[cap-talk] Re: "capabilities" as data vs. as descriptors -OS security discussion, restricted access processes, etc.

Norman Hardy norm at cap-lore.com
Wed May 12 16:04:52 EDT 2004

On May 12, 2004, at 4:14 AM, Jonathan S. Shapiro wrote:

> On Tue, 2004-05-11 at 16:56, Norman Hardy wrote:
>> I am very curious on the difference you see between Lampson's
>> confinement problem
>> and what the Factory solves.
>> Quoting Lampson (at
>> http://research.microsoft.com/lampson/11-Confinement/WebPage.html):
>> We want to be able to confine an arbitrary program. This does not mean
>> that any program which works when free will still work under
>> confinement, but that any program, if confined, will be unable to leak
>> data.
> One difference is that the Lampson paper is widely viewed as including
> covert channels within the set of "unauthorized channels" that must be
> closed.

You may be right on the perception of Lampson's paper but I think the  
scheme described at
<http://cap-lore.com/CapTheory/KK/Derwent.html> is well within the  
scope of potential applications
that prompted Lampson's paper. I think we should not say that  
confinement is an unsolved problem when the factory supports  
applications such as this very well.

I read the 1996 patent at  
some years ago.
It addresses perhaps all of the covert channels especially for a kernel  
as small as Keykos or Eros.
It does not eliminate them but helps to greatly minimize and quantify  
It provides for a trade-off between confinement overhead and allowed  
covert bandwidth.

There may be applications where capability confinement thwarts synergy.
Alan Karp observed that proxying does not bring two synergistic  
capabilities together from across a barrier.

> shap
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
