[cap-talk] POLA and Mungi / Iguana style APIs

Toby Murray toby.murray at dsto.defence.gov.au
Mon May 16 20:27:36 EDT 2005


I'm writing to see if I can get the list's opinion on APIs that attempt 
to "hide" capabilities from the programmer.
The specific examples I have in mind are the Mungi / Iguana systems from 
Uni NSW (http://www.disy.cse.unsw.edu.au/Software/Iguana/).

In the Iguana API (which I believe inherits a lot from Mungi), the 
programmer presents an "Object ID" which designates the target of a 
method invocation. The kernel then searches the c-lists of the caller to 
find a capability that might grant the access. I believe that this is 
done to hide the capabilities from the programmer in the common case 
where operations on the protection domain aren't required (e.g. to 
achieve confinement or whatever).

With this system, has designation and authorisation been separated? Does 
this separation reduce the ability to provide/enable POLA? More 
specifically, does it allow the application to become "confused" and use 
the wrong authority at the wrong time?
My suspicion is that it does allow the application to become confused 
and as a result, reduces the ability of the capability system to promote 
least authority.

That said, I'd be interested in the opinions of others here with more 
experience. Particularly those of Professor Heiser, who I believe is the 
main architect of these systems.

While I understand the potential benefits of hiding the capabilities 
from the programmer in order to provide a more comfortable system, I 
believe that if the API instead called capabilities "object pointers" 
(or some equivalent) then we get the familiarity without fear of losing 
POLA. (I'm thinking Joe-E).

As an aside, I believe that Shap and Gernot had some discussion during 
the early stages of the development of the ideas surrounding Iguana and 
Coyotos that ultimately led to an "agreement to disagree" and to pursue 
separate projects. I'm curious to know if this issue was discussed and 
any conclusions that may have been reached by either party.

At the moment, I tend to feel that the only real way to get the benefits 
of capabilities is by having the application handle them explicitly. 
Furthermore, these benefits can be enhanced if the capabilities (or the 
objects they address) themselves are reified in the user interface, such 
that individual user actions map to capability (method) invocations. But 
that's just me...

Thanks all,
Toby

-- 
Toby Murray
Advanced Computer Capabilities Unit
Information Networks Division
DSTO, Australia

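The two API styles the post contrasts, as an added illustration that is not code from Iguana, Mungi or the poster: a toy "kernel" where `invoke_by_id` takes only an Object ID and searches the caller's c-list (the Iguana-style lookup described above), beside `invoke_with_cap` where the presented capability both designates and authorises. The deputy, client, "billing" and "client_log" objects are constructed for the example; with the ID-based call the deputy's own authority is spent on whatever object its client names, while with explicit capabilities the client can only designate what it holds.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cap:                  # a kernel-tracked capability: object + rights
    obj: str
    rights: frozenset
class Kernel:
    def __init__(self):
        self.clists = {}    # protection domain -> set of Cap it holds
        self.objects = {}   # object id -> contents
    def grant(self, domain, cap):
        self.clists.setdefault(domain, set()).add(cap)
    def delegate(self, src, dst, cap):
        # Explicit style: a domain can only pass on a cap it actually holds.
        if cap not in self.clists.get(src, ()):
            raise PermissionError(f"{src} does not hold a cap for {cap.obj}")
        self.grant(dst, cap)
    def invoke_by_id(self, caller, obj, right, data=None):
        # Iguana-style: caller names an ID; kernel searches the caller's own c-list.
        for cap in self.clists.get(caller, ()):
            if cap.obj == obj and right in cap.rights:
                return self._perform(cap, right, data)
        raise PermissionError(f"{caller} has no '{right}' cap for {obj}")
    def invoke_with_cap(self, caller, cap, right, data=None):
        # Explicit style: the presented cap both designates and authorises.
        if cap not in self.clists.get(caller, ()) or right not in cap.rights:
            raise PermissionError(f"{caller} cannot '{right}' via {cap}")
        return self._perform(cap, right, data)
    def _perform(self, cap, right, data):
        if right == "write":
            self.objects[cap.obj] = data
        return self.objects.get(cap.obj)

def demo():
    k = Kernel()
    billing = Cap("billing", frozenset({"read", "write"}))  # deputy's private data
    log = Cap("client_log", frozenset({"write"}))           # what the client may use
    for c in (billing, log): k.grant("deputy", c)
    k.grant("client", log)
    k.objects["billing"] = "invoice #1"
    # 1) Object-ID API: deputy forwards the ID its client chose; kernel finds deputy's cap.
    k.invoke_by_id("deputy", "billing", "write", "junk")
    clobbered = k.objects["billing"]
    k.objects["billing"] = "invoice #1"
    # 2) Explicit API: client must hand over a cap; it never held one for billing.
    try: k.delegate("client", "deputy", billing)
    except PermissionError: pass
    k.delegate("client", "deputy", log)
    k.invoke_with_cap("deputy", log, "write", "hello")
    return clobbered, k.objects["billing"], k.objects["client_log"]
```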
