[cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Thu May 6 20:11:23 EDT 2004


Ian Grigg wrote:
> Hello David,
> 
> David Hopwood wrote:
> 
>> I have to ask: why is another definition of capabilities needed?
>> Aren't the definitions in
>>  - Paradigm Regained <http://www.erights.org/talks/asian03/index.html>,
> 
> That paper seems to define *a* model of object
> capabilities.  For capabilities itself, it seems
> to refer to DVH.

There's no essential difference between object capabilities and what
people usually mean by "capabilities" in general.

(Split capabilities are different, and Posix capabilities are related
only in name.)

>>  - the "Ode" <http://www.erights.org/elib/capability/ode/index.html>,
> 
> Can you point to the definition of capabilities
> in that paper?

There are several (basically equivalent), but the one I prefer is the
section "Patterns of Cooperation Without Vulnerability" in
<http://www.erights.org/elib/capability/ode/ode-capabilities.html>.

> The impression I get from reading
> that paper is that anyone who understands what
> capabilities are will understand very well what
> the paper is talking about.  But, to someone
> coming in from the cold, there is a feeling of
> too much inner knowledge needed.
>
>>  - or on the C2 wiki <http://c2.com/cgi/wiki?CapabilitySecurityModel>,
>> sufficient?
> 
> All I could see there was:
> 
>   "A capability is similar to an object reference in
>   ObjectOrientedProgramming, an actor name (or mailbox)
>   in the ActorsModel, or a closure in the LambdaCalculus
>   (with local state), provided that any deviations from
>   pure object, actor, or lambda calculus computation
>   are prohibited."
> 
> That's not a definition, that's a reference to
> other definitions.

I suppose I consider it more useful to explain how capabilities relate to
other concepts than to imply that they are something new. This description
obviously assumes that the reader knows something about at least one of OO
programming, the actor model, or the lambda calculus.

In any case, before that there is

# A security model (CategorySecurityModel) in which all resources are
# referenced by "capabilities" that both designate the resource, and
# authorize access to it.

which is about as concise a definition as you're likely to find.

>  > This is not meant as a criticism: it would be really useful to know why
>  > "the capabilities people (them) and the nym people (us) haven't really
>  > seen eye to eye on the lucidity of each other's documentation."
> 
> I can't get much of a picture reading the above
> papers.  I can't sink my teeth into the words
> that come out.  I can't sit down and build it.
> (I've actually read them a few times each, I
> suspect.)
> 
> Jed's definition was clear, simple and something
> that I know that your average programmer could
> deal with.  Those papers mentioned above are for
> academics who are prepared to start at DVH and
> then read every paper thereafter 3 times.  I'm
> stuck in the world of average programmers,
> unfortunately.

Well, there are also introductory articles like:
   <http://www.eros-os.org/essays/capintro.html>
   <http://www.skyhunter.com/marcs/capabilityIntro/index.html>

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
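The concise definition quoted above, "capabilities" that both designate the resource and authorize access to it, and the C2 wiki's comparison with object references and closures, can be made concrete in a few lines. The following is an added example, not code from this thread or from any of the papers or projects it cites. It contrasts an ambient-authority design, where a string name designates a file and a global ACL plus a global "current principal" authorize it, with an object-capability design, where holding an unforgeable reference is both the designation and the authority, and where a read-only facet shows attenuation. Every name in it (makeFile, readOnly, attemptWrite, ambientStore, ambientOpen, the sample file path and principals) is invented for the example.

```javascript
'use strict';

// Added illustration, not code from the cap-talk thread or from any of the
// papers it cites. All names here (makeFile, readOnly, attemptWrite,
// ambientOpen, ambientStore, the sample file path and principals) are
// invented for this example.

// ---- Ambient-authority style -------------------------------------------
// Designation and authorization are separate: a string names the file, and
// a global ACL plus a global "current principal" decide access. The check
// depends on ambient state, not on anything the caller was explicitly given.
const ambientStore = {
  files: new Map(),          // name -> contents
  acl: new Map(),            // name -> Set of principals allowed to read
  currentPrincipal: null,    // ambient state consulted by every access
};

function ambientOpen(name) {
  const allowed = ambientStore.acl.get(name) || new Set();
  if (!allowed.has(ambientStore.currentPrincipal)) {
    throw new Error('access denied to ' + name);
  }
  return ambientStore.files.get(name);
}

function ambientDemo() {
  // Constructed sample data: one file, readable only by "alice".
  ambientStore.files.set('/constructed/secret.txt', 'top secret');
  ambientStore.acl.set('/constructed/secret.txt', new Set(['alice']));
  ambientStore.currentPrincipal = 'bob';
  let deniedAsBob = false;
  try { ambientOpen('/constructed/secret.txt'); } catch (e) { deniedAsBob = true; }
  ambientStore.currentPrincipal = 'alice';
  const readAsAlice = ambientOpen('/constructed/secret.txt');
  return { deniedAsBob, readAsAlice };
}

// ---- Object-capability style -------------------------------------------
// The reference both designates the file and authorizes use of it. The
// contents live in a closure; there is no name to look up and no global
// check. Holding the object is the only way to get at the data.
function makeFile(initial) {
  let contents = initial;                     // private to this closure
  return Object.freeze({
    read: () => contents,
    write: (text) => { contents = text; },
  });
}

// Attenuation: a facet that forwards only read. Frozen, so the holder
// cannot add a write method or reach the full object through it.
function readOnly(file) {
  return Object.freeze({ read: () => file.read() });
}

// Code handed a reference can do exactly what that reference offers.
function attemptWrite(fileRef, text) {
  if (typeof fileRef.write !== 'function') return false;  // authority absent
  fileRef.write(text);
  return true;
}

function capabilityDemo() {
  const full = makeFile('hello');        // constructed sample contents
  const ro = readOnly(full);
  const roWrote = attemptWrite(ro, 'changed via read-only facet');
  const afterRoAttempt = full.read();
  const fullWrote = attemptWrite(full, 'changed via full capability');
  return {
    roWrote,                           // false: the facet carries no write authority
    afterRoAttempt,                    // 'hello': contents untouched
    fullWrote,                         // true: the full reference authorizes the write
    finalContents: ro.read(),          // the facet still sees the current contents
    facetFrozen: Object.isFrozen(ro),  // true: cannot be amplified in place
  };
}
```

Run it with node and call ambientDemo() and capabilityDemo(). The design point is in what runUntrusted-style code receives: in the ambient version a caller that learns the path can ask, and the outcome depends on global state it never held; in the capability version the only way to write is to have been handed the full reference, and passing the read-only facet to a less trusted component is the "cooperation without vulnerability" pattern the Ode section refers to.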