[cap-talk] Wikipedia: Object-capability model - excluding distributed
Jed Donnelley
capability at webstart.com
Thu Jan 11 17:16:06 CST 2007
At 08:26 AM 1/10/2007, Karp, Alan H wrote:
>Jed wrote:
> >
> > From my perspective the criteria for being an "object-capability"
> > system should be functional, not based on some theoretical
> > grounds of being able to break an encryption scheme by
> > infeasible guessing.
> >
>There is a difference other than just infeasible guessing. An important
>feature of object capabilities is that "only connectivity begets
>connectivity". In other words, isolated subgraphs cannot become linked.
>That's not true on an open network since IP addresses are quite
>guessable. Of course, there are no isolated subgraphs thanks to Google
>and the like.
Hmmm. It seems to me that the notion of "connectivity" needs to
be qualified. I accept the qualification that in an "object-capability"
system only connectivity within the system begets connectivity
within the system. Surely you can't expect an object-capability
system on a network to block any other sort of connectivity
(e.g. direct IP connectivity) on the network? No capability system
('object' or not) can do more than to provide confinement within the limits
provided by its "invocation" mechanism. If other calls or methods
are available outside the system then, well, they're outside the system.
I wonder if we aren't narrowing in on the identification of a
capability system (e.g. an object-capability system) in terms
of the view of a subject. That is, it may be that one subject
may see a system as a capability system (e.g. a "CCS"
process in the DCCS or an active object on one vat in E)
because it only has access to the world outside its memory
space through an object invocation, but some other subject
(e.g. a network device driver or an application layer process
muxing a network) may have additional connectivity.
Let's consider an example of a process environment where
the only "system call" is an invocation of a YURL. However,
let's further suppose that only YURLs that have been signed
by the local component of the capability system (think of
a vat if you like) can be invoked and that the local component
of the capability system signs such capabilities (YURLs)
as they arrive through invocations of other signed YURLs.
Would you consider the environment seen by a process
operating under that regime an "object-capability" system?
--Jed http://www.webstart.com/jed/
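The signed-YURL regime described in the message above, modelled as an added example (my code, not Jed's and not E or any real YURL implementation): the Vat class, its registry, and the yurl:// names are constructed assumptions, and an HMAC over the URL stands in for "signed by the local component".

```python
import hmac
import hashlib
import secrets


class Vat:
    """Hypothetical local component of the capability system. A confined
    process's only 'system call' is invoke() on a YURL this vat has signed."""

    def __init__(self, registry):
        self._key = secrets.token_bytes(32)  # never exposed to confined processes
        self._registry = registry            # yurl -> target object (constructed)

    def _sign(self, yurl):
        tag = hmac.new(self._key, yurl.encode(), hashlib.sha256).hexdigest()
        return f"{yurl}#{tag}"

    def _verify(self, signed):
        yurl, _, tag = signed.rpartition("#")
        expected = hmac.new(self._key, yurl.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("YURL was not signed by this vat")
        return yurl

    def grant(self, yurl):
        """Initial endowment handed to a process by its creator."""
        return self._sign(yurl)

    def invoke(self, signed_yurl, *args):
        yurl = self._verify(signed_yurl)
        result = self._registry[yurl](*args)
        # A YURL that arrives through an invocation is signed on arrival, so a
        # process only ever gains connectivity from connectivity it already has.
        if isinstance(result, str) and result.startswith("yurl://"):
            return self._sign(result)
        return result


def build_vat():
    registry = {
        "yurl://dir": lambda: "yurl://file1",     # directory hands out a file cap
        "yurl://file1": lambda: "hello from file1",
    }
    return Vat(registry)


def confined_process(vat, endowment):
    """Reaches file1 only by invoking the directory cap it was given."""
    file_cap = vat.invoke(endowment)
    return vat.invoke(file_cap)


def guessed_yurl_is_refused(vat):
    """A correctly guessed URL without the vat's signature is not invocable."""
    try:
        vat.invoke("yurl://file1#0000")
    except PermissionError:
        return True
    return False
```

Within this model the process sees a pure object-capability system; a subject with direct network access (outside the vat) is, as the message says, outside the system.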