Essays on Capabilities and Security
I've begun a set of small, introductory essays on
various aspects of the EROS design. These notes are
intended to be more explanatory than the design
Norm Hardy has also written a number of essays, which
you can find here.
Norm's tend more toward pondering serious issues in
capability systems and security, while these notes tend
to be more introductory in nature.
These essays are intended for a beginning audience.
Their purpose is to define terms or explain concepts so
that people can join the discussion on capability
security and capability systems.
What is a Capability,
Provides a layman's introduction to capabilities,
describing what they are, what they do, and why they
result in better security than today's computer
Where Capabilities Come
One source of confusion about capability systems is
where capabilities come from. How does my program
get one? Where does the system get them from? This
note tries to answer such questions.
EROS: A Platform
for Reliable Applications
Describes why EROS provides a better platform for
building reliable applications than POSIX-based
systems. Identifies some of the reasons that
EROS-based applications tend to be both more
reliable and more testable than their POSIX
Notes on Specific Issues
These essays address some specific topics about the
design of the EROS system, often with an eye toward
explaining why EROS is structured in a particular way.
My hope is that documenting these thoughts will make it
easier to translate these ideas to other systems, or
make it clear why such translation is difficult.
Explains why EROS uses transparent checkpointing as
its basic approach to persistence, and what issues
are raised by this choice. This note also discusses
some of the implications of this choice for the
structure of the operating system, which may be
helpful to people contemplating persistence designs
for other systems.
Comparing ACLs and Capabilities
Many people seem to think that capabilities and
access control lists are simply two ways of looking
at the same thing. They are not. This note
provides a description of how capabilities and
access control lists actually work, and why the two
are not equivalent.
Other Sources of Interest
Copyright 1998 by Jonathan Shapiro. All rights reserved. For terms of
redistribution, see the
GNU General Public License