[cap-talk] A question on capabilities

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Jun 12 13:59:18 EDT 2006


> P.S. If others are interested in what other questions I got, 
> here are some of them:
> - Can capability systems help protect confidentiality and 
> enforce information flow policies?  (My view: No, 
> capabilities don't give you much leverage there.  To the 
> extent that you can use access control to prevent Alice from 
> getting access to the secret in the first place, capabilities can 
> help you get that access control right, but once Alice knows 
> the secret, it's very hard to prevent her from leaking it -- 
> and capabilities don't really help much with the latter problem.)

As Zooko pointed out, VOC can help protect confidentiality though it
cannot enforce the non-transfer of information. One appropriate reply
is, "and if you ever see any computer technology that can really enforce
the non-transfer of information, you let me know" :-)

> - Can capability systems be used in a distributed 
> environment, for instance to help secure mobile agents?

You can mention donutlab and darpabrowser for this; both systems already
do secure mobile agents.

> - Can you mix capability-style code with non-capability style code?
> For instance, can you mix some new code written in the 
> capability way with old legacy code not written in the 
> capability way?  (My view: You can, and you can get some 
> partial benefits, but to be honest, there are some real 
> limitations on how much this can help you, and the boundary 
> between the capability and non-capability world is often a 
> source of both frustration, because of the impedance 
> mismatch, and security holes.
> Capability style programming has a tendency to pervade the 
> system, in that you have to change the entire system from the 
> ground up if you really want to do things the capability way, 
> which does make it harder to adopt capabilities 
> incrementally.) 

A conservative answer on this is appropriate, but as the years go by, we
keep coming up with more solutions to more of these problems, solutions
that give you some useful benefits without buying the whole enchilada. A
more correct answer is, if you have a specific legacy-interface problem,
ask the community what might be done for that specific problem. You may
be pleasantly surprised.

--marcs


