[cap-talk] Manipulating an object with a secondary reference

Micah Brodsky micahbro at csail.mit.edu
Sun Nov 12 14:00:12 CST 2006

I've got a simple patterns question: What's a good way to manipulate an
object when named by a weak capability but when the necessary access
permissions are provided by a different, stronger capability? For example,
if you're passed an object A with a read-only capability to another object
B, and you want to manipulate object B with greater permissions than A's
capability, how should you do it? Should you just dig through your own
capabilities hunting for an applicable one? This seems like a very
un-capability-ish thing to do, but I'm not sure how to avoid it -- and it
seems a little reminiscent of a common issue in object oriented programming
where you need to test for "equality" of two objects even when their
references differ. 

(The particular issue in question is actually for a hybrid MLS-capabilities
system, a successor design to Asbestos. The problem is how to name the
capability necessary for declassifying a given taint. In Asbestos, the
capability was uniquely named by twiddling a few bits on the taint's
identifier. But, this led to a serious weakness where it was hard to provide
multiple different facet capabilities for a single object. We want to fix
this, but if you support many different facets, how do you map between them
and recognize that they refer to the same object? Having proxies seems like
it would further complicate this situation, although for now, we're not
planning to support proxies directly.)

Any thoughts?
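A constructed sketch of the situation the post describes, added here as an example and not taken from the post or from Asbestos: facets are opaque handles, an assumed kernel-style table maps each handle to its underlying object and rights, and the holder's own capability list is searched for a facet to the same object that carries the needed rights (the "dig through your own capabilities" approach), with the facet-equality test done by the kernel rather than by exposing the object itself.

```python
# Constructed model (not a real capability system): the Kernel owns the
# mapping from opaque facet handles to objects, so a facet reveals nothing
# about its target and "equality" of two facets has to be asked of the kernel.
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Facet:
    handle: int  # opaque id; holders cannot recover the object from it


class Kernel:
    def __init__(self):
        self._objects = {}  # object id -> stored value
        self._facets = {}   # facet handle -> (object id, frozenset of rights)
        self._ids = itertools.count(1)

    def create(self, value):
        oid = next(self._ids)
        self._objects[oid] = value
        return self.facet_for(oid, {"read", "write"})

    def facet_for(self, oid, rights):
        h = next(self._ids)
        self._facets[h] = (oid, frozenset(rights))
        return Facet(h)

    def attenuate(self, f, rights):
        # A new facet on the same object may only drop rights, never add them.
        oid, have = self._facets[f.handle]
        if not set(rights) <= have:
            raise PermissionError("requested rights exceed the facet's")
        return self.facet_for(oid, rights)

    def same_object(self, a, b):
        # Two facets are "equal" when they designate the same underlying object.
        return self._facets[a.handle][0] == self._facets[b.handle][0]

    def find_stronger(self, weak, held, rights):
        # Search the holder's own capabilities for one naming the object that
        # `weak` names and carrying every right in `rights`; None if absent.
        for f in held:
            _, have = self._facets[f.handle]
            if self.same_object(weak, f) and set(rights) <= have:
                return f
        return None

    def read(self, f):
        oid, have = self._facets[f.handle]
        if "read" not in have:
            raise PermissionError("facet grants no read right")
        return self._objects[oid]

    def write(self, f, value):
        oid, have = self._facets[f.handle]
        if "write" not in have:
            raise PermissionError("facet grants no write right")
        self._objects[oid] = value
```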