[cap-talk] Objects and Facets

Charles Landau clandau at macslab.com
Mon Aug 7 13:32:28 EDT 2006


At 8:47 AM -0700 8/7/06, Mark S. Miller wrote:
># By object, we mean the finest-grain unit to which separate direct access
># rights may be provided, such as a file, a memory page, or another subject,
># depending on the system.

Ah, by saying it is "finest-grain", you have indeed precisely and 
formally defined the term "object".

># Without loss of generality, we model restricted
># access to an object, such as read-only access to /etc/passwd, as simple
># access to another object whose behavior embodies the restriction, such as
># access to the read-only facet of /etc/passwd which responds only to queries.

>In KeyKOS, for
>example, each distinct start key to the same domain -- distinguished by its
>so-called data byte ("facet id") -- is a capability to a different object.

This sounds just like the "no facet" view I described. It's great to 
know we're in agreement on this.

>what EROS more clearly calls the "facet id"

(This is indeed clearer, and I hope some day this term actually makes 
it into the CapROS documentation.)

>For descriptive purposes, we often want to aggregate several objects into one
>composite. Such aggregation is purely subjective.

We are in complete agreement.

>In KeyKOS, a natural
>descriptive aggregate for many purposes is the process (domain) together with
>all the keys which designate the root node of that process (all start keys,
>domain key, node key).

Now I'm confused. A composite is an aggregation of objects, but keys 
are not objects, so why do you include those keys in the composite? I 
think you mean, all the objects designated by those keys.

In fact I think it would be correct to just say that the composite is 
all the objects designated by those keys, and omit the phrase "the 
process (domain) together with" above. The process alone isn't a 
well-defined object; it would work as a name for this composite.

>A KeyKOS domain is a composite.

Seems like we agree.

>Given some descriptive composite, those objects within
>the composite which are potentially designatable from outside the composite
>are facets of the composite.

For example, a start key with a particular facet id, which is outside 
the composite, designates an object in the composite and is a facet 
of the composite.

Unfortunately, we need some better terminology for describing 
composites, which is why many people are using the term "object" when 
they mean composite.

>The term facet is used
>only in relation to a composite. It is nonsensical to speak of a "facet of an
>object". Rather, one only has facets of composites.

>I endorse everything in David's message. His stance on terminology clarifies
>and accurately reflects how these terms are used at erights.org, in various
>papers I've co-authored, and in the "object-capability model" as stated in my
>thesis.

It seems to me you have gone beyond what David said:

At 1:19 PM +0100 8/7/06, David Hopwood wrote:
>there is a socket object ... The socket object
>is part of the implementation of the remote object

These are clearly composites, not finest-grain objects.
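An added illustration of the point quoted above, that restricted access is modelled as access to a different object whose behaviour embodies the restriction, and of KeyKOS-style start keys whose facet id selects that object. This is example code written for this page, not code from the thread or from KeyKOS, EROS or CapROS; the facet ids, operation names and class names are constructed.

```python
"""Added illustration (not from the thread or from KeyKOS): restricted
access modelled as a *different object*, selected by the facet id that a
start key carries, rather than as a permission flag checked by one object."""

# Constructed facet ids standing in for the KeyKOS start-key "data byte".
FULL_FACET = 0       # designates the object that accepts queries and updates
READ_ONLY_FACET = 1  # designates the object that answers queries only

FACETS = {FULL_FACET: {"read", "write"}, READ_ONLY_FACET: {"read"}}


class Domain:
    """The process-like thing behind all start keys. Each start key with a
    distinct facet id reaches a distinct object; the domain together with
    those objects is a composite, and the reachable objects are its facets."""

    def __init__(self, contents: str) -> None:
        self._contents = contents

    def read(self) -> str:
        return self._contents

    def write(self, new: str) -> None:
        self._contents = new

    def make_start_key(self, facet_id: int) -> "StartKey":
        if facet_id not in FACETS:
            raise ValueError(f"unknown facet id {facet_id}")
        return StartKey(self, facet_id)


class StartKey:
    """A capability. Holding it designates exactly one facet object; that
    facet's behaviour (not a check on the caller) embodies the restriction."""

    def __init__(self, domain: Domain, facet_id: int) -> None:
        self._domain, self.facet_id = domain, facet_id

    def invoke(self, op: str, *args):
        if op not in FACETS[self.facet_id]:
            # The read-only facet simply has no 'write' behaviour to invoke.
            raise AttributeError(f"facet {self.facet_id} has no operation {op!r}")
        return getattr(self._domain, op)(*args)


def demo() -> tuple:
    """Constructed scenario: a full key updates, a read-only key only reads."""
    doc = Domain("initial")
    full, ro = doc.make_start_key(FULL_FACET), doc.make_start_key(READ_ONLY_FACET)
    full.invoke("write", "updated")
    try:
        ro.invoke("write", "tampered")
        blocked = False
    except AttributeError:
        blocked = True
    return full.invoke("read"), ro.invoke("read"), blocked
```

Both keys reach the same underlying state, but the read-only key is a capability to an object that has no update behaviour at all, which is the sense in which it designates a different object.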
