[cap-talk] Capability-based Projects - theory vs. practice

Jonathan S. Shapiro shap at eros-os.com
Fri Aug 3 10:24:05 EDT 2007


On Thu, 2007-08-02 at 18:52 -0700, Jed Donnelley wrote:
> If we do that, however, then I guess Unix has to be considered
> a "capability"** system, as Unix open file descriptors can
> be communicated over pipes and can act in some sense as
> capabilities - as with Mach.

In spirit, the non-persistent portion of UNIX really *is* a capability
system, with the exception that the process space was handled through
IDs rather than descriptors. Plan 9 later resolved this, and it is not
unreasonable to view it as a deficiency resulting from hasty
implementation.

At the persistence boundary, of course, UNIX becomes an ACL-like system.

Given the historical complaints about capability system performance, it
is interesting to note that UNIX adopted file descriptors (which are
nearly capabilities) for performance reasons...

> However, I note that if we take that tack then we significantly
> thin the ranks of 'capability' systems. By that criterion I think
> we must eliminate all the language-based systems, Emerald,
> Network Objects, and E just as examples that come to mind?

I'm not clear that we need to eliminate these. It is a question of
consistent use of the model. Just as Mach or EROS sit on top of a
non-capability hardware system, E sits on top of a non-capability host
system. Within the respective environments of EROS and E, however, the
capability model is purely preserved.

Does this seem like a reasonable litmus test?

> 1967: Magic Number Machine - University of Chicago   *****?????

I have the docs somewhere. I'll check whether caps were durable. Note
that the Chicago Magic Number Machine is an interesting case.
Capabilities were protected and directly implemented by hardware.
Further, it appears to have had an operation comparable to the (un)seal
pattern.

> 1973: System/38 - IBM               ?????

A.K.A. AS/400. This one is delegate. To my knowledge, the only serious
OS for S/38 was OS/400, which is definitely not a capability OS.

> 1984: SCAP - Cambridge University         ???????

SCAP is Paul Karger's work. It is a hybrid system implementing an
intersection of capability and principal-based controls. I have the SCAP
thesis online somewhere.


shap
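The point above about descriptors being delegable while names stay ACL-checked, as an added C example that is not part of the thread: a parent process creates a file, unlinks its name, and hands only the open descriptor to a child over a Unix-domain socket with SCM_RIGHTS; the child, which can no longer open the file by name, still reads it through the descriptor it was given. The /tmp scratch path and the function names are assumptions of the example.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Hand one descriptor to the peer over a Unix-domain socket (SCM_RIGHTS). The
 * kernel installs a fresh entry in the receiver's table: new number, same open file. */
static int send_fd(int sock, int fd) {
    char byte = 'F', ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns it, or -1 on error. */
static int recv_fd(int sock) {
    char byte, ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c; int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1 || !(c = CMSG_FIRSTHDR(&msg))) return -1;
    if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Parent creates a file, unlinks its name (unreachable through the ACL-checked namespace
 * from here on) and delegates only the descriptor. Returns 1 if the child could still read it. */
int delegate_fd_demo(void) {
    char path[] = "/tmp/captalk-XXXXXX";          /* constructed scratch file (assumption) */
    const char *secret = "capability";
    int sv[2], status = 0, fd = mkstemp(path);
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (write(fd, secret, strlen(secret)) < 0 || lseek(fd, 0, SEEK_SET) < 0) return 0;
    unlink(path);                                  /* name gone; only the descriptor remains */
    pid_t pid = fork();
    if (pid == 0) {                                /* child: holds nothing but what it is handed */
        close(sv[0]); close(fd);
        char buf[32] = {0}; int got = recv_fd(sv[1]);
        ssize_t n = got < 0 ? -1 : read(got, buf, sizeof buf - 1);
        _exit(n > 0 && strcmp(buf, secret) == 0 ? 0 : 1);
    }
    close(sv[1]);
    if (pid > 0) { send_fd(sv[0], fd); waitpid(pid, &status, 0); }
    close(sv[0]); close(fd);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```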
