[cap-talk] Capabilities vs. Classifications, Capabilities in Hardware.

David Wagner daw at cs.berkeley.edu
Sun Jan 1 01:06:25 EST 2006


John C. McCabe-Dansted writes:
>I understand pure software capabilities can be written on top of current 
>hardware architectures, but that leaves rogue hardware devices with the 
>ability to bypass the capabilities.

I fear that will still be true, even if we all use hardware that provides
(or claims to provide) support for capabilities.  If you want to posit
rogue or malicious hardware, then one can just as easily posit rogue or
malicious hardware that we think is capability-respecting but in fact
violates the rules.  In short, there is some minimum set of hardware
that's in your TCB, and if you don't trust that hardware, you're screwed.


More information about the cap-talk mailing list