[cap-talk] Wikipedia: Object-capability model - excluding distributed
Mark Miller
erights at gmail.com
Thu Jan 11 17:36:24 CST 2007
On 1/11/07, Jed Donnelley <capability at webstart.com> wrote:
> Let's consider an example of a process environment where
> the only "system call" is an invocation of a YURL. However,
> let's further suppose that only YURLs that have been signed
> by the local component of the capability system (think of
> a vat if you like) can be invoked and that the local component
> of the capability system signs such capabilities (YURLs)
> as they arrive through invocations of other signed YURLs.
>
> Would you consider the environment seen by a process
> operating under that regime an "object-capability" system?
Clearly not. Take the *-property example in my Section 11.2. Let's say
that Cassie, Q, Bond, and all facets of the data diode are all on
machine A, and therefore within the scope of one "local component of
the capability system", i.e., one signing key. Q can now realize
Boebert's attack, and send a properly signed YURL to himself
steganographically through the data diode to Bond. Bond can then invoke
it to talk to Q. By contrast, the Monash system is not vulnerable to
this attack.
Note that I have never disputed the claim that the *-properties are
useless in practice. But this example demonstrates that they are a
great scalpel for distinguishing different kinds of systems. In
particular, this example demonstrates that purely cryptocap (or sparse
cap systems) like Amoeba are fundamentally weaker than Monash or
objcap systems.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
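To make the distinction in the reply concrete, here is a small model, added to this archive page and not code from the thread or from E, Monash, or Amoeba. It runs the *-property scenario twice: once in a sparse/crypto-cap system where a capability is a signed string and invoke(string) is the only system call, and once in an object-capability system where a capability is an unforgeable reference. The names Q, Bond, the "machine A" signing key, the YURL format and the DataDiode class are all constructed for the illustration.

```python
import hmac
import hashlib

# Everything here (Q, Bond, the key, the YURL format) is a constructed toy;
# it is not code from the cap-talk thread or from any real capability system.


class DataDiode:
    """One-way channel from Q to Bond that forwards only data, never references."""

    def __init__(self, sink: list):
        self._sink = sink  # Bond's inbox

    def send(self, msg) -> None:
        if not isinstance(msg, (str, bytes)):
            raise TypeError("data diode carries data only, not object references")
        self._sink.append(msg)


class CryptoCapSystem:
    """Sparse/crypto-cap model: a capability is a YURL-like string signed by
    the machine's key, and invoke(yurl) is the only 'system call'. Any holder
    of a validly signed string may invoke it."""

    def __init__(self, key: bytes):
        self._key = key
        self._objects = {}

    def _tag(self, name: str) -> str:
        return hmac.new(self._key, name.encode(), hashlib.sha256).hexdigest()

    def grant(self, name: str, target) -> str:
        self._objects[name] = target
        return f"yurl:{name}#{self._tag(name)}"  # the capability is plain data

    def invoke(self, yurl: str, *args):
        if not yurl.startswith("yurl:"):
            raise PermissionError("not a YURL")
        name, _, tag = yurl[len("yurl:"):].partition("#")
        if not hmac.compare_digest(tag, self._tag(name)):
            raise PermissionError("unsigned or foreign YURL")
        return self._objects[name](*args)


def run_cryptocap() -> list:
    """Boebert's attack in the crypto-cap model: Q smuggles a signed YURL for
    himself through the diode as data; Bond redeems it and talks back to Q."""
    machine_a = CryptoCapSystem(b"machine-A-signing-key")  # constructed key
    q_inbox: list = []
    q_yurl = machine_a.grant("Q", q_inbox.append)  # "send to Q" capability
    bond_inbox: list = []
    diode = DataDiode(bond_inbox)
    # The YURL rides inside an innocuous-looking status line (steganographically)
    diode.send(f"status: all clear {q_yurl}")
    # Bond extracts any YURL from the data he received and invokes it
    for line in bond_inbox:
        for token in line.split():
            if token.startswith("yurl:"):
                machine_a.invoke(token, "secret from Bond")
    return q_inbox  # -> ["secret from Bond"]: the diode has been bypassed


def run_objcap() -> list:
    """Same scenario in an object-capability model: the capability is an
    unforgeable reference, and no ambient call turns data into a reference."""
    q_inbox: list = []
    q_cap = q_inbox.append  # a reference, not data
    bond_inbox: list = []
    diode = DataDiode(bond_inbox)
    try:
        diode.send(q_cap)  # the diode refuses references outright
    except TypeError:
        pass
    diode.send(f"status: all clear {q_cap!r}")  # a description of q_cap is only text
    # Bond holds strings; there is no invoke(string) primitive to redeem them
    assert all(isinstance(m, str) for m in bond_inbox)
    return q_inbox  # -> []: Bond cannot reach Q


if __name__ == "__main__":
    print("crypto-cap:", run_cryptocap())
    print("objcap:    ", run_objcap())
```

The point the model makes is the one in the reply: the signing key does not help, because Q and Bond sit under the same key and the YURL is just bytes that any data-only channel will carry. In the objcap run the authority is bound to a reference that the diode cannot forward and that Bond has no way to reconstitute from text.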