[cap-talk] Capability-based Projects - theory vs. practice
Mark Miller
erights at gmail.com
Sat Aug 11 14:20:12 EDT 2007
Suggestion: Would anyone like to start a capability history page at
wikipedia, or at least <http://wiki.erights.org>? Then we'd have a
place to accumulate refinements like the observations below.

On 8/11/07, Dean Tribble <tribble at e-dean.com> wrote:
> Additional capability systems and/or efforts. MarkM: please verify :)
>
> I think that the FCP system (Flat Concurrent Prolog, by Udi Shapiro and the
> Weizmann Institute) was a capability-based system.

As a programming language, FCP is indeed an ocap system. But the Logix
operating system, building a virtualized FCP OS-like environment in
FCP, was done without ocap security as a goal, and so accidentally
introduced ambient authority. When we explained the ocap nature of FCP
(e.g., in the Logical Secrets paper), Udi was very receptive. He went
on to form a distributed collaboration startup company that he later
sold to, I think, AOL for some real money. I think his architecture
did realize and utilize the ocap nature of FCP. But I'm not sure. I
don't remember the name of the company.

> Janus and other
> concurrent constraint systems by Vijay Saraswat in the FCP tradition were
> also capability systems.
> 1986: Vulcan Project - Ken Kahn (and MarkM and me and others) @ Xerox PARC
> An actor language layered on FCP.
Janus, Vulcan, and all the other variants that emerged from the Vulcan
project were true ocap systems.

> Joule started in 1988 or early 1989.
That's about right, but I don't know precisely when Joule started.

> ToonTalk, by Ken Kahn, is actually a capability system, in spite of being a
> programming environment for children. I think it started around 1994.
Again, I don't know precisely when it started, but that seems right.
Everything else you say is correct.

> 1994: Corbamite - Agorics/SunLabs
> This was a C++ system vaguely related to Corba, but using capabilities. The
> actual network security enforcement was never implemented, but the
> components were all designed following that approach. It was the second
> attempt to apply Joule insights to a sequential programming system (Promises
> in Xanadu was the first), and contributed a lot to later E designs.

This went by several names, of which Corbamite was one of the shortest
lived. When I refer back to this project, I say "WebMart", by which I
include both the C++/Tclio incarnation and the later Java-based
incarnation. Only the earlier incarnation did local language caps
(Tclio was sorta a capability taming of Tcl). The latter's Java was
coded as if we had something like Joe-E, which we never did, so really
it was only a distributed cap system. Except...

All of the above projects created a captp-like layer which would have
given distributed cap security *if* it were layered on a vattp-like
link encryption layer. The first system in this family to actually do
the hard and crucial work to integrate the crypto was Original-E at
Electric Communities, thanks to the heroic crypto work of Bill Frantz.
Because of export controls, the distributed security of open source E
was separately due to the heroic work of Tyler Close (living on
Anguilla at the time).

> 1995: GuardOS - Agorics
> This is/was a KeyKOS derivative for Sparc and eventually other platforms.
> It got to the point of emulating enough Solaris to host Java and let us
> experiment with running Agorics' Java applications on it.

You and others on this list know much more about this one than I do.

As we've seen from earlier discussions on cap-talk, persistence was
also a frequent blind spot of ocap efforts. WebMart, ToonTalk, and
GuardOS had it. I'm not sure which of the others above did.

--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM