[cap-talk] Another "core" principle - e.g. re purpose capabilities in dist. documents.
Jonathan S. Shapiro
shap at eros-os.com
Tue Dec 19 12:21:55 CST 2006
On Tue, 2006-12-19 at 12:30 -0500, Kevin Reid wrote:
> This case can be handled by using a different protocol. In your
> notation:
>
> sourceOfStorageCap->subdivide() -> fragmentCap
> someCap->deepCopyInto(fragmentCap) -> completion
>
> When the deepCopyInto is complete, fragmentCap, which was created
> locally and so is not membraned, has a copy of the data someCap
> provided by writing to its wrapped-fragmentCap through the membrane.
I see that this pattern will work, but I have to say that from the "can
developers maintain this idiom" perspective I am suspicious that it is
not an idiom that programmers can be relied on to build correctly.
Recall that this pattern is going to be common. It's not something that
"just" the security experts need to know how to do.
> In Mark Miller's most recent posting of a membrane program, the
> equivalent function, passing passive permissionless objects
> irrevocably, is handled by this part:
>
> def makeMembrane (target) {
>     ...
>     def wrap(wrapped) {
>         if (Ref.isData(wrapped)) {
>             # Data provides only irrevocable knowledge, so don't
>             # bother wrapping it.
>             return wrapped
>         ...
>
> Ref.isData provides the knowledge needed to pass information through
> the membrane. It is implemented by the capability to be wrapped
I think I had misunderstood this example then, because I had assumed
that isData() was somehow primitive. That is: I had originally read this
to mean that the argument in question was a data argument as opposed to
a capability argument (which made sense, but I see that in E this cannot
be what is going on, because all arguments are capabilities).
Why is it that the membrane policy can trust the answer provided by
isData()? I would appreciate some detail here, because I'm looking to
understand how we might go about duplicating that effect in an OS-based
system.
shap
--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
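The membrane idiom under discussion, with data passing through unwrapped and everything else wrapped and revocable, as an added example in JavaScript. This is not code from the thread and not Mark Miller's E membrane; names such as makeMembrane, asDry/asWet and runScenario are this example's own. It makes one assumption that should be stated plainly, because it is exactly the point Shapiro asks about: here isData is decided by the membrane from the value's type (JavaScript primitives stand in for E's passive data), whereas in the E program the quoted post says the answer comes from the capability being wrapped.

```javascript
// Added example (not from the cap-talk thread, nor Mark Miller's E code):
// a revocable membrane in JavaScript that, like the quoted E wrap(), lets
// "data" through unwrapped and wraps everything else in a Proxy.

// Assumption: JS primitives stand in for E's Ref.isData(). A primitive is
// immutable and cannot hold a reference, so it conveys knowledge but no
// authority, and revoking the membrane later could not take it back anyway.
function isData(x) {
  return x === null || (typeof x !== 'object' && typeof x !== 'function');
}

function makeMembrane(wetTarget) {
  let enabled = true;
  // Identity caches in both directions. Each crossing records original->proxy
  // in one map and proxy->original in the other, so a proxy handed back across
  // the boundary is unwrapped to its original instead of being wrapped twice.
  const wet2dry = new WeakMap();
  const dry2wet = new WeakMap();

  function check() {
    if (!enabled) throw new Error('membrane revoked');
  }

  // Handler for a proxy whose target lives on one side: `out` wraps values
  // leaving the target's side, `into` wraps values arriving from the other.
  function makeHandler(out, into) {
    return {
      get(t, prop) { check(); return out(Reflect.get(t, prop)); },
      set(t, prop, value) { check(); return Reflect.set(t, prop, into(value)); },
      has(t, prop) { check(); return Reflect.has(t, prop); },
      apply(t, thisArg, args) {
        check();
        return out(Reflect.apply(t, into(thisArg), args.map(into)));
      },
      construct(t, args) {
        check();
        return out(Reflect.construct(t, args.map(into)));
      },
    };
  }

  function cross(obj, cache, reverse, out, into) {
    if (isData(obj)) return obj;                // data: pass through as-is
    if (cache.has(obj)) return cache.get(obj);  // known original, or a proxy coming back (unwrap)
    const proxy = new Proxy(obj, makeHandler(out, into));
    cache.set(obj, proxy);
    reverse.set(proxy, obj);
    return proxy;
  }

  function asDry(wet) { return cross(wet, wet2dry, dry2wet, asDry, asWet); }
  function asWet(dry) { return cross(dry, dry2wet, wet2dry, asWet, asDry); }

  return { dry: asDry(wetTarget), revoke() { enabled = false; } };
}

// Constructed scenario: the "wet" side holds a document with a data field and
// a storage capability; the "dry" side only ever sees the membrane.
function runScenario() {
  const doc = {
    text: 'hello',
    storage: {
      fragments: [],
      subdivide() { const f = { contents: '' }; this.fragments.push(f); return f; },
    },
  };
  const { dry, revoke } = makeMembrane(doc);

  // Data crosses unwrapped, so the dry side can keep a local copy that is
  // not membraned: the locally created fragment from the post.
  const localFragment = { contents: dry.text };

  // Capabilities cross wrapped: the storage cap, and the fragment it hands out.
  const fragmentCap = dry.storage.subdivide();
  fragmentCap.contents = dry.text;  // the write reaches the wet side through the membrane

  revoke();
  const threw = (f) => { try { f(); return false; } catch (e) { return true; } };
  return {
    localCopy: localFragment.contents,               // 'hello': knowledge survives revocation
    wetFragment: doc.storage.fragments[0].contents,  // 'hello': the write landed before revoke
    docDead: threw(() => dry.text),                  // true: wrapped cap is dead
    fragmentDead: threw(() => fragmentCap.contents), // true: derived cap dies with the membrane
  };
}
```

Two things the type-based isData does not give you, and that a practitioner porting this to an OS-level system would have to decide separately: a deep-frozen object graph is data in E's sense but would be wrapped here (and a frozen target also collides with Proxy's invariants, so it needs explicit handling), and the membrane, not the object, is the party making the data-or-not decision. That second difference is the trust question raised in the post.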