[cap-talk] ... enforcement - hope? Capabilities as clumsy, not
jed at nersc.gov
Mon Sep 27 18:23:12 EDT 2004

At 01:17 PM 9/27/2004, you wrote:
>Jed Donnelley writes:
> >I'm starting to wonder if there are some sort of capability
> >implementations that I'm unaware of that are raising this
> >concern about the cost for use of capabilities.
>For me, it's the converse: insufficient empirical evidence about the
>costs of object capabilities.
>(There are some reasons to wonder what the cost of capabilities might be,
>since capability design does require changing interfaces. For instance,
>as has been mentioned earlier, the standard Unix interface to programs
>would have to be changed.

Is that so? In what ways? On one of the capability based systems
I worked on (NLTSS) we went to a great deal of trouble to ensure
that the existing interface to the older OS that programs had been
written to didn't have to change. We made new interfaces available
for the few cases where people might want to manipulate capabilities
directly, but generally the old interfaces worked just fine. We also
went pretty far in an analysis of Unix circa 1985 and believed that
we could have done a similar thing for the Unix API. Of course if
the program you are writing is initiated with restricted rights (as
one hopes is typical) then it's a little like running chrooted. That
is, you have fewer resources directly available. If for some reason
a particular application needs more resources than it is nominally
given then of course it must get them somehow.

Still, the above seems a bit orthogonal to this issue:

>The standard C prototype for main() inherently
>fails to follow capability discipline. Of course, while anecdotes
>like these might suggest that we haven't yet quantified the cost of
>capabilities, they shouldn't be interpreted to mean that capabilities
>are a bad idea.)

I'd like to get a bit of clarification on the above. I have of course
programmed in C under both a c-list and a capabilities as data
model. I didn't have a problem with the standard C prototype for main().
Can you describe more specifically how the standard C prototype
for main() fails to follow a 'capability discipline'?