[cap-talk] Re: keys to capabilities?
Toby Murray
toby.murray at dsto.defence.gov.au
Thu Nov 4 18:26:28 EST 2004
Sandro Magi wrote:
> Sandro Magi wrote:
>
>> Jed at Webstart wrote:
>>
>>> How then can I interpret the above statement that a process "doesn't
>>> ...
>>> have the capabilities, it merely has keys to them."?
>>>
>>> Does it have the right to access the resource? If so
>>> then it has the "capability." If not, then not.
>>
>> It has the capabilities, it simply does not have access TO the
>> capabilities. In cap-as-data systems, the process has the capability
>> and also has access to the capability. In cap-as-descriptors, it does
>> not have the latter.
>>
>> In both systems, the process has the capabilities. At least, this is
>> how I currently see it.
>
> Forgot to mention that this is why I think the XOR approach is not a
> cap-as-data system. What the process holds is not the designator that
> actually grants access to the resource. Since, the process does not
> have access TO the actual capability, it is not a cap-as-data system.
>
My view on this is that it is simply another level of indirection. In a
partitioned system, indirect references to caps are held (e.g. indices
into a c-list or whatever). Note in the Monash system, the confinement
mechanism didn't have to be used -- a process could hold the capability
directly. Using the XOR encryption of the capability's password ("random
nonce") just adds a level of indirection (I believe). In this sense,
when holding a confined cap, the process doesn't hold the cap itself (I
suppose), but an indirect reference. I guess it's an example of
partitioning in a caps-as-data system, where the key is partitioned, not
the capability.
I have heard this referred to as a "taxonomy-breaking example" (I think
it was MarkM or Jonathan, but I can't remember) and I think it sums it
up quite aptly. It is a caps-as-data system, but with mechanisms to do
confinement and auditability by partitioning.
> Sandro
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
--
Toby Murray
Software Engineer
Advanced Computer Capabilities Unit
Information Networks Division
DSTO, Australia
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
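The "partition the key, not the capability" idea discussed in the thread, as an added toy model in Python. This is not code from the thread, from the Monash system, or from any listed project: the ObjectStore (a password-capability store), the Confiner (the party that keeps the XOR nonce), the 16-byte passwords, the object values and the audit log are all assumptions of this constructed example. It shows the three cases the thread distinguishes: a process holding the capability as data (the raw password), a confined process holding only password XOR nonce (an indirect reference that is useless on its own), and the confiner re-assembling the key on the confined process's behalf, which is also where auditing can happen.

```python
import secrets


class ObjectStore:
    """Toy password-capability store (constructed model, not the Monash design).

    A capability is the pair (object id, password): whoever holds the
    password as data can invoke the object, so this is a caps-as-data system.
    """

    def __init__(self):
        self._objects = {}  # oid -> (password, value)

    def create(self, value):
        oid = len(self._objects) + 1
        password = secrets.token_bytes(16)  # 16-byte password is an assumption
        self._objects[oid] = (password, value)
        return (oid, password)  # the capability itself, held as plain data

    def invoke(self, oid, password):
        entry = self._objects.get(oid)
        if entry is None or not secrets.compare_digest(entry[0], password):
            raise PermissionError("invalid capability")
        return entry[1]


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class Confiner:
    """Partitions the key: the confined process gets password XOR nonce,
    the confiner keeps the nonce. Neither half alone grants access, so the
    confined process holds an indirect reference, not the cap as data."""

    def __init__(self, store):
        self._store = store
        self._nonces = {}   # oid -> nonce (the confiner's half of the key)
        self.audit_log = []  # every invocation made through the confiner

    def confine(self, cap):
        oid, password = cap
        nonce = secrets.token_bytes(len(password))
        self._nonces[oid] = nonce
        return (oid, xor_bytes(password, nonce))  # what the confined process holds

    def invoke_confined(self, confined_cap):
        oid, masked = confined_cap
        nonce = self._nonces.get(oid)
        if nonce is None:
            raise PermissionError("no confinement record for this object")
        self.audit_log.append(oid)  # confinement gives a natural audit point
        # Re-assemble the real password from the two halves and invoke.
        return self._store.invoke(oid, xor_bytes(masked, nonce))


def demo():
    """Run the three cases and return their outcomes for inspection."""
    store = ObjectStore()
    cap = store.create("payroll data")  # constructed sample object
    confiner = Confiner(store)
    confined = confiner.confine(cap)

    results = {"direct": store.invoke(*cap)}  # caps-as-data: works directly

    # The masked value is not a capability: presenting it to the store
    # (e.g. after leaking it to an unconfined party) is refused.
    try:
        store.invoke(*confined)
        results["masked_direct"] = "allowed"
    except PermissionError:
        results["masked_direct"] = "denied"

    # Only the confiner, holding the nonce, can turn it back into access.
    results["via_confiner"] = confiner.invoke_confined(confined)
    results["audit"] = list(confiner.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that the confined process still "has" the capability in the sense that it can exercise it, but what it holds as data is one share of the key; leaking that share to a third party grants nothing, and every exercise of the right passes through the holder of the other share, which is where confinement and auditing are enforced.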