[cap-talk] Re: "capabilities" as data vs. as descriptors -OS security discussion, restricted access processes, etc.

Karp, Alan alan.karp at hp.com
Tue May 11 17:29:47 EDT 2004

> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org 
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Norman Hardy
> Sent: Tuesday, May 11, 2004 2:21 PM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Re: "capabilities" as data vs. as descriptors -OS security discussion, restricted access processes, etc.
> On May 11, 2004, at 10:15 AM, Karp, Alan wrote:
> > Ian Grigg wrote:
> >>
> >> Who else agrees that design requirements for
> >> a capability system should include audits?
> >>
> >
> > The ability to audit is an important feature of any commercial system.
> > It's hard to manage a system if you don't know what it's doing.  It's
> > hard to find an error if you don't know what process did what when.
> It is very difficult to design the authority (capabilities) with which
> to access an audit trail produced by the foundations. There is a
> bottoming out problem.
> On the other hand it is possible to hand out capabilities whose 
> invocation leaves a record accessible to whoever handed out such a 
> capability. This does not involve hooks in the foundation.

Unless the foundation is there for other purposes.  In a capability as designators system, all capability transfer within a machine must be mediated by the TCB.  In a distributed environment like CU, where not proxying requires an explicit introduction, you also have the opportunity to audit capability transfers.

Alan Karp
Principal Scientist
Technical Computing Research Group
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
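The forwarder pattern in Norman Hardy's remark above (a capability whose invocation leaves a record for whoever handed it out, with no hook in the foundation), as an added Python illustration that is not part of this thread; `FileResource`, `AuditLog`, `make_audited_capability` and the sample contents are constructed names:

```python
from dataclasses import dataclass

class FileResource:
    """Underlying object (constructed sample); it has no audit hooks at all."""
    def __init__(self, contents):
        self._contents = contents

    def read(self):
        return self._contents

    def write(self, data):
        self._contents = data

@dataclass(frozen=True)
class AuditRecord:
    grantee: str
    method: str
    args: tuple

class AuditLog:
    """Held only by the grantor; the grantee never gets a reference to it."""
    def __init__(self):
        self.records = []

def make_audited_capability(target, grantee, log, allowed):
    """Return a forwarder exposing only `allowed` methods of `target`; each
    invocation appends an AuditRecord to `log`. Target and log are captured
    in closures, not stored as attributes (Python introspection can still
    reach them; an ocap language or kernel is what makes that boundary real)."""
    def make_method(name):
        def method(*args):
            log.records.append(AuditRecord(grantee, name, args))
            return getattr(target, name)(*args)
        return method

    forwarder = type("Forwarder", (), {})()
    for name in allowed:
        setattr(forwarder, name, make_method(name))
    return forwarder

def grantor_scenario():
    """Constructed scenario: grantor hands 'bob' a read-only audited
    capability, then inspects the log that only the grantor holds."""
    resource = FileResource("constructed sample contents")
    log = AuditLog()
    bob_cap = make_audited_capability(resource, "bob", log, ("read",))
    bob_cap.read()
    bob_cap.read()
    return log, hasattr(bob_cap, "write")
```

The grantee holds only the forwarder, so it can neither reach the raw object nor the log, while the grantor sees every call made through what it handed out.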
