[cap-talk] communication and capabilities

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Mon Jul 17 08:48:47 EDT 2006


Mark S. Miller wrote:
> David Hopwood wrote:
>> John Carlson wrote:
>>
>>> One issue I have with capability systems is that they seem to assume 
>>> that the communication path between objects is secure.
>>
>> They don't assume that; the concept of a capability system explicitly
>> requires it. That is, whatever protocol layer is responsible for securing
>> the communication path between objects is considered to be part of the
>> capability system "kernel".
> 
> Yes. However, here is an interesting gedanken experiment:
> 
> Imagine an objcap system, whether an objcap OS like DVH, KeyKOS, EROS or
> an objcap language like E. Now, break the above guarantee by providing a
> global ambient primitive that allows any object to unconditionally read
> any physical memory location. In such a system, no object can any longer
> keep any secrets, and there is effectively an uncontrolled bit channel
> from any stateful object to every other object that wants to listen.
> Confinement can no longer be distinguished from CC. This scenario is an
> extreme version of "assume we can't plug covert channels". Even in this
> hypothetical system, all the normal capability controls on what an
> object can *do* still apply.

Yes, provided that the original objcap system did not depend on keeping
secrets (e.g. cryptography).

However, the result is not an objcap system, because it violates the following
requirement (from <http://www.erights.org/talks/asian03/paradigm-revised.pdf>):

  While an instance is reacting, its addressable references are those in
  the incoming message, in the receiving instance's state, and in the
  literal data of the receiving instance's code. The directly accessible
  objects are those designated by addressable references.

(What is left implicit here is that an instance cannot do anything other
than react to a message.)

> This is very similar to the abstraction of
> authority used by the Joe-E project for reasoning about authority.
> 
> Similar but different: A SPKI-like certificate-based capability system
> requires only signed messages, not encrypted messages.

This is not an object capability system either.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
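A toy model of the gedanken experiment above, added here as an illustration and not code from the thread, from E, or from any of the objcap OSes named: two instances share no references, so a reference-graph confinement check says they are disconnected, yet once an ambient "read any memory" primitive exists one can broadcast bits to the other through its own state. The `memory` table, `ambientRead` and `canReach` are hypothetical names chosen for this example.

```javascript
// Every instance's state lives in this table, playing the role of physical
// memory. In a real objcap system nothing could enumerate it; the ambient
// primitive below is the hypothetical global that breaks that guarantee.
const memory = [];

// An instance in the objcap sense: the references it can address are the
// ones held in its state (plus whatever arrives in a message, not modelled).
function makeInstance(refs = {}) {
  const state = { refs, data: 0 };
  memory.push(state);
  return state;
}

// Reference-graph reachability: the check a confinement analysis performs.
// It only follows references, because that is all an objcap system lets
// an instance follow.
function canReach(from, to) {
  const seen = new Set();
  const stack = [from];
  while (stack.length) {
    const cur = stack.pop();
    if (cur === to) return true;
    if (seen.has(cur)) continue;
    seen.add(cur);
    stack.push(...Object.values(cur.refs));
  }
  return false;
}

// The hypothetical ambient primitive: unconditional read of any memory
// location. It yields bits, not references, so it confers no new authority
// to *do* anything, only to *learn*.
function ambientRead(addr) {
  return memory[addr].data;
}

// Sender stores a byte in its own state; a listener scans memory for it.
function sendByte(sender, byte) { sender.data = byte & 0xff; }
function listen(senderAddr) { return ambientRead(senderAddr); }

function demo() {
  const sender = makeInstance();    // holds no references at all
  const receiver = makeInstance();  // likewise; no path between them
  const senderAddr = memory.indexOf(sender);
  sendByte(sender, 0x41);
  return {
    // Confinement by references holds in both directions...
    confinedByRefs: !canReach(receiver, sender) && !canReach(sender, receiver),
    // ...yet the byte crosses anyway: confinement is indistinguishable
    // from a covert channel once the ambient primitive exists.
    received: listen(senderAddr),
  };
}
```

Deleting `ambientRead` (and with it `listen`) restores the addressable-references rule quoted above: `receiver` is back to reaching only what its state and incoming messages designate.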
