[cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.
Jonathan S. Shapiro
shap at eros-os.org
Thu Apr 29 22:20:40 EDT 2004
On Mon, 2004-04-26 at 23:18, Jed Donnelley wrote:
> >What *can* be leaked is the ability to proxy.
> I don't think this is substantively different than the sort of mishandling
> that can happen with capabilities as descriptors.
It is different because of programmer behavior. It is true that
programmers *can* manage cryptographic capabilities correctly. It is
also true that in practice they do not, because it is too easy to break
the type system in current programming languages. Hell, programmers
cannot be relied on not to inspect private implementation state -- ask
anyone who has actually built a large system.
So: one reason that I prefer the descriptor architecture is that type
enforcement is a useful thing in robust programs.
This point is, I think, largely orthogonal to the rest of the
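The distinction argued above, as an added illustration that is not code from this post or from EROS: a capability carried as data (an unguessable byte string) is leaked in full by any helper that reads the holder's "private" state, whereas a descriptor is an index into a kernel-held, per-process table, so the same inspection yields an integer that means nothing elsewhere and the only thing that can leak is the holder's willingness to proxy. The classes (`DataCapService`, `Holder`, `Kernel`, `DescHolder`) and the two processes are hypothetical and constructed for the example.

```python
import secrets


# ---- Model 1: capability as data (an unguessable bit string) ----------------
class DataCapService:
    """Authority is possession of the bytes; the service checks nothing else."""
    def __init__(self):
        self._valid = set()

    def mint(self):
        tok = secrets.token_bytes(16)
        self._valid.add(tok)
        return tok

    def check(self, tok):
        return tok in self._valid


class Holder:
    """Keeps its capability in a 'private' attribute (hypothetical holder)."""
    def __init__(self, cap):
        self._cap = cap

    def act(self, svc):
        return svc.check(self._cap)


def dump_private_state(obj):
    """The debugging / serialization helper every large system grows.
    The language does not stop it from reading 'private' fields."""
    return dict(vars(obj))


def data_cap_leak_demo():
    svc = DataCapService()
    alice = Holder(svc.mint())
    stolen = dump_private_state(alice)["_cap"]
    # The copied bytes are the whole authority: the service cannot tell
    # Alice from whoever read her object's state.
    return svc.check(stolen)


# ---- Model 2: capability as descriptor (index into a kernel-held table) -----
class Kernel:
    """Holds every capability table; user code only ever sees small ints."""
    def __init__(self):
        self._objects = []            # object id -> protected object
        self._tables = {}             # pid -> list of object ids

    def create_process(self):
        pid = len(self._tables)
        self._tables[pid] = []
        return pid

    def _install(self, pid, oid):
        self._tables[pid].append(oid)
        return len(self._tables[pid]) - 1   # descriptor: meaningful only to pid

    def mint(self, pid, obj):
        self._objects.append(obj)
        return self._install(pid, len(self._objects) - 1)

    def invoke(self, pid, desc):
        tbl = self._tables[pid]
        if not isinstance(desc, int) or not 0 <= desc < len(tbl):
            raise PermissionError("no such descriptor in this process")
        return self._objects[tbl[desc]]

    def transfer(self, from_pid, desc, to_pid):
        """Only the kernel moves authority, and only when the holder asks."""
        self.invoke(from_pid, desc)          # validates desc for from_pid
        return self._install(to_pid, self._tables[from_pid][desc])


class DescHolder:
    def __init__(self, kernel, pid, desc):
        self._k, self._pid, self._desc = kernel, pid, desc

    def read(self):
        return self._k.invoke(self._pid, self._desc)

    def proxy_read(self):
        """Callable by anyone holding this object: the 'ability to proxy'."""
        return self.read()


def descriptor_leak_demo():
    k = Kernel()
    alice_pid, mallory_pid = k.create_process(), k.create_process()
    alice = DescHolder(k, alice_pid, k.mint(alice_pid, "alice's secret"))
    k.mint(mallory_pid, "mallory's own object")

    # Mallory inspects Alice's private state exactly as before...
    stolen = dump_private_state(alice)["_desc"]
    # ...but the int resolves in Mallory's table, not Alice's.
    index_was_authority = k.invoke(mallory_pid, stolen) == "alice's secret"

    # What Mallory can still do is ask Alice's code to act on her behalf.
    proxied = alice.proxy_read() == "alice's secret"
    return index_was_authority, proxied
```

`data_cap_leak_demo()` returns True: reading the field is equivalent to stealing the capability. `descriptor_leak_demo()` returns `(False, True)`: the stolen index buys Mallory nothing in his own process, and the only authority that crosses the boundary is whatever Alice's code is willing to exercise for him. In a real descriptor system the table lives in the kernel and the enforcement does not depend on the language the holder is written in; the Python `Kernel` here only models that separation.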