Synergy Nexus

Main Ideas

Siblings and Seals in Scheme, Provenance and Properties

Amplification

Rationale, Dynamic Classes, Debugging Obscured Objects, Collusion & Synergy

Tangential Issues

Synergy vs. Wrapping, Synergy of Conventional Classes, no Synergy in λ-calculus, Synthetic Primitives in Keykos, Keepers

Controversy

eq? Considered Harmful, Recognizing Siblings

Mail List Discussions

Cap Talk, e lang

Scheme Lobbying

Nascent SRFI

Some Languages

Synergy

Synergy is a general pattern in capability systems. It takes several forms: rights amplification, sibling communication and sealing — even the equality operator.

Synergy is a phenomenon where a program that holds two capabilities can do something by bringing these two capabilities together that it cannot do with them separately. In the systems we know the only way to bring capabilities together is to send one to the other in a message, or alternatively to send both to the some other object, but then that other object must either send one to the other or send both to a yet more fundamental object. By “fundamental” I mean older in the sense described here.

We consider first an example of rights amplification in Keykos. (See this for a more generic introduction to amplification.) A domain service key to a particular domain D is stronger than a start key to D. (Here is all you need to know about domains to understand this note.) This is because there is an order on the domain service key that yields the start key to the same domain and there are things that you can do with the domain service key that you can’t do with the start key. By invoking the particular domain creator that made the domain one can retrieve the domain service key from the start key. This operation is an example of rights amplification; given the weaker start key we have amplified those rights to include the rights conveyed by the stronger domain service key (to the same domain!). (The synergy is between the domain creator key and the start key.) Most programs can not perform this amplification for they lack a key to this particular domain creator.

There are two important questions to answer:

• why is this a good design?
• how is it accomplished?

Why is rights amplification a good idea?

• is it harmful?
• is it useful?

• Accept a start key,
• For each retained domain service key, produce all 256 possible start keys,
• Compare each of these with the given start key for equality,
• Return the domain service key that produced the matching start key.

The reader may have felt a flaw in the above argument. Without the amplification feature two holders of the same domain creator key are unable to amplify start keys for domains from the other holder. This may be important if the two do not trust each other. The presence of the amplification feature in the domain creator means the domain creators should not be shared across trust boundaries. There are other reasons for this policy however and it is not expensive. This is generally the case with rights amplification.

Some will see another flaw here: “How do you compare keys for equality?”. Such an operation sends two keys to a primitive comparator (via a key to the comparator). Indeed this is a form of synergy. Capability system designers in good standing differ on how widely access to a comparator should be spread. Here is a description of a solution for a large class of synergy problems without EQ?.

As to whether synergy is useful there are several uses. Here are two:

• If a domain obeys a program with a bug it may be important to be able to debug the program starting from the state of the broken domain. This requires the domain service key to the domain. The start key is likely to be available but the domain service key is generally not required after domain launch. With rights amplification the domain creator together with the start key can reproduce the required domain service key at less cost than always keeping the domain service key.
• It is often required that an object be able to communicate with siblings in ways that others cannot. One example is money objects. Mondex cards use a combination of obscurity and crypto to communicate between themselves to prevent counterfeiting Mondex money. Capability systems with synergy can do the same without crypto. Here is a sample design in Keykos. Another example of sibling communication is to optimize computation by taking advantage of state representation. It might indeed be more than an optimization such as proprietary data formats.

How is synergy accomplished?

The domain creator holds the domain tool which is a one-of-a kind object implemented by the kernel. An order on the domain tool takes a start key and another key x. If x matches the key in slot 0 of the node, D, designated by the start key, then the domain tool returns the node key to D. The domain creator then produces, again, the domain service key that designates D, which is returned to the caller of the domain creator.

In summary the domain creator performs synergy by invoking a synergy function of a more primitive object. In general this pattern continues until an object, such as a kernel object, is reached that is not constrained by capability discipline. Such programs are generally entrusted to enforce such discipline.

Sibling Communication

To do this the bank retains from birth a key to its creator. When asked to vouch for a sibling it asks its creator to whom the question is merely a matter of rights amplification. The creator may return a special start key to the sibling bank so that inter bank messages can pass efficiently with the recipient knowing that the message is from a true sibling. Banks can then engage in bank-talk.

C++ code of some class can directly access members of another object of the same class. This provides efficient primitive sibling communication.

Seals

See how to define types of synergy in Scheme starting from “eq?” and a proposed new Scheme primitive called the box for efficient Scheme synergy.

Cookies