[cap-talk] Wikipedia: Object-capability model

Ben Laurie benl at google.com
Sat Jan 6 11:23:00 CST 2007


On 1/5/07, Mark S. Miller <markm at cs.jhu.edu> wrote:
> Ka-Ping Yee wrote:
> > I think it's high time Wikipedia had an article entitled
> > "Object-capability model".  Here's what i think should go in the
> > main definition of the term:
> >
> >     - Objects access or designate other objects through unforgeable
> >       references (pointers).
> >
> >     - Computation is performed by sending messages along these
> >       references to other objects.
> >
> >     - One comes to have a reference to an object via (a) creation,
> >       (b) endowment, or (c) introduction.
> >
> > Is that enough for a precise definition?
>
> No, but it's a great start. It probably is the right thing for a high level
> summary on the Wikipedia page, given that the reader is referred elsewhere for
> a more precise statement. The one thing I would add to it, even as a summary,
> is "(d) initial conditions".
>
> * It doesn't account for how local naming preserves distinctions. That's why
> there's all this stuff about "index" in Section 9.1 "The Object-Capability
> Model". This logic needs to be stated to account for how (and how much) an
> object can come to know about other objects by interacting with them. Without
> this, one cannot precisely account for confused deputy issues. See for example
> previous e-lang discussions about "c-lists as sets" vs "c-lists as maps".
>
> * It doesn't explain how new code enters the system. My attempt to state the
> issues here precisely, in my Chapter 10, is the least clear part of my thesis,
> and the one most needing a rewrite. However, without making these points, it's
> hard to say why existing memory safe encapsulated object languages like Java
> and Smalltalk are not object-cap languages.

Lack of opacity, see my previous mail :-)

I don't think this is to do with how code enters the system (via
capabilities presumably is the answer to that!).

>
> * It doesn't say that an object is *only* able to (overtly) affect the world
> outside itself according to the references it holds, and is only able to be
> affected by the world outside itself according to those who hold references to it.

That is surely a consequence of the object capability model, once
fully specified. If you have to make this a basic property, then
you've left way too much unsaid!

>
>
>
> > (The rest of the article, which i hope you will all help me write,
> > can cite systems and papers and compare the specific meaning of
> > "object-capability" to the usage of "capability" in security theory
> > and the usage of "capability" in practice.)
>
> I think it's a great idea! Please do!
>
> --
> Text by me above is hereby placed in the public domain
>
>      Cheers,
>      --MarkM
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
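The four ways of acquiring a reference named in the thread (creation, endowment, introduction, initial conditions), the attenuation of authority through a facet, and the "only affect the world through the references you hold" property can all be shown in a few dozen lines. The following is an added illustration written for this page, not code from the thread or from any of the systems it mentions; it uses JavaScript closures as the unforgeable-reference mechanism and Object.freeze to stop a holder from tampering with an object it was handed. All object and message names (makeStore, makeLogger, makeAuditor, bootstrap, and so on) are constructed for the example.

```javascript
// Added example, not from the thread: a minimal object-capability sketch.
// Closures make references unforgeable (the Map below is reachable only
// through the functions that close over it), and Object.freeze prevents a
// holder from modifying the object it was given.

// Creation: makeStore creates a new object, and its creator holds the only reference.
function makeStore() {
  const data = new Map(); // private state: no global name, no forgeable address
  return Object.freeze({
    read: (key) => data.get(key),
    write: (key, value) => { data.set(key, value); },
    keys: () => [...data.keys()],
  });
}

// Attenuation: a read-only facet forwards only the read and keys messages,
// so holding the facet confers strictly less authority than holding the store.
function makeReadOnlyFacet(store) {
  return Object.freeze({
    read: (key) => store.read(key),
    keys: () => store.keys(),
  });
}

// Endowment: the logger is handed a writable store when it is created and keeps
// that reference in its closure; nothing reachable from the logger exposes it.
function makeLogger(store) {
  let entries = 0;
  return Object.freeze({
    log: (message) => {
      entries += 1;
      store.write(`entry-${entries}`, message);
      return entries;
    },
  });
}

// Introduction: the auditor is created with no store reference at all; it can
// only inspect whatever readable object a caller passes it as a message argument.
function makeAuditor() {
  return Object.freeze({
    countEntries: (readable) =>
      readable.keys().filter((k) => k.startsWith("entry-")).length,
  });
}

// Initial conditions: the starting object graph. Only bootstrap() holds the
// writable store; the logger receives it by endowment, and the auditor is later
// introduced to a read-only facet and nothing more.
function bootstrap() {
  const store = makeStore();
  const logger = makeLogger(store);
  const auditor = makeAuditor();
  const readOnly = makeReadOnlyFacet(store);

  logger.log("service started");
  logger.log("request handled");

  return {
    // The auditor sees both entries through the facet it was introduced to.
    entriesSeenByAuditor: auditor.countEntries(readOnly),
    // The facet carries no write message, so holding it grants no write authority.
    auditorCanWrite: typeof readOnly.write === "function",
    // Frozen objects: a holder cannot graft a write method onto the facet either.
    facetIsFrozen: Object.isFrozen(readOnly),
    // The writes the logger performed landed in the store its creator endowed it with.
    storeHoldsBothEntries: store.read("entry-2") === "request handled",
  };
}
```

The point of the sketch is the one Ben and MarkM are circling: once references are unforgeable and every effect is a message sent along a held reference, the "can only affect the world through what it holds" property falls out of the model rather than needing to be stated separately, and the remaining questions are about how the initial graph is wired and how new code gets its first references.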

