[cap-talk] POLA and Mungi / Iguana style APIs
toby.murray at dsto.defence.gov.au
Mon May 16 20:27:36 EDT 2005
I'm writing to see if I can get the list's opinion on APIs that attempt
to "hide" capabilities from the programmer.
The specific examples I have in mind are the Mungi / Iguana systems from
Uni NSW (http://www.disy.cse.unsw.edu.au/Software/Iguana/).
In the Iguana API (which I believe inherits a lot from Mungi), the
programmer presents an "Object ID" which designates the target of a
method invocation. The kernel then searches the c-lists of the caller to
find a capability that might grant the access. I believe that this is
done to hide the capabilities form the programmer in the common case
where operations on the protection domain aren't required (eg. to
achieve confinement or whatever)
With this system, has designation and authorisation been separated? Does
this separation reduce the ability to provide /enable POLA? More
specifically, does it allow the application to become "confused" and use
the wrong authority at the wrong time.
My suspicion is that it does allow the application to become confused
and as a result, reduces the ability of the capability system to promote
That said, I'd be interested in the opinions of others here with more
experience. Particularly those of Professor Heiser, who I believe is the
main architect of these systems.
While I understand the potential benefits of hiding the capabilities
form the programmer in order to provide a more comfortable system, I
believe that if the API instead called capabilities "object pointers"
(or some equivelent) then we get the familiarity without fear of losing
POLA. (I'm thinking Joe-E).
As an aside, I believe that Shap and Gernot has some discussion during
the early stages of the development of the ideas surrounding Iguana and
Coyotos that ultimately led to an "agreement to disagree" and to pursue
separate projects. I'm curious to know if this issue was discussed and
any conclusions that may have been reached by either party.
At the moment, I tend to feel that the only real way to get the benefits
of capabilities is by having the application handle them explicitly.
Furthermore, these benefits can be endhanced if the capabilities (or the
objects they address) themselves are reified in the user interface, such
that individual user actions map to capability (method) invocations. But
that's just me...
Advanced Computer Capabilities Unit
Information Networks Division
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
More information about the cap-talk