[cap-talk] Capabilities by example in C#
Stiegler, Marc D
marc.d.stiegler at hp.com
Tue Oct 31 19:47:47 CST 2006
Great Presentation! Some detail suggestions:

On slide "Capabilities Encapsulate Permissions", I think you want to explicitly state at the bottom that the Security Model must be shut off, because it adds no useful security, but it does prevent the principle-of-least-authority grants needed to enable full power operation even though security is in effect.

On slide "C# is NOT capability-secure", I think you want to say, "but a fully functional subset could be", i.e., do not let them leap to the false conclusion that you must trade away functionality.

On slide "User requests are unspoofable", I suggest putting 2 explicit references: to the DarpaBrowser report discussion of how CapDesk gives unspoofable access in a graphical windowing environment, and to How Emily Tamed the Caml, which discusses unspoofable access on a command line, both driven by powerboxes.

You do not discuss taming the libraries, which is a big effort and is necessary to enable ordinary programmers to actually write code that does not accidentally leak the universe, a process that is far more than just shutting off the authorities. I would suggest one slide to indicate there is a job to be done, with a single example. For Java, the example I always give is: if you want to give someone read-only authority on a file, it would appear natural to call the getReadStream method on the file and hand over the resulting stream. But if you do that, the recipient can "cast down" into a FileReadStream, which has the method getFile, which has the method getParent; the consequence is, handing over the readstream secretly leaks full authority over the user's whole directory system. C# is replete with similar things; indeed, the FileInfo data type may have exactly this same authority/taming bug. I have forgotten, it's been 2 years since I've used C#.

--marcs
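The "cast down" leak Marc describes, transposed to C# as an added example (not code from the slides or from anyone on the thread): a `Stream` handed out as read-only may really be a `FileStream`, whose public `Name` property yields the path and so, via `FileInfo.Directory`, authority over the parent directory. The `ReadOnlyFacade` class and the temp-file path are assumptions made for the demo; the .NET members used (`File.OpenRead`, `FileStream.Name`, `FileInfo.Directory`) are standard.

```csharp
using System;
using System.IO;

// Recipient of the "read-only" stream. Uses only public .NET API.
static class Untrusted
{
    // Returns the parent directory it can reach, or null if nothing leaks.
    public static string WhatCanISee(Stream s)
    {
        if (s is FileStream fs)                               // cast down succeeds
            return new FileInfo(fs.Name).Directory?.FullName; // directory authority leaked
        return null;                                          // facade: no path, no leak
    }
}

// Taming: a facade that forwards reads only and never exposes the inner stream.
sealed class ReadOnlyFacade : Stream
{
    private readonly Stream _inner;
    public ReadOnlyFacade(Stream inner) => _inner = inner;
    public override bool CanRead => true;
    public override bool CanSeek => false;
    public override bool CanWrite => false;
    public override long Length => throw new NotSupportedException();
    public override long Position
    {
        get => throw new NotSupportedException();
        set => throw new NotSupportedException();
    }
    public override void Flush() { }
    public override int Read(byte[] buffer, int offset, int count) => _inner.Read(buffer, offset, count);
    public override long Seek(long offset, SeekOrigin origin) => throw new NotSupportedException();
    public override void SetLength(long value) => throw new NotSupportedException();
    public override void Write(byte[] buffer, int offset, int count) => throw new NotSupportedException();
    protected override void Dispose(bool disposing)
    {
        if (disposing) _inner.Dispose();
        base.Dispose(disposing);
    }
}

static class Demo
{
    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "cap-demo.txt"); // constructed sample file
        File.WriteAllText(path, "hello");
        using (Stream naive = File.OpenRead(path))
            Console.WriteLine("naive: " + (Untrusted.WhatCanISee(naive) ?? "nothing"));
        using (Stream tamed = new ReadOnlyFacade(File.OpenRead(path)))
            Console.WriteLine("tamed: " + (Untrusted.WhatCanISee(tamed) ?? "nothing"));
        File.Delete(path);
    }
}
```

The naive call prints the temp directory; the tamed call prints "nothing", which is the whole point of taming: the facade carries the read authority and nothing else.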
> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Sandro Magi
> Sent: Tuesday, October 31, 2006 4:18 PM
> To: General discussions concerning capability systems.
> Subject: [cap-talk] Capabilities by example in C#
>
> This is my first crack at a set of slides explaining
> capabilities to C#/.NET developers:
>
> http://higherlogics.com/Capabilities%20presentation.pdf
>
> I welcome any suggestions. :-)
>
> I'll be writing up some slides on the web-calculus in .NET next.
>
> Sandro