[cap-talk] Selling capabilities programming

James A. Donald jamesd at echeque.com
Thu Jul 12 21:08:15 EDT 2007


Jed Donnelley has been discussing the political and
social engineering problem of getting authorities to
accept capabilities.

I doubt that anyone on this list is very good at
politics and social engineering, and I have formed the
impression that Jed Donnelley is worse than most of us.

A capability in this sense is a communicable permission
to access a computer resource, typically a very fine
grained permission, for example permission to access a
particular file in a particular way.  At the
implementation level, the permission may be implemented
as a value in a sparsely populated address space that
enables access to an event queue through a filter, and
one program with such access can give another program
access, possibly through an added filter, with
additional constraints, such as reduced time to live.
The added filter used by the second program may well be
a dynamic variable in the first program, which
disappears when it goes out of scope.  Such extremely
fine grained permissions must be managed by software,
lots of software; they are too much trouble for humans.

We want communicable permissions so that more trusted
code can issue permissions to less trusted code.  Thus,
for example, the file chooser dialog box in an editor's
file save or file open should be trusted code that
passes not merely the file name to the less trusted
editor, but also the ability to access the file, and
indeed the ability to discover that the file exists.
Thus the edit program does not need and should not have
a general ambient capability to open any file it
pleases, so cannot be a trojan horse, nor can bugs in
the edit program be exploited by a virus or worm.  With
this system one would be able to open doc files from
email in Microsoft Word, which at present one cannot do,
because bugs in Microsoft Word enable a well crafted
document to place your computer under the control of the
person crafting the doc - the bugs provoke Microsoft
Word into accessing and revising various critical files
that ordinarily it would never touch, that it never has
any legitimate reason to touch.

With this system we only have to make sure a small
number of small pieces of code are bullet proof, instead
of every line of every program on your system.

The objection to capabilities is that we have ordinary
users and their programs passing permissions around,
whereas only these wise and good superempowered *human*
administrators should issue permissions.

The trouble with having *humans* issue each and every
permission is that this means that permissions must be
broad and coarse grained - typically every program run
by a given user must have permission to read all the
files relevant to that user, and permission to change
all the files specific to that user - permission so
great, as to allow a rogue program, a trojaned program
or a program with a bug that a virus or worm may
utilize, to take total control of everything that user
has control of, and read anything that user may read, do
anything that user may do.  Your computer is apt to
become owned by someone in Russia who intends to profit
from what is yours at your expense, intends to rob you.

The objection to capabilities is that we propose to
*take* *power* *away* from a large class of people in
well paid high status government jobs, and to a lesser
extent, somewhat less well paid and not quite as high
status private jobs.  By empowering users' programs, we
empower users, by empowering users, we disempower
administrators.  We propose to have software doing what
at present privileged high status people do.

By and large, people will kill to stop this, stop their
careers being taken away from them.  In the past, when
major categories of workers were deskilled or
destatused, this resulted in extensive outbreaks of
murder, most infamously the Homestead riots.  In the
nineteenth century, American businessmen, applying
science to steelmaking, made the production of good
steel routine, instead of each batch being a reflection
of the individual artisan's skill, judgment, and art. So
they decided to hire ordinary unskilled workers, many of
them black, to do the job, and offer unskilled wages to
their former staff.  This is what Marx had in mind when
he complained that capitalism was immiserating the
proletariat. The union responded with attempted mass
murder and numerous actual murders.  Today highly
skilled workers are more dispersed, each with his own
specialty, so we no longer see thousands of heavily
armed workers backed by artillery storming heavily
fortified steel foundries with intent to slaughter black
employees. Instead it is smaller scale stuff, like
poisoning the coffee or adding your name to the
terrorist watch list.  However, despite this change to
more dispersed and less newsworthy forms of violence,
Jed Donnelley's efforts are unlikely to change the views
of this category of government employee about
capabilities programming, even if his political and
social skills were considerably better than they are.

Horton is unlikely to get this category of government
employee on side.  With Horton, instead of having
authority to give or deny people permission to do things
that they need to do, they would be discovering who had
done something bad - and reporting that to people in
higher authority - a considerable loss of power and
status - from boss to nark.
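
The capability model and the file-chooser example described in the
post above, as an added illustration in Python (this is not code from
the post, from the cap-talk list, or from any real capability system
such as Horton).  The in-memory "disk" dictionary, the names Powerbox,
FileCap and editor, and the injectable clock are assumptions made for
the example.  It shows a communicable, attenuable permission to one
file (read-only facet, shortened time to live) handed from the trusted
chooser to an untrusted editor that holds no ambient authority:

```python
"""Object-capability sketch of the trusted file chooser ("powerbox").

Added example, not code from the cap-talk post or any real capability
system.  Assumed for illustration: the in-memory "disk" dict, the names
Powerbox/FileCap/editor, and the injectable clock.  Python does not make
objects unforgeable (reflection reaches private attributes), so this
shows the pattern; a real system relies on the language or OS for that.
"""
import time
from typing import Callable, Dict, Optional


class CapabilityError(PermissionError):
    """The capability does not permit the requested operation."""


class FileCap:
    """A communicable permission to access exactly one file in one way.

    Untrusted code reaches a file only through a FileCap; no open-by-name
    call is anywhere in its reach (no ambient authority).
    """

    def __init__(self, read: Optional[Callable[[], bytes]],
                 write: Optional[Callable[[bytes], None]],
                 expires_at: Optional[float], now: Callable[[], float]):
        self._read, self._write = read, write
        self._expires_at, self._now = expires_at, now

    def _check_live(self) -> None:
        if self._expires_at is not None and self._now() >= self._expires_at:
            raise CapabilityError("capability expired")

    def read(self) -> bytes:
        self._check_live()
        if self._read is None:
            raise CapabilityError("no read permission")
        return self._read()

    def write(self, data: bytes) -> None:
        self._check_live()
        if self._write is None:
            raise CapabilityError("no write permission")
        self._write(data)

    def attenuate(self, *, read_only: bool = False,
                  ttl: Optional[float] = None) -> "FileCap":
        """Derive a weaker capability for less trusted code: write may be
        dropped and the expiry brought earlier, never later."""
        expires = self._expires_at
        if ttl is not None:
            sooner = self._now() + ttl
            expires = sooner if expires is None else min(expires, sooner)
        return FileCap(self._read, None if read_only else self._write,
                       expires, self._now)


class Powerbox:
    """The trusted file chooser: the only code holding access to the disk."""

    def __init__(self, disk: Dict[str, bytes],
                 now: Callable[[], float] = time.time):
        self._disk, self._now = disk, now

    def user_chose(self, name: str) -> FileCap:
        """Called once the *user* picked a file in the dialog.  Returns a
        capability to that one file; the caller is never handed the disk,
        so it cannot probe for or open any other file."""
        if name not in self._disk:
            raise FileNotFoundError(name)
        return FileCap(lambda: self._disk[name],
                       lambda data: self._disk.__setitem__(name, data),
                       None, self._now)


def editor(doc: FileCap) -> bytes:
    """Untrusted editor: gets a capability, not a filename, and holds no
    reference to the Powerbox or the disk."""
    doc.write(doc.read() + b"\n-- edited")
    return doc.read()


def demo() -> Dict[str, object]:
    """Run the pattern end to end on a constructed two-file disk."""
    clock = [0.0]                       # fake clock so TTL expiry is testable
    disk = {"notes.txt": b"todo", "secrets.txt": b"bank password"}
    box = Powerbox(disk, now=lambda: clock[0])
    cap = box.user_chose("notes.txt")   # the user picked notes.txt
    edited = editor(cap)                # editor works through its capability

    viewer = cap.attenuate(read_only=True)   # facet for a read-only plug-in
    try:
        viewer.write(b"overwrite")
        write_blocked = False
    except CapabilityError:
        write_blocked = True

    short = cap.attenuate(ttl=5.0)      # facet that dies after 5 seconds
    longer = short.attenuate(ttl=60.0)  # cannot stretch the lifetime back out
    live_before = short.read() == edited
    clock[0] += 10.0
    try:
        longer.read()
        expired = False
    except CapabilityError:
        expired = True

    return {"edited": edited, "write_blocked": write_blocked,
            "live_before": live_before, "expired": expired,
            "secret_untouched": disk["secrets.txt"] == b"bank password"}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that only Powerbox needs to be bullet proof:
editor can be arbitrarily buggy or trojaned and still cannot name, find
or modify secrets.txt, because nothing it holds refers to the disk.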
