[cap-talk] Capability-based Projects - theory vs. practice
David Hopwood
david.hopwood at industrial-designers.co.uk
Fri Aug 3 11:52:58 EDT 2007
Mark Miller wrote:
> A persistent E vat checkpoints some of its state to its checkpoint
> file on the file system. Such a checkpoint file records the persistent
> capabilities that its vat holds to objects in other vats as
> cap-as-data URIs. So, inter-vat, E provides only cap-as-data security,
> both for ephemeral caps and for persistent caps.
That's not quite right. The programming model treats all capabilities,
including cross-vat capabilities, as opaque. The implementation of that
model uses caps-as-data, but the implementation cannot normally be
accessed by an E program (assuming the program does not have authority
to write [*] to the E implementation's private files, including the
checkpoint file, or otherwise interfere with its low-level operation).
So it is possible for an E program that spans multiple vats to be confined.
[*] It does not matter whether the program can read these files, or
otherwise obtain the representation of a cap-as-data, provided that
it does not have authority (e.g. to the introducer) needed to convert
this representation to a live reference.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
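As an added illustration of the distinction drawn above (not E's implementation and not from either poster), a small Python model in which a persistent capability is checkpointed as a cap-as-data URI, and converting that URI back into a live reference requires a separate introducer authority; the names Introducer, Counter, write_checkpoint and confined_program are hypothetical:

```python
import json
import secrets


class Introducer:
    """Hypothetical model of the authority that turns a cap-as-data URI back into a
    live reference. In this toy the table is local; a real system would contact the
    named vat, which checks the designator."""

    def __init__(self, vat_id: str):
        self.vat_id = vat_id
        self._live = {}  # unguessable designator -> live object

    def export(self, obj) -> str:
        swiss = secrets.token_hex(16)  # 128-bit designator, constructed at random
        self._live[swiss] = obj
        return f"cap://{self.vat_id}/{swiss}"

    def resolve(self, uri: str):
        vat, swiss = uri[len("cap://"):].split("/", 1)
        if vat != self.vat_id or swiss not in self._live:
            raise LookupError("no live object for this designator")
        return self._live[swiss]


class Counter:
    """Stands in for an object exported by some other vat."""

    def __init__(self):
        self.n = 0

    def bump(self) -> int:
        self.n += 1
        return self.n


def write_checkpoint(introducer: Introducer, held: dict) -> str:
    # Persistent caps are recorded in the checkpoint as cap-as-data URIs.
    return json.dumps({name: introducer.export(obj) for name, obj in held.items()})


def confined_program(checkpoint_text: str, authorities: dict) -> dict:
    """Models a program that can read the checkpoint file. Reading yields only the
    URI strings; a live reference is obtained only if an introducer was granted."""
    uris = json.loads(checkpoint_text)
    intro = authorities.get("introducer")
    if intro is None:
        return {"read_uris": list(uris.values()), "live": None}  # data, not authority
    return {"read_uris": list(uris.values()), "live": intro.resolve(uris["counter"]).bump()}
```

Run with an empty `authorities` dict the program sees the URI but cannot invoke the counter; with the introducer granted, the same URI resolves and the remote object is affected.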