[cap-talk] Re: "capabilities" as data vs. as descriptors -OS
security discussion, restricted access processes, etc.
alan.karp at hp.com
Tue May 11 17:29:47 EDT 2004
> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Norman Hardy
> Sent: Tuesday, May 11, 2004 2:21 PM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Re: "capabilities" as data vs. as
> descriptors -OS security discussion, restricted access processes, etc.
> On May 11, 2004, at 10:15 AM, Karp, Alan wrote:
> > Ian Grigg wrote:
> >> Who else agrees that design requirements for
> >> a capability system should include audits?
> > The ability to audit is an important feature of any
> commercial system.
> > It's hard to manage a system if you don't know what it's
> doing. It's
> > hard to find an error if you don't know what process did what when.
> It is very difficult to design the authority (capabilities)
> with which
> to access an audit trail produced by the foundations. There is a
> bottoming out problem.
> On the other hand it is possible to hand out capabilities whose
> invocation leaves a record accessible to whoever handed out such a
> capability. This does not involve hooks in the foundation.
Unless the foundation is there for other purposes. In a capability as designators system, all capability transfer within a machine must be mediated by the TCB. In a distributed environment like CU, where not proxying requires an explicit introduction, you also have the opportunity to audit capability transfers.
> cap-talk mailing list
> cap-talk at mail.eros-os.org
Technical Computing Research Group
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Alan H Karp.vcf
Size: 774 bytes
Desc: not available
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20040511/41d1f0bb/AlanHKarp.obj
More information about the cap-talk