[cap-talk] Capabilities in C# (revised)
Mark S. Miller
markm at cs.jhu.edu
Thu Nov 2 19:45:59 CST 2006

Sandro Magi wrote:
> I took all the suggestions to heart and I've uploaded a revised version:
>
> http://higherlogics.com/Capabilities%20presentation.pdf

Hi Sandro, your presentation is excellent! Good job!
However, your choice of motivating example, especially on slide 4 "Let the
Conspiracy Begin", admits attack by covert timing channel. If, in tamed .NET,
"new Thread(...)" is considered safe, then mole can use resources in such a
way as to create detectable scheduling variations. The tabloid can run
multiple threads in order to run races, to get some information about
variabilities in scheduling. What variabilities are detectable will depend on
the implementation, but the existence of such timing channels is almost
inevitable within this overall framework.

When we give talks on CapDesk we often commit the same sin: We often use
confidentiality as our motivating example, whereas object-capabilities (or
pretty much anything else) can only make air-tight claims regarding integrity
and action.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM