relationships
to
other
objects.
B
Right
now
many
web
applications
or
web
applications
that
convey
third-party
content.
An
example
of
this
is,
if
I
send
you
an
email
message:
I
can
say
new
HTML
email
message:
I
can
send
you
an
email
message
that
has
embedded
JPEG
images
or
whatever,
and
the
email
systems
will
invade
the
content
of
that
message,
including
the
the
rich
text,
the
markup
and
the
images
through
the
email
system
present
them
to
you
to
the
web-based
email
is
a
read
based
resent
them
through
your
web-based
email
interface.
B
However,
if
HTML
that
I'm
sending
the
HTML
that
contains
a
script
over
here
is
perfectly
innocent
script,
what
it's
doing
is
this
is
the
markup
content
of
the
email
data,
just
as
particular
phrase,
and
this
little
script
is
just
something
that
the
author
of
this
phrase
wanted
to
do
to
enhance
the
experience
of
the
reader.
All
it
does.
Is
it
animates
the
phrase
it
provides
a
little
bit
of
interactivity,
but
every
web-based
email
system
the
world
would
strip
out
the
script
and
only
present
the
data
leaving
the
data
dead.
All
the
interactivities
gone
sooner.
B
It's
not
just
webmail
its
blogs
and
wikis,
and
a
thousand
other
web
applications
will
do
this
well.
This
is
a
bizarre
result,
because
the
Ajax
revolution
was
the
revolution
of
safe
mobile
coders
protocol.
If
javascript
is
safe
mobile
code,
then
why
is
it
you
can't
send
new
JavaScript
and
I
can
experience
the
interactivity
with
that
JavaScript.
B
B
If
your
web-based
email
16
did
not
strip
out
the
scrap,
then,
when
the
script
ran
within
your
email,
interface
or
web-based
email
interface,
it
would
run
as
you
at
that
email
provider.
That's
better
than
running,
simply
as
you
being
able
to
do
everything
you
can
do,
it
can
no
longer
manipulate
the
Facebook
account
forever,
but
everything
that
you
can
do
as
your
account
with
your
email
provider.
If
this
script
were
not
stripped
out,
we
could
also
do-
and
that
includes
to
leading
all
of
your
email
messages
so
yep.
B
B
B
The
overall
picture
is
that
back
in
the
70s,
the
computer
industry
made
a
choice
before
they
knew
what
the
search
space
looked
like.
Having
made
control
we're
now
in
the
maze
down
here
in
the
search
space,
we
keep
searching
for
some
way
to
organize
computation
such
that
we
end
up
meeting
the
goal
of
convenient
expressive,
flexible
and
secured
computation
and
keeps
our
emails.
B
We
keep
not
making
progress
and
one
of
the
things
we
know
in
the
computer
science
of
search
algorithms
is,
if
you
make
a
speculative
choice
and
then
you
start
exploring
the
search
space
that
descends
from
that
part
of
this
type
of
choice
and
you're,
not
making
progress
to
the
goal.
You
should
at
least
consider
the
possibility
that
you're
stuck
in
a
cul-de-sac.
You
should
at
least
consider
the
possible
and
even
think
that
we
should
do-
is
backtrack
to
the
previous
choice
point
and
explore
the
other
part
of
the
search
space.
B
It
might
still
not
lead
to
an
answer,
but
one
thing
we
should
be
confident
of
after
spending
a
trillion
dollars
is
that
it's
at
least
hard,
if
not
impossible,
to
find
an
answer
just
moving
forward
from
where
we
are
there's
a
problem,
though,
which
is,
we
have
spent
well
over
twenty
dollars,
building
up
the
computer
security
and
strength,
we
really
don't
have
the
option
of
just
saying
bones
built
on
the
wrong
premise:
let's
throw
the
whole
thing
out.
Sorry,
okay,
so
seems
like
you're
stuck.
We
can't
go
forward
and
we
can't
go
back.
B
What
can
we
do
well
go
sideways?
What
we
need
to
do
is
we
need
to
find
a
tunnel
that
takes
us
back
one
to
the
other
path
takes
us
to
project
how
he
would
have
constructed
things
on
the
other
path,
while
preserving
the
investment
in
building
up
the
computer
industry
that
we've
got.
This
seems
like
a
hard
thing,
but
turns
out
we're
in
luck
for
the
reasons
having
nothing
to
do
with
security.
B
B
What
is
this?
Well,
what
is
modularity?
It
means
that
that
modules
components
are
as
loosely
coupled
as
possible,
while
still
being
able
to
interact
the
way
they
need
to.
It
means
that,
needless
dependencies
between
these
these
components,
we
avoid
them
and
their
dependence
on
each
other.
Only
to
the
extent
they
need
to
be
talked
to
to
accomplish
what
they're
trying.
B
Security
is
designed
frameworks
of
interaction
such
that
the
components
interacting
with
each
other
can
can
attempt
to
interact
operatively
but
where
each
is
is
not
needlessly
vulnerable
to
the
other,
they
can
attempt
to
cooperate
while
generally
being
safe
from
the
possibility
of
the
other
ones.
Misbehavior
vulnerability
is
a
form
of
dependency
if
I'm
vulnerable
to
you
that
my
correct
operation
is
depend
on
your
lack
of
malice,
so
significant
computer
security
done
right.
Anything
that
decreases
vulnerability
decreases.
Dependencies
increases
modularity
and
that's
what
we've
seen
in
practice.
B
The
main
tool
we
have
for
building
one
modular
systems
is
the
is
the
principle
of
information
kind
of
going
back
to
david
harness
in
the
seventies
and
that's
the
principle.
You
should
build
interfaces
of
components
such
that
they
pride
it
as
much
the
implementation
detail
as
possible
and
both
releases
with
their
customers
to
the
clients
at
the
interface
and
demand
from
their
customers.
Only
the
information
needed.
B
And
security
may
told
me
how
their
development
is
the
principle
at
least
florida.
The
idea
that
that
included
that
interface,
the
component
should
be
designed
so
that
it
releases
to
its
customers
and
the
matters
from
its
customers.
Only
the
minimum
authority
needed
for
the
component
to
do
its
job.
The
authority
is
only
provided
what
we
need
to
do
bases.
A
B
If
we're
going
to
rebuild
computer
security
sorting
objects,
we
need,
if
underspend,
objects,
here's
the
central,
important
fact
about
objects.
From
our
point
of
view,
which
is
the
points
to
relationship
points,
to
relationship
to
the
foundation
of
object
under
perfect
objects,
point
to
each
other
and
some
objects
don't
point
at
certain
other
objects.
The
initial
conditions
of
the
cybermen
Bob
does
not
point
to
Carol
found
spotting
Carol
three
objects.
B
If
Alice,
who
does
point
at
Bob
and
does
point
the
camera
says:
Bob
Carol,
she's,
passing
to
Bob
and
Bob
as
result
of
receiving
the
message
now
has
him
in
objects.
If
you
have
pointer
to
some
other
object,
you
can
use
that
other
objects,
public
interface.
Now
that
bob
has
a
pointer
to
Carol
you
can
make
use
of
that
cares
publicly.
B
So
many
programming
languages
like
Java,
for
example,
have
real
memory
safe.
These
pointers
are
in
fortunately,
nope.
It
gives
you
or
your
the
Carol
can't
just
make
it
up
out
of
thin
air
by
casting
an
integer
and
have
real
encapsulation.
The
camera
pointed
to
Carol
and
using
the
public
interface.
If
you
can't
reach
inside
and
grab
private
instances
to
these
two,
this
constraint,
we
need
to
only
add
two
more
constraints
to
turn
objects
into
object.
B
It
delivers
that
the
object
should
only
be
able
to
cause
effects
on
the
world
outside
of
itself
by
using
references
that
it
holds,
and
then
an
object
should
be
given
no
powerful
references
by
default.
As
a
result,
up
to
each
individual
object
comes
into
existence,
naturally
sandbox
it.
It
comes
into
existence
without
any
possibility
of
causing
effect
outside
of
itself
other
those
explicitly
granted
to
the
other
object
passing
it.
B
So
the
reason
I
say
the
only
reason
I
qualified
this
with
powerful
is
that
a
very
common
kind
of
object.
Object
very
prevalent
is
the
transitively
in
unit.
The
object
is
completely
stateless.
It
does
not
lead
to
other
devices
and
does
not
have
any
any
statements
that
can
be
assigned
to
these
things.
So
purely
functional
programming
has
is
an
example
where
you
have
only
purely
functional,
but
much
good
object.
B
Rogers
programming
has
has,
has
large
numbers
of
individual
objects
and
feasel
objects
that
are
eternally
purely
functional,
because
no
effects,
because
a
pointer
from
purely
functional
object,
does
not
contain
the
positive
any
effects
of
trilliant
intrinsically
beautiful.
It
was
not
an
evening
the
positive
ending
effects,
it's
okay.
If
objects
are
born
with
implicit
references
with
under
granted,
references
to
trim
to
purely
amenable
objects
and
the
techniques
that
you'll
see
later
in
the
talk,
the
securing
javascript
take
advantage.
Thought
of
that
possible.
B
Okay,
with
these
three
constraints,
taken
together,
we
get
the
following
four
benefits:
the
reference
graph
familiar
from
the
object
parameter
becomes
identical
to
the
access
graph
from
the
access
control
manager.
We
have
this
wonderful
graph
connectivity
property
that
we
refer
to
as
only
connectivity
against
connectivity.
For
this.
This
is
best
understood
by
example.
So,
for
example,
if
you
have
two
isolated
supplements,
they
can
own
no,
but
they
can.
They
remain
forever
isolated,
because
no
object
can
ever
be
in
a
position
to
introduce
it.
B
This
is
the
reason
why
garbage
collection
is
generally
a
little
more
interesting.
If
you
have
to
almost
isolated
somewhere
else,
then
they
can
only
interact
or
become
further
connected
according
to
the
decisions
of
the
objects
that
have
afflicted
us
and
therefore
those
are
the
positions
in
the
graph
topology
that
are
the
strategic
locations
to
place.
The
objects
whose
behavior
expresses
security
policy
we'll
see
an
example
of
that
shortly.
B
Javascript
for
all
the
irregularities
is
actually
built
on
a
very
beautiful,
simple
set
of
ideas.
There's
really
two
fundamental
abstractions
in
JavaScript,
neither
of
which
is
the
plastic
object
from
object-oriented
programming.
I'll
call
you
I'll
call
these
two
abstractions
the
function
and
the
record
so
make
counter
as
a
function
and
every
time
it's
called
it
creates
a
temp
variable,
initializes
it
to
different,
and
it
creates
and
returns
the
record.
That's
that
begins
from
this
open,
curly
and
ends
at
this
possibility.
This
is
a
record
with
two
fields
they
occur
and
enter.
B
Right,
that's
right.
So
what
Peter
said
is
that
this
pattern
of
composing
functions
and
records
gives
us
the
classic
of
the
equivalent
of
the
object
marketing
program.
So
you
can
just
think
of
this
pattern
as
how
you
express
classic
objects
in
JavaScript,
a
record
of
closures,
hiding
state
the
state
being
more
variable.
Closures
are
just
a
fancy
name
for
the
functions
that
these
function,
expressions
evaluated.
So
a
record
of
closures.
Hiding
state
is
a
fine
representation
of
an
object
of
methods
hiding
instances
the
object
being
returned,
which
is
this
record.
B
B
The
in
current
deckard
methods
are
shown
at
the
edge
of
the
layer
because
they're
potentially
accessible
outside
the
level.
The
count
variable
is
shown
internal
to
the
record,
because
it's
encapsulated
can't
escape
only
things
that
can
possibly
get
access
to
this
we
can
tell
by
simple
inspection
of
heaven,
are
using
for
injectables.
B
So
if
this,
if
this
cutter
has
simply
had
the
properties
that
I
just
explained,
would
be
a
wonderful
starting
place
for
security,
however,
only
started
him
on
this
mission.
The
occurrence
JavaScript,
because
the
JavaScript
stand
another
second
script
3
and
it's
the
one
that
we've
had
on
all
the
browsers
for
most
of
the
last
ten
years
until
very
recently.
So
we
started
doing
this
in
Ekta
script.
3,
we
built
a
translator
from
the
secure
subset
of
JavaScript
into
at
the
script
thread.
B
I
had
turned
out
to
be
much
harder
than
we
thought
because
of
essentially
of
these
three
problems,
which
is
echo
script.
3
was
not
statically.
Scoped
scoping
was
this
crazy
confusion
of
static
scoping
concepts
in
some
dynamic
scoping
concepts
and
some
structural
context.
Even
aside
from
the
scoping
problems,
it
had
other
encapsulation
of
functions,
weren't
fully
encapsulated
functions.
Don't
you
absolutely
became
variable?
You
don't
have
a
starting
point
for
security
and
your
records
were
more
pervasive
immutable.
Nothing.
You
could
do
in
return
such
a
record
due
to
your
users.
B
B
B
B
And
when
I
say
to
secure
that
mr.
find
itself
is
not,
this
is
pure
language,
not
an
option
capability.
However,
this
trivial
security
that
I'll
be
explaining
allows
us
to
build
an
infamous
can
find
where
we're
pulling
security
system
or
ICS,
so
in
SDS,
but
this
or
that
pandemic
is
for
private.
Suffice
you,
strict
directive
repairs
all
the
code,
that's
within
EU,
strict
directed
so
by
just
putting
that
at
the
top
of
your
program,
you've
repaired,
all
the
scope
abilities.
You
now
have
genuine
lexical,
scoping
and
you've
also
repaired.
B
All
the
additional
encapsulation
links
these
scientists
openings,
so
you're
prepared.
All
of
that,
and
then
this
death
fear
is
an
SES
abstraction
over
a
primitive
cult,
object
up
trees
in
that
mr.
clause
that
allows
you
to
make
this
record
tamper
proof.
So
the
clients
of
the
record
can
read
and
invoked
its
methods,
but
they
can't
change
what
the
methods
of
the
object.
B
So
in
JavaScript
is
that
the
question
was:
is
that
run
timer
at
compile
time
and
in
JavaScript?
The
answer
to
both
such
questions,
independent
of
subject
matter
is
at
run
time,
but
just
if
it
would
be
the
scoping
preparing
the
captain,
the
encapsulation
here.
That's
that
the
the
freezing
making
a
tamper-proof
that's
tight.
B
So
I
don't
have
internet
access.
I
cannot
refresh
this
page
and
therefore
I'm
only
going
to
refer
through
static
picture
of
the
interactivity
and
women
seem
almost
prepared
for
this
possible.
So
over
here
we
have
a
a
blog
like
application
that
we've
written
using
this
using
the
illness
loosing
written
in
Colorado
called
the
cop.
The
cop
project
is
the
project
that
includes
the
old
translator
that
includes
SES
but
also
concludes
elements
for
securing
and
virtualizing
the
HTML,
DOM
and
CSS
and
other
elements.
B
B
B
So
so
the
important
starting
point
is
that
echo
script
5
has
built
into
it.
A
new,
primitive
called
object
on
phrase.
So
if
the
purpose
of
this
talk,
wherever
you
see
death,
if
you
simply
brought
a
direct
call
to
object
dot,
freeze
these
objects
would
have
enough
integrity
to
sustain
everything.
I'm
talking
about
in
this
talk,
the
additional
functionality
to
death
provides
over
object
up
freeze.
Is
it
freezes
the
objects
deeper
than
just
the
top
global
object,
object
out
freezes
of
shallow
foods,
death.
A
B
B
The
point
here
is:
is
that
enclosing
the
object
capability?
Restrictions
on
that
the
code
that
was
accepted
is
in
some
sense
of
form
of
sanitization.
It's
analogous
to
the
sanitization
that
existing
blogs
and
wikis
etc
do,
except
that
they
don't
pay
the
price
of
sanitizing
the
patient
not
no
longer
to
kill
the
patient
and
leave
the
dead
corpse.
B
So
with,
if
all
you're
concerned
about
is
the
language
part,
not
the
HTML
and
CSS
etc,
you
can
turn
a
web
page
into
an
SES
page,
this
Security's
web
page
simply
by
loading
this
particular
script.
First,
putting
this
this
script
tag
at
the
top
of
your
position.
It
will
initialize
the
page
use,
use
atmosphere
pod
on
itself,
essentially
to
secure
it
and
constrain
it.
If
you
want
your
capability,
so
this
will
work,
nothing.
A
B
The
web
application
closing
web
application,
which
is
the
cop,
puts
this
at
the
top
of
each
page,
and
now
it
can
safely
lower
with
third-party
content
and
present
it
to
the
user
without
needing
to
press
ENTER.
So
you've
been
able
code
to
be
treated
as
media
with
regard
to
the
containing
page
itself
that
what
that
single,
one
composition,
first,
level
of
security,
the
bread,
the
existing
browser
sandbox,
has
already
dealt
with
securing
that.
B
What's
going
on
here
is
that
first,
local
security
was
done
in
a
non
compositional
manner
because
of
the
wine
or
this
finer
grained
notion
of
I
guess
same
version
policy
said:
we've
got
one
more
level
of
isolation,
because
we've
made
one
step
finer
notion
of
identity,
which
is
it's
no
longer
you.
It's
you
at
this
site
versus
you
with
that.
So
by
shifting
paradigms
completely,
we
didn't
add
just
one
more
level:
we've
had
it
as
many
levels
as
you
want.
This
third-party
content
can
load
the.
A
B
B
B
We
take
that
primitive
about
and
we
replace
it
as
part
of
the
unit,
ses,
initialism
changes
and
our
replacement
for
eval.
It
forces
only
two
restrictions
in
addition
to
these
two,
the
to
be
first
to
the
page,
wide
inspections,
initialization
steps,
the
additional
restriction
that
the
amount
of
the
analysis
is
that
all
the
code
didn't
value.
It
is
constrained
only
to
strengthen
and
therefore
Calexico
story
and
having
constrained
it,
the
lexical
scoping
it.
B
It
also
ensures
that
the
script
does
not
address
any
global
variables
that
are
not
on
our
whitelist
and
what
is
on
our
reckless.
Then
we
go
to
the
question
that
you
have,
which
is
objects
that
we
have
made
transitively
a
beautiful
and
therefore
harmless.
Like
object
array
now,
Jason
go
ahead
and
put
those
objects
or
the
building
all
of
us
on
the
whitelist,
so
they
can
be
addressed
but
could
be
evaluated,
but
the
objects
that
the
people
affect
like
window
document
XML
request,
object
the
Davis
communication
network.
None
of
those
are
waiters.
B
You
can
run
the
script,
the
scope
where,
when
it
says
window
it
doesn't
mean
the
real
window,
and
this
in
fact,
with
the
comic
book
or
does
when
this
application
says:
we've
never
knocking
not
getting
the
real
window
or
document.
Does
this
law
just
one
page,
there's
no,
my
friends
kept
on
said
giving
Maryland
the
document
we're
taking
the
the
our
virtualization
of
the
Dom
has
taken
a
subtree
is
enable
be
containing
application
to
take
a
subtree
of
that
Dom
and
say
present
access
to
this
subtree
as
a
virtual
window
adopted.
B
A
B
B
So,
with
regard
to
CSS,
we
rewrite
all
of
the
CSS
you're.
Basically,
a
set
of
renaming
price
and
way
to
think
about
our
Dom,
virtualization
or
CSS.
Virtualization
is
to
think
of
it
as
analogous
to
what
memory
management
and
you
guys
in
the
CPU
mapping
virtual
addresses
to
physical
addresses
the
application
address
memory,
just
as
if
they
were
addressing
virtual
addresses,
but
what
it's
doing
is
its
doing
a
mainly
matter.
B
So
when
it
says
one
name
is
not
too
differently
in
the
underlying
system,
so
mapping
the
Dom
access
into
neck
into
access
to
the
subtree
of
the
Dom
mapping,
the
CSS
file
names
and
his
findings
that
are
local
to
the
individual
components.
We're
doing
all
of
that
and
as
far
as
we
know,
we're
doing
it
successfully
deployed
at
scale
and
particular
pond
Yahoo,
and
you
know
what
seems
to
work.
B
B
Then
Bob
evaluates
into
some
sub
graph
of
objects
that
that
only
you
know.
Bob's
author
knows
it's
just
sub
graph,
according
to
whatever
Bob's
cuttings
and
the
root
that
sub
graph.
The
value
of
the
expression
that
Bob
with
other
weights
do
that's
returned
that
houses
stores
into
his
father.
So
at
this
point,
ignoring
the
transitively
mutable
objects,
bob
has
no
other
appointments.
Bob
can
cause
zero
effects
in
the
world
outside
of
himself.
At
this
moment,
the
length
master
calendar.
B
In
fact,
the
only
connectivity
that
bob
has
to
the
rest
of
the
graph
is
that
Carol
points
at
him.
He
doesn't
have
any
pointers
out.
So
at
this
moment
Bob
and
Carol
are
confined
and
Alice
is
in
complete
control
over
how
they
might
interact
or
get
further
connected.
What
can
almost
do
from
this
powerful
position?
B
Without
these
sites
we
have
ruthlessly-
let's
say,
Alice
instantiates
the
counter
by
calling
a
temperature
gives
Bob
access
to
be
incremented
gives
Carol
axis
and
decremented
knows
that
our
own
Bob
and
Carol
variables
that
holds
on
to
the
camera
having
pectus
situation
about
the
possibilities,
parties
for
actor
care
is
that
Bob
can
count
up
and
see
the
result.
Carol
can
count
down
and
see
the
result,
and
Alice
can
only
do
both.
B
This
contains
the
central
lesson
of
how
practicing
security
with
object
capabilities
differs
from
the
security,
reduce
with
object
capabilities.
You
express
policy
by
the
behavior
of
the
objects
that
you
provide
and
make
to
make
counter
code,
combined
with
this
code
over
here
for
instantiating
and
wiring
things
up
expressed
a
policy
expresses
and
enforces
the
policy
corresponding
to
pros.
A
B
B
The
unfortunate
pointer
concerns,
as
we
wanted
to
stretch
the
reference
graph
cryptographically
between
machines,
but
most
suspicion
is
suspicion,
not
a
code
running
on
my
machine,
the
suspicion
of
code
running
and
other
issues,
so
I'm
going
to
show
this
with
with
an
enhanced
security
script,
which
is
Penghu
script.
+
promise
library
moves
q+
a
little
bit
of
syntactic
sugar,
the
infant's
panic,
syntax,
we've
proposed
for
it
yet
another
future
version
of
Equis,
where
it's
not
present.
B
So
the
analog
of
our
object.
Reference
is
an
unbeliever,
oh,
and
why
is
this?
Why
does
this
actually
work
with
special
reference,
because
of
a
strong
analogy
between
the
nature
of
unguessable
secrets
and
the
logic
of
object?
References,
if
you
don't
know
Alan
castable
secret,
you
can
only
come
to
know
it.
If
someone
else
already
knows
it
how's
it.
B
Ok,
so
what
about
this
mysterious
bangable?
So
you
can
write
the
bang
everywhere
that
you
can
write
the
doc
and
it
means
something
analogous
to
the
doc
sort
of
an
enhanced.
So
what
is
doc?
What
doc?
The
way
things
have
got
is
it
takes
to
do
it
now
is
Alice
by
saying
Bob
dot.
Foo
Carol
is
saying:
I
wanted
I
want
Bob
latest
request.
Right
now
there
was
a
transfer
of
control
from
propel
us
to
Bob.
Bob
runs
to
completion
return,
some
value
to
Alice,
which
Alice
assigns
to
her
result.
B
B
By
contrast,
the
bedding
means
do
it
eventually.
That
means
cue
up
the
need
to
eventually
ask
Bob
to
do
the
food
request
with
Carol
is
an
argument,
and
now
Bob
might
be
local
or
he
might
be
remote,
but
no
matter
what
don't
do
it
right
now,
you're
queuing
it
for
liquor
and
since
you're
queuing
it
for
later.
What
you
do
is
right
now
you
return
promise
for
what
the
result
will
be.
B
Since
we're
from
here
out,
we
talk,
we
emphasize
the
distributed.
Programming
will
be
concerned
about
the
bank
and
we're
concerned
about
one
further
off
operation,
which
is
to
win,
which
is
analogous
to
the
try-catch,
which
registers
select
to
be
noted
for
notification
when
this
promise
results.
This
is
like
Detroit
the
try
block
of
the
try-catch.
B
B
Now
my
talk
on
Friday.
Well,
go
through
well,
it's
gonna
take
a
very
different
cut.
Through
this
event,
my
talk
on
Friday
December
3
o'clock.
The
successor
of
this
talk
will
actually
explain
this
is,
but
what
I
want
to
say
today
is
simply,
but
because
you
see
here
reduces
nothing
other
than
the
elements
that
are
worthy
in
commuters.
A
B
Before
deciding
to
release
the
good
analysis
of
entropy,
so
if
this
bank
in
front
of
us
to
solve
all
the
traditional
problems
prevent
on
spending
for
them
for
currency,
of
course,
conservation
currency,
this
is
realistically
everything
that
Alice
needs
to
say
here:
engagement
for
partners
with
protocol.
This
is
realistically
everything
Bob
Dinneen
society.
So,
with
all
these
problems
solved,
surely
the
code
for
the
bank
is
where
problems
are
taken?
Care
of
it
must
be
terribly
complex.
B
B
B
A
B
B
It
solves
the
problem
in
a
softer
fashion,
by
using
incentives
on
the
various
parties
to
approximately
solve
the
problem
and
create
a
stable
system
where
it's
nobody's
interest
violent,
it's
nobody's
interest,
but
if
they
violate
money
another
that
would
be
not
doing
decentralized,
most
distributed
cryptographically
chemicals
kind
of
simple
addiction.
So
much
you.
B
B
That
has
been
working
on
instrumenting
distributed
programs
and
creating
visualizations
from
the
traces
of
what
happened
when
the
execution
of
the
distributed
program
to
help
farmers
and
abundant
distributed
currents.
Paul
may
have
several
visualizations.
This
visualization
is
for
mr.
silica.
Each
of
these
dots
represents
a
different
kinds
of
events,
and
this
our
oscilloscope
is
so
named
because
it's
vertically
organizes
the
events
according
to
the
position
and
the
source
code
of
a
synchronous,
operation.
A
A
B
Yes,
so
I
like
to
think
of
explainin,
so,
as
we
know
from
lamport's
famous
building
paper
and
lengthwise
from
Hewitt's
paper
at
the
same
time,
that
said
the
same
thing:
that
kind
of
almost
we
didn't
either
we
can
think
of
distributing
causality,
Lampert's
happy
the
flow
relationship
as
being
the
union
of
two
workers
process
or
a
message.
A
message
order
is
the
order
as
messages
quote
back
and
forth.
These
asynchronous
messages
that
go
between
processes
in
the
order
of
how
receiving
1s
it's
doing
things
and
sending
out
other
messages
response
basic
ordering
process.
B
Server
is
the
sequence
of
things
that
happens
within
the
process
and
soso
stuff
the
process.
The
process
order
are
all
straight
ones
that
ready
to
be
straight
lines
message
order
of
these
purples
they'll.
Just
stop
there
description,
there's
another
visualization
Stanley
is
working
on
close
by
posts
are
called
the
causality
of
the
both
parts
of
prospect.
On
this
case,
the
visualization
is
more
directly
or
organized
in
terms
of
process.
B
B
B
Alice's
both
telling
Bob
what
object
she
wants,
Bob
to
operate,
she's
designated
but
she's
also
authorizing
the
same
price,
even
realize
that
our
current
user
interface
primitives,
for
example,
the
open
final
bottom
of
box,
provide
the
same
opportunity.
These
are
mechanisms
of
designation
but
they're
bringing
the
object
in
billing
perspective
to
it.
We
can.
We
can
reuse
the
speculative
designation
to
give
to
to
provide
the
information
needed
to
authorize
so
edit.
The
editor
that's
open.
This
dialog
box
is
asking
the
user
to
select
the
file
to
edit.
B
The
user
does
exactly
the
normal
interaction,
select
the
file
and
says
essentially
open
and
it,
but,
as
a
result,
cat
Bennett
is
not
just
hold
but
file
to
edit.
It's
giving
the
authority
can
edit
that
one
file,
it
doesn't
even
know
of
the
existence
of
any
of
the
other
fathers
that
are
care
here.
There's
something
file,
there's
a
current
research
on
this
style
of
authorization.
My
designation.
A
B
Assisting
working
on
a
Google
research
right
now
mark
Lesnar,
Arjun,
hoo-ha
and
jokl.
It's
we've
done
assistance,
don't
delay,
and
over
here
we
see
two
web
applications.
This
now
you
know
transposing
the
web
context.
There's
two
web
applications,
but
once
again,
the
user
playing
in
tell
us
with
this
web
application
playing
Carol.
Does
that
web
application
playing
Bob,
but
by
dragging
this
importance
over
here
and
dropping
it
over
there,
the
user
is
giving
this
web
application
access
to
the
to
the
portion
of
this
web
application
that
it
represents
by
metaphors.
A
A
B
In
the
admin
script
community,
when
the
design
strengthen,
we
designed
it
not
you
cannot
improve.
You
cannot
rationalize
the
scoping
or
being
strictly
of
legacy
choices,
and
it's
not,
however,
from
from
much
code
and
for
almost
all
code
that
was
written
well
with
all
those
drugs
for
best
practices.
That
code
should
be
compatible
description.
We've
seen
lots
of
code
very
painlessly,
porn
industry
that
sometimes
with
manual
intervention,
so
strict
mode
was
not
designed
to
be
completely
penis
or
are
you
just
accept
legacy
code
automatically?
B
It
is
designed
to
be
sufficiently
painless
that
any
volume
code
that's
being
actively
maintained.
The
better
scoping
rules
that
that
are
are
checking
are
should
be
nothing
than
incentive
that
everyone
should
from
here
on
out
the
new
suspect
at
the
top
of
their
program
in
game
that
those
syllables,
but
later.
B
Ses
imposes
a
further
restriction,
which
is
the
freezing
of
the
variables
and
all
the
objects
reachable
through
transit
freeze,
that's
a
restriction
that
we've
relaxed
we've
already
relaxed
it
for
kaha,
using
the
translator
for
legacy
systems
and
I.
Have
it
to
do
item
through
this
quarter
to
do
the
same
relaxation
for
the
SES.
B
B
Well,
the
necklace
could
find
the
answer
is
8
I'm
sure
you've
all
guessed
by
now.
What
the
answer
is
connect
the
script
ready
I
will
not
explain
why
this
is
the
answer
and
constrain
3.
It
turns
out
that
most
were
lucky
in
hecklers.
Got
three
days
on
this.
One
which
is
most
browsers,
did
not
implement
what
was
specified,
but
any
for
any
component
browser
Firefox
was
conforming
or
any
conformant
browser.
You
would
get
capturing
sort
of
the
browser
that
in
which
you've
got
8,
it
was
violating
dekma
script,
3,
okay,.
A
B
The
cane
page
users
about
our
to
create
a
system
of
wrappers
around
the
subtree
of
the
dawn
and
it's
those
wrapper
objects
that
are
provided
to
the
coding
become.
The
behavior
of
those
wrappers
is
behavior
that
we
wrote.
We
wrote
when
we
looked
a
lot
of,
and
you
do
get
parent
on,
that
it
stops
at
the
top
of
the
virtual
village,
which
corresponds
to
subtree
of
the
dog.
Doesn't
allow
you
to
send
each.
A
B
Absolutely
they
can
be
managed
on
the
containing
paper,
yes,
but
only
the
only
mutation
within
that
subtree
and
they
don't
even
you
tation.
If
what
they've
given
to
the
rapid,
what
they've
been
given
as
a
rapper
that
allows
me
to
one
of
the
operators
that
the
model
provides,
is
the
ability
to
put
to
to
spawn
a
system
of
records
around
the
sub
tree?
That's
a
read-only
view.
The
bottom
does
have
them.
B
You
know
with
all
the
mechanisms
for
the
Reno
review,
so
anybody
it's
not
just
a
containing
page
that
your
app
we've
built
on
the
3do
review.
Anybody
who
has
a
rewrite
view
who
wants
to
give
somebody
else
a
read-only
to
reflect
that
corresponds.
The
readwrite
per
unit
have
can
do
so,
so
you
can
always
downgrade
the
authority
that
we've
got
and
the
arena
who
needs
a
downgrading
that
we
support
on
the
Box.
A
B
So,
when
I
send
you
code,
if
you're
in
a
machine
I'm
sending
code
to
machine
that
I'm
suspicious
of
then
I
should
not
depend
on
the
fear
of
that
machine
being,
according
to
the
code
s,
okay,
it's
learning
machine
that
I
was
suspicious
of
so
it
can
do
three
things
that
it
can
do.
The
constraint
is
that
if
I'm
transferring
to
you
both
toad
and
some
let's
say
remote
references
over
objects
that
well,
you
know,
you're
a
machine
that
I,
don't
trust.
B
You
can
do
anything
with
references
that
you
can
read
those
agencies
unguessable
HTTP
URLs.
However,
any
references
that
you
have
not
been,
you
can't
do
anything.
So
you,
your
home
machine,
is
a
single
object.
The
techniques
are
getting
the
aggregate
there's
one
for
which,
when
I
say
new
code,
the
code
is
just
data
as
far
as
I'm
concerned
that
I've
been
advising
you
here's
a
way.
Here's
here's,
here's
information
taking
to
account
with
regard
to
how
you
might
behave
afterwards,
but
if
you
have
been
not.
A
B
B
A
B
Literally,
just
running
still
has
integrity
still
operates.
The
latest
edition
poster
for
what
we're
doing
that
assumption
is
a
special
planking,
because
we're
sitting
on
top
of
browsers
which
people
have
installed
plugins
Linux
and
extensions
sitting
on
the
cartridge
legacy
operating
systems
articulating
these
viruses
sitting
on
top
of
machines.
B
The
people
have
tried
the
bottom-up
approach.
Redis
Apprendi
say
what
we
really
are
concerned
about.
First
is
having
really
high
confidence
that
we
don't
have
any
funds
beneath
us.
Let's
build
secure
art
the
let's
build
a
secure,
microkernel
operating
system.
Maybe
build
rebuild
the
whole
thing
from
the
ground
up.
Ok,
that's
what
I
call
it!
That's,
that's,
essentially
what
I
mean
by
the
backtracking
and
those
things
have
failed,
not
technologically
those
are
generally
not
technological.
Tell
you.
Those
are
failures
to
get
resources
and
attention
and
adoption
because
they're
there
you.
B
B
Is
that
one
that,
by
starting
by
starting
at
the
at
the
attack
service,
by
which
marked
organizations
this
is
web
web
service
is
the
largest
and
most
quickly
growing
attack
service?
That
many
organizations
are
presenting
to
the
world
is
the
one
for
which
they're
most
hurting
for
lack
of
better
security,
better
security
mechanisms,
more
flexible
security
policies,
and
by
attaching
this
to
language
which
is
being?
Why
do
we
learn?
You
also
get
to
communicate
message
and
be
kept
people
more
aware.
B
This
has
an
alternate
way
of
securing
files
in
the
biggest
thing
that
we
lack
is
not
an
understanding
of
how
to
build
the
capability
technology.
The
biggest
thing
we
lack
is
an
appreciation
by
the
wider
world.
This
is
a
technology
and
I
think
this
is
the
right
strategic
technology
to
build
next.
To
address
that
delicious.