[cap-talk] Re: "capabilities" as data vs. as descriptors -OS security discussion, restricted access processes, etc.
norm at cap-lore.com
Wed May 12 16:04:52 EDT 2004
On May 12, 2004, at 4:14 AM, Jonathan S. Shapiro wrote:
> On Tue, 2004-05-11 at 16:56, Norman Hardy wrote:
>> I am very curious on the difference you see between Lampson's
>> confinement problem
>> and what the Factory solves.
>> Quoting Lampson (at
>> We want to be able to confine an arbitrary program. This does not mean
>> that any program which works when free will still work under
>> confinement, but that any program, if confined, will be unable to leak
> One difference is that the Lampson paper is widely viewed as including
> covert channels within the set of "unauthorized channels" that must be
You may be right on the perception of Lampson's paper but I think the
scheme described at <http://cap-lore.com/CapTheory/KK/Derwent.html> is
well within the scope of potential applications that prompted Lampson's
paper. I think we should not say that confinement is an unsolved problem
when the factory supports applications such as this very well.
I read the 1996 patent at
some years ago.
It addresses perhaps all of the covert channels especially for a kernel
as small as Keykos or Eros.
It does not eliminate them but helps to greatly minimize and quantify
It provides for a trade-off between confinement overhead and allowed
There may be applications where capability confinement thwarts synergy.
Alan Karp observed that proxying does not bring two synergistic
capabilities together from across a barrier.