[cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue May 4 13:30:52 EDT 2004


Jonathan S. Shapiro wrote:
> On Tue, 2004-05-04 at 05:33, David Wagner wrote:
>>David Hopwood writes:
>>
>>>If we assume that all programs outside the TCB are maximally hostile, then
>>>there is no point in limiting direct transfer of authority, because a hostile
>>>program would bypass this by proxying the authority.
>>
>>Personally, I find this a much more convincing line of reasoning
> 
> I do too, but I think there is also an important weakness.
> 
> First, the notion of a single TCB is flawed.

The argument doesn't depend in any way on there being a single TCB. It is
the assumption I was criticising that depends on there being a single TCB.

Maybe it would have been clearer to say: "If we assume that there is a single 
TCB and all programs outside it are maximally hostile, then there is no point
in limiting direct transfer of authority, [...]".

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
