[cap-talk] Wikipedia: Object-capability model
benl at google.com
Sat Jan 6 11:23:00 CST 2007
On 1/5/07, Mark S. Miller <markm at cs.jhu.edu> wrote:
> Ka-Ping Yee wrote:
> > I think it's high time Wikipedia had an article entitled
> > "Object-capability model". Here's what i think should go in the
> > main definition of the term:
> > - Objects access or designate other objects through unforgeable
> > references (pointers).
> > - Computation is performed by sending messages along these
> > references to other objects.
> > - One comes to have a reference to an object via (a) creation,
> > (b) endowment, or (c) introduction.
> > Is that enough for a precise definition?
> No, but it's a great start. It probably is the right thing for a high level
> summary on the wikipedia page, given that the reader is referred elsewhere for
> a more precise statement. The one thing I would add to it, even as a summary,
> is "(d) initial conditions".
> * It doesn't account for how local naming preserves distinctions. That's why
> there's all this stuff about "index" in Section 9.1 "The Object-Capability
> Model". This logic needs to be stated to account for how (and how much) an
> object can come to know about other objects by interacting with them. Without
> this, one cannot precisely account for confused deputy issues. See for example
> previous e-lang discussions about "c-lists as sets" vs "c-lists as maps".
> * It doesn't explain how new code enters the system. My attempt to state the
> issues here precisely, in my Chapter 10, is the least clear part of my thesis,
> and the one most needing a rewrite. However, without making these points, it's
> hard to say why existing memory safe encapsulated object languages like Java
> and Smalltalk are not object-cap languages.
Lack of opacity, see my previous mail :-)
I don't think this is to do with how code enters the system (via
capabilities presumably is the answer to that!).
> * It doesn't say that an object is *only* able to (overtly) affect the world
> outside itself according to the references it holds, and is only able to be
> affected by the world outside itself according to those who hold references to it.
That is surely a consequence of the object capability model, once
fully specified. If you have to make this a basic property, then
you've left way too much unsaid!
> > (The rest of the article, which i hope you will all help me write,
> > can cite systems and papers and compare the specific meaning of
> > "object-capability" to the usage of "capability" in security theory
> > and the usage of "capability" in practice.)
> I think it's a great idea! Please do!
> Text by me above is hereby placed in the public domain
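The four ways of coming to hold a reference that the thread lists (creation, endowment, introduction, initial conditions), as an added example that is not from this thread or any ocap system, written with JavaScript closures; the names makeAuditLog, makeWorker and makeIsolatedWorker are invented. Plain JavaScript keeps ambient authority (globals, `this`, prototypes), the same reason the thread gives for Java and Smalltalk not being ocap languages, so this shows the discipline rather than an enforced guarantee.

```javascript
// Added example; every name below is hypothetical.

// Target object. Its entries are private state reachable only through the
// methods on the returned record, so the record is the only "handle" to it.
function makeAuditLog() {
  const entries = [];
  return Object.freeze({
    append(line) { entries.push(line); },
    size() { return entries.length; },
  });
}

// (b) endowment: a worker is handed `log` by its creator and can use nothing else.
function makeWorker(log, name) {
  return Object.freeze({
    report(msg) { log.append(`${name}: ${msg}`); },
    // (c) introduction: passing a reference along in a message.
    delegateTo(other) { other.receiveLog(log); },
  });
}

// A worker created without a log reference. Until someone introduces it to a
// log, it has no way to affect one: there is no global path to the entries.
function makeIsolatedWorker(name) {
  let log = null;
  return Object.freeze({
    receiveLog(l) { log = l; },
    report(msg) {
      if (log === null) return false;      // holds no reference: no effect
      log.append(`${name}: ${msg}`);
      return true;
    },
  });
}

// (d) initial conditions: this function is the one place that starts with the
// factory functions in scope; everything below flows from the references it makes.
function demo() {
  const log = makeAuditLog();              // (a) creation: sole holder is demo()
  const alice = makeWorker(log, 'alice');  // (b) endowment
  const bob = makeIsolatedWorker('bob');   // holds no reference yet
  alice.report('start');                   // alice can affect the log
  const before = bob.report('hello');      // false: bob cannot, yet
  alice.delegateTo(bob);                   // (c) introduction by message
  const after = bob.report('hello');       // true: bob now holds a reference
  return { before, after, size: log.size() };
}
```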