[cap-talk] Network POLA, network accounting and capability databases?

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Jun 20 12:38:23 EDT 2006


Jed at Webstart wrote:
> At 02:17 AM 6/6/2006, John Carlson wrote:
> 
>>In any case, I think that quotas are necessary in order to prevent
>>"accidental" DoS attacks.  Thus someone might have limits
>>on the number of objects they can create, and other scarce
>>resources.
> 
> Ah.  Perhaps the above gave me an inkling.  I think you may be
> getting at the "account" issue.  I guess I'll throw out a general
> statement in this area and see if I get any reaction:
> 
> People ("users") are of course important in computing systems
> regardless of whether one uses an ambient authority model of
> computing or a capability model.  The main difference for capability
> models is where people come into play.  There are at least two
> places where I've seen them come into play:
> 
> 1.  Initial authentication and mapping that initial authentication
> to a set of permissions (authorities), and
> 
> 2.  Accounting - where people are given the right (authority)
> to use resources.
> 
> In my experience (others may and I hope do differ) this second #2
> (accounting) has been less well developed in capability systems.  In
> fact I'd be quite interested to explore a thread on accounting in object
> capability systems if anybody else has an interest in the topic.

Authority should (and does in a capability system) belong to processes,
not people; as a special case, resource authorities should also belong to
processes, not people.

A difference from most other authorities is that when a group of processes
share a quota, it is the sum of their resource usages that is limited. It
may be common for such groups to correspond to the set of processes in a
user's login session (or all sessions for a user if the system allows more
than one). However, that is just a special case.

The arguments in favour of allowing resource authorities to be freely
delegated, as opposed to placing user-based restrictions on such delegation,
are the same as for any other authority. It is also important to support
attenuation of resource authorities -- for example generating an authority
for a reduced quota from one that specifies a larger quota.

> If nobody else is interested I'd at least like to hear why not -
> e.g. because they believe it's a solved problem or because they
> believe it's intractable or otherwise not productive.

I don't believe it's a solved problem, and I do think it's an important
problem. OTOH, I don't think it's less well developed in capability operating
systems than in conventional operating systems. It is pretty badly developed
in most conventional OSes, at least the ones that are widely used.

(I agree that resource accounting needs more work in capability languages.
Act2 and Act3 had "sponsors" representing resource authorities, but that
does not seem to have been taken up by more recent cap languages.)

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
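[Editor's note: the following worked example is added here to illustrate the model David describes above (resource authorities held by processes, a shared quota limiting the sum of a group's usage, free delegation by passing the authority along, and attenuation to a smaller quota); it is not code from the post or from any of the systems mentioned. The class and method names, the unit-less "resource" being counted, and the two-process session scenario are all assumptions made for the illustration.]

```python
"""Quota as a delegatable, attenuable capability (added illustration, not from the thread).

A ResourceAuthority grants the right to consume up to `limit` units of some
resource. Any process holding the object (or an authority attenuated from it)
may charge against it; every charge is accounted against the authority and all
of its ancestors, so a group of processes sharing one authority is limited by
the SUM of their usage, not individually. Delegation is just handing the object
to another process; attenuation derives a new authority with a smaller limit
that cannot be used to reach the larger one.
"""


class QuotaExhausted(Exception):
    """Raised when a charge would exceed this authority or any ancestor."""


class ResourceAuthority:
    def __init__(self, limit: int, parent: "ResourceAuthority | None" = None):
        if limit < 0:
            raise ValueError("limit must be non-negative")
        self._limit = limit
        self._used = 0
        # Held privately: an attenuated holder must not be able to climb back
        # to the parent. In a real object-capability language this would be
        # enforced by the language; here it is only convention.
        self._parent = parent

    @property
    def limit(self) -> int:
        return self._limit

    @property
    def used(self) -> int:
        return self._used

    def remaining(self) -> int:
        """Units still available: own headroom bounded by every ancestor's headroom."""
        own = self._limit - self._used
        if self._parent is None:
            return own
        return min(own, self._parent.remaining())

    def attenuate(self, limit: int) -> "ResourceAuthority":
        """Derive an authority for a reduced quota from this (larger) one."""
        if limit < 0 or limit > self._limit:
            raise ValueError("attenuated quota must not exceed the parent's limit")
        return ResourceAuthority(limit, parent=self)

    def charge(self, amount: int) -> None:
        """Consume `amount` units, accounted against this authority and all ancestors."""
        if amount < 0:
            raise ValueError("amount must be non-negative")
        if amount > self.remaining():
            raise QuotaExhausted(f"need {amount}, only {self.remaining()} left")
        node = self
        while node is not None:
            node._used += amount
            node = node._parent

    def release(self, amount: int) -> None:
        """Return `amount` previously charged units along the same chain."""
        if amount < 0 or amount > self._used:
            raise ValueError("cannot release more than was charged here")
        node = self
        while node is not None:
            node._used -= amount
            node = node._parent


def demo() -> dict:
    """Constructed scenario: a login session's quota of 100 units shared by two
    processes, plus a reduced authority handed to a third-party helper."""
    session = ResourceAuthority(100)
    proc_a = proc_b = session            # sharing = holding the same reference
    proc_a.charge(60)
    proc_b.charge(30)
    try:
        proc_b.charge(20)                # 60 + 30 + 20 > 100: the sum is what is limited
        overrun = False
    except QuotaExhausted:
        overrun = True
    helper = session.attenuate(10)       # weaker authority delegated to a helper
    helper.charge(10)                    # fits: session had exactly 10 left
    try:
        helper.charge(1)
        helper_overrun = False
    except QuotaExhausted:
        helper_overrun = True
    proc_a.release(50)                   # freeing in the session does not widen the helper
    return {
        "overrun_detected": overrun,
        "helper_overrun_detected": helper_overrun,
        "session_used": session.used,
        "session_remaining": session.remaining(),
        "helper_remaining": helper.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is that a quota here is an ordinary object reference: whoever holds it can use it or pass it on, and the only way to give someone less is to hand them an attenuated child rather than the original. Because every charge walks the chain to the root, an attenuated holder can never spend more than its own limit nor more than the ancestors have left, and releasing in the parent does not enlarge an exhausted child.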