[cap-talk] Summer of Code
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Mon Feb 26 21:36:20 CST 2007
James A. Donald wrote:
> The OLPC operating system, Bitfrost, where everything runs in a chrooted VM
> sandbox, is a big step in this direction, but it is still chrooted Linux
> for compatibility with existing code, therefore fundamentally
> permissions based, not capabilities based.
Bitfrost uses real container-based VMs, so I think I could reasonably
get away with calling it a capability system at the granularity level of
the entire program. If the goal is to do capabilities at the granularity
level of the subcomponents of a running binary, not only do you have to
write black magic kernel support for it, but programs need to be
explicitly (re)designed to run securely on the resulting platform. This
is a worthwhile goal, but one that I see as rather far off in the
future, which is why I chose the pragmatic approach for Bitfrost.
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D