[cap-talk] Wikipedia: Object-capability model
Mark S. Miller
markm at cs.jhu.edu
Fri Jan 5 10:15:27 CST 2007
Ka-Ping Yee wrote:
> I think it's high time Wikipedia had an article entitled
> "Object-capability model". Here's what i think should go in the
> main definition of the term:
> - Objects access or designate other objects through unforgeable
> references (pointers).
> - Computation is performed by sending messages along these
> references to other objects.
> - One comes to have a reference to an object via (a) creation,
> (b) endowment, or (c) introduction.
> Is that enough for a precise definition?
No, but it's a great start. It probably is the right thing for a high level
summary on the wikipedia page, given that the reader is referred elsewhere for
a more precise statement. The one thing I would add to it, even as a summary,
is "(d) initial conditions".
* It doesn't account for how local naming preserves distinctions. That's why
there's all this stuff about "index" in Section 9.1 "The Object-Capability
Model". This logic needs to be stated to account for how (and how much) an
object can come to know about other objects by interacting with them. Without
this, one cannot precisely account for confused deputy issues. See for example
previous e-lang discussions about "c-lists as sets" vs "c-lists as maps".
* It doesn't explain how new code enters the system. My attempt to state the
issues here precisely, in my Chapter 10, is the least clear part of my thesis,
and the one most needing a rewrite. However, without making these points, it's
hard to say why existing memory safe encapsulated object languages like Java
and Smalltalk are not object-cap languages.
* It doesn't say that an object is *only* able to (overtly) affect the world
outside itself according to the references it holds, and is only able to be
affected by the world outside itself according to those who hold references to it.
> (The rest of the article, which i hope you will all help me write,
> can cite systems and papers and compare the specific meaning of
> "object-capability" to the usage of "capability" in security theory
> and the usage of "capability" in practice.)
I think it's a great idea! Please do!
Text by me above is hereby placed in the public domain
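Added example, not from this post or from any E or cap-talk code: the three reference-acquisition routes in the summary above (creation, endowment, introduction) plus the "only via references it holds" rule, shown in plain JavaScript with frozen closures standing in for unforgeable references. It also shows two ocap idioms that follow from that rule, an attenuating read-only facet and a revocable caretaker, which the post does not spell out. All names (makeStore, makeCaretaker, makeReader, makeAuditor, scenario) are assumptions made for the example.

```javascript
'use strict';
// Added illustration of the object-capability model (not code from the post).
// Each object is a frozen closure; nothing can reach an object without holding
// a reference, and references arrive only by (a) creation, (b) endowment,
// (c) introduction, or (d) initial conditions (what top-level code hands out).

// (a) creation: the caller of makeStore is the sole holder of the new reference.
function makeStore() {
  const data = new Map();
  return Object.freeze({
    put(key, value) { data.set(key, value); },
    get(key) { return data.get(key); },
    has(key) { return data.has(key); },
  });
}

// Attenuation: a facet that forwards only the non-mutating messages.
// Whoever holds this facet cannot call put(), because no such message exists on it.
function makeReadOnly(store) {
  return Object.freeze({
    get: (k) => store.get(k),
    has: (k) => store.has(k),
  });
}

// Revocation (caretaker pattern): the forwarder relays messages to the target
// until the revoker is used, after which the held reference becomes useless.
function makeCaretaker(target) {
  let t = target;
  const forwarder = Object.freeze({
    get: (k) => { if (!t) throw new Error('revoked'); return t.get(k); },
    has: (k) => { if (!t) throw new Error('revoked'); return t.has(k); },
  });
  const revoker = Object.freeze({ revoke() { t = null; } });
  return { forwarder, revoker };
}

// (b) endowment: the reader receives its store facet when it is created and has
// no other way to reach any store (no ambient globals are consulted).
function makeReader(facet) {
  return Object.freeze({
    describe(key) {
      return facet.has(key) ? `${key}=${facet.get(key)}` : `${key} absent`;
    },
  });
}

// (c) introduction: an object that already holds a reference passes it to
// another object as a message argument.
function makeAuditor() {
  let source = null;
  return Object.freeze({
    introduce(facet) { source = facet; },
    check(key) { return source ? source.has(key) : false; },
  });
}

// Scenario: the reference graph is built purely by the three operations above.
function scenario() {
  const store = makeStore();                                   // (a) creation
  store.put('secret', 42);                                     // constructed sample data
  const { forwarder, revoker } = makeCaretaker(makeReadOnly(store));
  const reader = makeReader(forwarder);                        // (b) endowment
  const auditor = makeAuditor();
  auditor.introduce(forwarder);                                // (c) introduction
  const before = [reader.describe('secret'), auditor.check('secret')];
  revoker.revoke();
  let afterError = null;
  try { reader.describe('secret'); } catch (e) { afterError = e.message; }
  // The reader only ever held an attenuated, revocable facet, so it could
  // neither write to the store nor keep reading once the facet was revoked.
  return { before, afterError, readerCanPut: typeof forwarder.put === 'function' };
}
```

Run `scenario()` to see the graph in action: before revocation both the endowed reader and the introduced auditor can observe the store, and after revocation the reader's calls fail. The point of the scenario is the third summary rule, that an object's authority is exactly the set of references it holds, which is what makes attenuation and revocation expressible as ordinary objects.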