E (programming language)

Not to be confused with AmigaE, e (verification language), or GNU E.

Paradigm: Multi-paradigm: object-oriented, message passing
Designed by: Mark S. Miller
First appeared: 1997; 27 years ago
Typing discipline: Strong, dynamic
OS: Cross-platform
License: Portions in different free licenses
Website: erights.org
Major implementations: E-on-Java, E-on-CL
Influenced by: Joule, Original-E, Java
Influenced: Pony

E is an object-oriented programming language for secure distributed computing, created by Mark S. Miller, Dan Bornstein, Douglas Crockford, Chip Morningstar and others at Electric Communities in 1997. E is mainly descended from the concurrent language Joule and from Original-E, a set of extensions to Java for secure distributed programming. E combines message-based computation with Java-like syntax. A concurrency model based on event loops and promises ensures that deadlock can never occur.

Philosophy

The E language is designed for computer security and secure computing. This is performed mainly by strict adherence to the object-oriented computing model, which, in its pure form, has properties that support secure computing. The E language and its standard library employ a capability-based design philosophy throughout in order to help programmers build secure software and to enable software components to co-operate even if they don't fully trust each other. In E, object references serve as capabilities, hence capabilities add no computational or conceptual overhead costs. The language syntax is designed to be easy for people to audit for security flaws. For example, lexical scoping limits the amount of code that must be examined for its effects on a given variable. As another example, the language uses the == operator for comparison and the := operator for assignment; to avoid the possibility of confusion, there is no = operator.

Computational model

In E, all values are objects and computation is performed by sending messages to objects. Each object belongs to a vat (analogous to a process). Each vat has a single thread of execution, a stack frame, and an event queue. Distributed programming is just a matter of sending messages to remote objects (objects in other vats). All communication with remote parties is encrypted by the E runtime. Arriving messages are placed into the vat's event queue; the vat's event loop processes the incoming messages one by one in order of arrival.

E has two ways to send messages: an immediate call and an eventual send. An immediate call is just like a typical function or method call in a non-concurrent language: a sender waits until a receiver finishes and returns a value. An eventual send sends a message while producing a placeholder for a result called a promise. A sender proceeds immediately with the promise. Later, when a receiver finishes and yields a result, the promise resolves to a result. Since only eventual sends are allowed when communicating with remote objects, deadlocks cannot happen. In distributed systems, the promise mechanism also minimizes delays caused by network latency.

Syntax and examples

E's syntax is most similar to Java, though it also bears some resemblance to Python and Pascal. Variables are dynamically typed and lexically scoped. Unlike Java or Python, however, E is composed entirely of expressions. Here is an extremely simple E program:

    println("Hello, world!")

Here is a recursive function for computing the factorial of a number, written in E. Functions are defined using the def keyword.

    def factorial(n :int) :int {
        if (n == 1) {
            return 1
        } else if (n > 0) {
            return n * factorial(n - 1)
        } else {
            throw("invalid argument to factorial: " + n)
        }
    }

In the first line, :int is a guard that constrains the argument and result of the function. A guard is not quite the same thing as a type declaration; guards are optional and can specify constraints. The first :int ensures that the body of the function will only have to handle an integer argument. Without the second :int above, the function would not be able to return a value. Being able to see up front that information escapes out of the function is helpful for security auditing.

Since E is intended to support secure co-operation, the canonical example for E programs is the mint, a simple electronic money system in just a few lines of E. The following code defines a function that makes mints, where each mint has its own currency. Each mint can make purses that hold its currency, and any holder of two purses of the same currency can securely transfer money between the purses. By quick examination of the source code, an E programmer can easily verify that only mints may change the amount of money in circulation, that money can only be created and not destroyed, that mints can only create money of their own currency, and that only the holder of a purse can change its balance.

    def makeMint(name) :any {
        # The sealer/unsealer pair is private to this mint (one pair per currency).
        def [sealer, unsealer] := makeBrandPair(name)
        def mint {
            to makePurse(var balance :(int >= 0)) :any {
                # decr can only lower this purse's balance, and never below zero.
                def decr(amount :(0..balance)) :void {
                    balance -= amount
                }
                def purse {
                    to getBalance() :int { return balance }
                    to sprout() :any { return mint.makePurse(0) }
                    # decr leaves the purse only inside a sealed box.
                    to getDecr() :any { return sealer.seal(decr) }
                    to deposit(amount :int, src) :void {
                        # Only a box sealed by this mint's sealer can be unsealed here.
                        unsealer.unseal(src.getDecr())(amount)
                        balance += amount
                    }
                }
                return purse
            }
        }
        return mint
    }

Objects in E are defined with the def keyword, and within the object definition, the to keyword begins each method. The guard expressions in this example illustrate how to specify a value constraint (as in :(int >= 0) or :(0..balance)).

The mint example makes use of a built-in mechanism called a sealer. The function makeBrandPair creates two associated objects, a sealer and an unsealer, such that the sealer can seal an object in a box and the unsealer is the only object that can retrieve the contents of the box. See the E website for a more detailed explanation of this money example.

See also

Object-capability model

References

Handy, Alex (14 November 2016). "The future of software security". SD Times.
Seibel, Peter (21 December 2009). Coders at Work: Reflections on the Craft of Programming. Apress. pp. 95–96. ISBN 9781430219491.
"E's History". www.erights.org.
Miller, Mark S.; Tribble, E. Dean; Shapiro, Jonathan (2005). "Concurrency Among Strangers" (PDF). Trustworthy Global Computing. Lecture Notes in Computer Science. 3705: 195–229. Bibcode: 2005LNCS.3705..195M. doi: 10.1007/11580850_12. ISBN 978-3-540-30007-6. Archived from the original (PDF) on 2022-03-31. Retrieved 2021-03-05.
Rees, Jonathan; Miller, Mark (2001). "From Objects To Capabilities - Simple Money". erights.org. ERights. Retrieved 8 July 2014. Before presenting the following simple example of capability-based money, we must attempt to head off a confusion this example repeatedly causes. We are not proposing to actually do money this way! A desirable money system must also provide for...
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.