[cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.

Jonathan S. Shapiro shap at eros-os.org
Thu Apr 29 22:20:40 EDT 2004


On Mon, 2004-04-26 at 23:18, Jed Donnelley wrote:

> >What *can* be leaked is the ability to proxy.
> 
> I don't think this is substantively different than the sort of mis-handling
> that can happen with capabilities as descriptors.

It is different because of programmer behavior. It is true that
programmers *can* manage cryptographic capabilities correctly. It is
also true that in practice they do not, because it is too easy to break
the type system in current programming languages. Hell, programmers
cannot be relied on not to inspect private implementation state -- ask
anyone who has actually built a large system.

So: one reason that I prefer the descriptor architecture is that type
enforcement is a useful thing in robust programs.

This point is, I think, largely orthogonal to the rest of the
discussion.

shap
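An added illustration of the contrast drawn above; it is not code from the thread or from EROS. It models the two designs in Python: a capability carried as data (an unguessable token the holder stores in an ordinary field) and a capability carried as a descriptor (a small integer indexing a table that only a simulated kernel holds). The `TokenServer`, `Kernel`, process ids, resource name and log line are all made up for the example. The data capability escapes the moment a debug line dumps the object's "private" state, exactly the programmer behaviour the message describes; the leaked descriptor integer is meaningless in another process's table, and the only thing that can still be leaked is the holder's willingness to proxy.

```python
"""Toy contrast: capabilities as data vs. capabilities as descriptors.

Illustration added alongside the cap-talk exchange; not the thread's code.
The kernel, pids, resource names and log lines are invented for the example.
"""
import re
import secrets


# ---- model 1: capability as data (an unguessable token the holder stores) ----
class TokenServer:
    """Honours any request that carries a valid token; nothing else is checked."""

    def __init__(self):
        self._caps = {}  # token (hex str) -> (resource, frozenset of rights)

    def mint(self, resource, rights):
        tok = secrets.token_hex(16)  # 128 random bits: unguessable, but copyable
        self._caps[tok] = (resource, frozenset(rights))
        return tok

    def invoke(self, tok, op):
        try:
            resource, rights = self._caps[tok]
        except KeyError:
            raise PermissionError("unknown capability") from None
        if op not in rights:
            raise PermissionError("right not held")
        return f"{op} on {resource}"


class TokenClient:
    def __init__(self, cap):
        self._cap = cap  # "private" by naming convention only


def demo_data_leak():
    """A routine state dump leaks the capability bits; the reader can use them."""
    server = TokenServer()
    client = TokenClient(server.mint("/secret/ledger", {"read"}))
    # Nothing in the language stops inspecting the object's state.
    log_line = "client state: " + repr(vars(client))
    # Whoever reads the log now holds the capability itself.
    stolen = re.search(r"'_cap': '([0-9a-f]{32})'", log_line).group(1)
    return server.invoke(stolen, "read")


# ---- model 2: capability as descriptor (index into a kernel-held table) ----
class Kernel:
    """Holds every capability; processes see only small integers."""

    def __init__(self):
        self._tables = {}  # pid -> {fd: (resource, rights)}
        self._next_pid = 1

    def spawn(self):
        pid = self._next_pid
        self._next_pid += 1
        self._tables[pid] = {}
        return pid

    def grant(self, pid, resource, rights):
        table = self._tables[pid]
        fd = len(table)
        table[fd] = (resource, frozenset(rights))
        return fd

    def invoke(self, pid, fd, op):
        # The kernel, not the program, decides what the integer refers to.
        try:
            resource, rights = self._tables[pid][fd]
        except KeyError:
            raise PermissionError("EBADF") from None
        if op not in rights:
            raise PermissionError("right not held")
        return f"{op} on {resource}"


class FdClient:
    def __init__(self, pid, fd):
        self.pid, self._fd = pid, fd


def demo_descriptor_leak():
    """The same state dump leaks only an integer that is useless elsewhere."""
    kernel = Kernel()
    victim, attacker = kernel.spawn(), kernel.spawn()
    client = FdClient(victim, kernel.grant(victim, "/secret/ledger", {"read"}))
    log_line = "client state: " + repr(vars(client))  # e.g. {'pid': 1, '_fd': 0}
    stolen_fd = int(re.search(r"'_fd': (\d+)", log_line).group(1))
    # The integer names a slot in the victim's table, not in the attacker's.
    try:
        return kernel.invoke(attacker, stolen_fd, "read")
    except PermissionError as exc:
        return str(exc)


def demo_proxy():
    """What no descriptor design prevents: the holder acting on someone's behalf."""
    kernel = Kernel()
    victim = kernel.spawn()
    fd = kernel.grant(victim, "/secret/ledger", {"read"})

    def victim_service(op):  # a careless or malicious holder proxies requests
        return kernel.invoke(victim, fd, op)

    return victim_service("read")  # the requester gets results, never the capability
```

Running `demo_data_leak()` returns the read result for the token's owner's resource, `demo_descriptor_leak()` returns "EBADF", and `demo_proxy()` returns the same read result as the first, which is the residual "ability to proxy" the thread refers to.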
