[cap-talk] Monash as an object-cap system or not (was: Wikipedia: Object-capability model - reference vs. capability?)

Jed Donnelley capability at webstart.com
Thu Jan 11 10:01:32 CST 2007


At 07:31 AM 1/11/2007, Toby Murray wrote:
>On Mon, 2007-01-08 at 10:37 -0800, Mark S. Miller wrote:
> > In any case, the Monash system isn't an objcap system either,
> > since for any cap and any subject, there exists some bit string
> > which, if the subject did guess it, it would be able to exercise
> > that cap. Within the rules of their system, it is only infeasible
> > to guess such a number, not impossible.
>
>I must be misunderstanding you. Surely E's captp URLs also suffer from
>the above but E is still an object-cap system. Or is it only the
>intra-vat portion of E that qualifies as adhering to the object-cap
>model?

>Apparently I should have read further in the thread. Sorry. It's only
>the non-distributed subset of E that's considered. Cool.

That's my understanding of MarkM's position.  Well stated.

As I noted, I consider this position really of only theoretical
relevance.  As is noted in some of the Monash papers, access to
systems by people initially is via password or certificate or
some other means that depends only on the infeasibility of
guessing.  That being the case, what's the 'big deal' with using
even stronger infeasible guessing for POLA access control
downstream?

For me these are engineering tradeoffs, not a qualitative
concern about functionality.  Are such engineering tradeoffs
something we want to base a relatively low level distinction
in an ABAC taxonomy on?

I know MarkM said he doesn't want to consider "object capability"
"good" and more general capability mechanisms (e.g. those which
depend on crypto) "bad", but doesn't the classification come off
that way if the distinction is that the one is 'safe' from
guessing (not really of course) and the other is 'vulnerable'
to guessing?

--Jed  http://www.webstart.com/jed-signature.html 
