[cap-talk] Re: keys to capabilities?
toby.murray at dsto.defence.gov.au
Thu Nov 4 18:26:28 EST 2004
Sandro Magi wrote:
> Sandro Magi wrote:
>> Jed at Webstart wrote:
>>> How then can I interpret the above statement that a process "doesn't
>>> have the capabilities, it merely has keys to them."?
>>> Does it have the right to access the resource? If so
>>> then it has the "capability." If not, then not.
>> It has the capabilities, it simply does not have access TO the
>> capabilities. In cap-as-data systems, the process has the capability
>> and also has access to the capability. In cap-as-descriptors, it does
>> not have the latter.
>> In both systems, the process has the capabilities. At least, this is
>> how I currently see it.
> Forgot to mention that this is why I think the XOR approach is not a
> cap-as-data system. What the process holds is not the designator that
> actually grants access to the resource. Since, the process does not
> have access TO the actual capability, it is not a cap-as-data system.
My view on this is it is simply another level of indirection. In a
partitioned system, indirect references to caps are held (eg. inidces
into c-list or whatever). Note in the Monash system, the confinement
mechanism didn't have to be used -- a process could hold the capability
directly. Using the XOR encryption of the capability's password ("random
nonce") just adds a level of indirection (I believe). In this sense,
when holding a confined cap. the process doesn't hold the cap itself (I
suppose), but an indirect reference. I guess its an example of
partitioning in a caps-as-data system, where the key is partitioned, not
I have heard this referred to as a "taxonomy-breaking example" (I think
it was MarkM but Jonathan but I can't remember) and I think it sums it
up quite aptly. It is a caps-as-data system, but with mechanisms to do
confinement and auditabilty by partitioning.
> cap-talk mailing list
> cap-talk at mail.eros-os.org
Advanced Computer Capabilities Unit
Information Networks Division
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
More information about the cap-talk