[cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.

Jonathan S. Shapiro shap at eros-os.org
Tue May 4 06:59:54 EDT 2004

On Tue, 2004-05-04 at 05:33, David Wagner wrote:
> David Hopwood writes:
> >If
> >we assume that all programs outside the TCB are maximally hostile, then there
> >is no point in limiting direct transfer of authority, because a hostile
> >program would bypass this by proxying the authority.
> Personally, I find this a much more convincing line of reasoning

I do too, but I think there is also an important weakness.

First, the notion of a single TCB is flawed. MarkM and I have long since
stopped using this term in this way. There does exist in any given
system a "universal TCB" (the set of stuff on which all programs
depend), but this TCB is rarely the one we care about.

TCB is something that should be defined from an application perspective.
It consists of the set of stuff on which that application depends.

Saying that "programs outside the TCB are maximally hostile" fails to
recognize that programs in distinct applications operate with different
incentives. They may all be hostile, but they may nontheless not be
cooperatively hostile.


More information about the cap-talk mailing list