[cap-talk] Capability-based Projects - theory vs. practice
Charles Landau
clandau at macslab.com
Mon Aug 13 22:10:26 EDT 2007
At 9:16 AM -0700 8/11/07, Norman Hardy wrote:
>Here is a note I wrote some time ago on Mach and Aegis vs. Keykos:
>http://cap-lore.com/CapTheory/KK/Contrasts/cont.html
>
>A major shortcoming of Mach in my opinion (described above) is that if
>(1) you and I are on the same capability platform
>(2) I find a bug in the file logic allowing me to run code with the
>authority of the file logic.
>
>then I can read and write your files.
>
>In the same situation with Keykos the integrity of your application
>depends only on the way you use the file system.
>I can corrupt only my own files.
>
>In short all files are served by the same object in Mach (and thus
>Mac OS X).
>In Keykos each file gets its own isolated object and only the
>immutable code is shared.
In any ocap system, the file system can be implemented either way. If
I'm not mistaken, in EROS (to the extent it had a file system) there
was a single process serving all files. I believe this was done for
performance reasons - traversing directory paths can be done without
context switches.
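To make the blast-radius point in the thread concrete, here is an added Python model (my own illustration, not code from KeyKOS, Mach, EROS or the post): the same file logic, with a constructed missing-check bug, instantiated once over every file (Mach-style) and once per file (KeyKOS-style); the names FileLogic, mach_style and keykos_style are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class File:
    name: str
    owner: str
    data: str

# Constructed sample files: two users sharing one capability platform.
FILES = [File("alice.txt", "alice", "alice's notes"),
         File("bob.txt", "bob", "bob's notes")]

class FileLogic:
    """The file code itself; identical in both designs. What differs is
    only which File references an instance is handed at creation."""
    def __init__(self, files):
        self._files = {f.name: f for f in files}

    def read(self, caller, name):
        f = self._files[name]
        if f.owner != caller:
            raise PermissionError(name)
        return f.data

    def read_unchecked(self, name):
        # Stand-in for "a bug in the file logic": the owner check is missing,
        # so a caller effectively runs with this instance's full authority.
        return self._files[name].data

def mach_style(files=FILES):
    """One server object holds a reference to every file."""
    return FileLogic(files)

def keykos_style(files=FILES):
    """One isolated object per file; each holds exactly one reference."""
    return {f.name: FileLogic([f]) for f in files}

def leaked(obj, victim_file):
    """Data the buggy path exposes, or None when the object holds no
    reference to that file (in an ocap system, unreachable is unreadable)."""
    try:
        return obj.read_unchecked(victim_file)
    except KeyError:
        return None
```

The interesting comparison is `leaked(mach_style(), "bob.txt")` against `leaked(keykos_style()["alice.txt"], "bob.txt")`: the same defect leaks the other user's file only in the design where the buggy code holds references to every file.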