[cap-talk] Selling capabilities programming - a point

Jed Donnelley capability at webstart.com
Thu Jul 19 02:17:44 EDT 2007


At 09:57 PM 7/18/2007, Jonathan S. Shapiro wrote:
>...
>
>What I have stated is that capability protection is a precondition to
>controlling authority propagation, which is in turn a precondition to
>confinement. Confinement is the only basis technology we have that lets
>us run unsafe and/or hostile programs while retaining control of our
>computers.

I just wanted to clarify one point on the above where Jonathan
and I seem to have a disagreement.  While I believe that confinement
is a huge benefit to our program execution environment (e.g.
as discussed in my previous WebCVOS message), I dispute that
confinement "is the only basis technology we have that lets
us run unsafe and/or hostile programs while retaining control of our
computers."

Perhaps this is just an issue of how much is meant by
"retaining control of our computers".

I can easily imagine something like the WebCVOS that I
described which was, sadly, without the confinement value
(that Jonathan and I agree is very valuable).  I still
assert that it could allow me a better basis to retain
control over my computer than I currently have.

In particular Microsoft's first law would no longer
apply.  If I ran a program in such an environment,
even if it had full communication access to the
Internet, it would still only be able to get
access to the objects (through ocaps) that I gave
it access to from my system (despite whatever it
might get access to from the Internet).  It could
not read my files and transmit them to some site
on the Internet, because it could not get ocap
access to my files without my permission.  If I
gave it access to some such files (e.g. my
last year's tax return through a power box) then
it could indeed send it out to anywhere it wished
on the Internet (e.g. back to the Turbotax
developers).  This is bad and this is where
Jonathan and I agree (I believe) that confinement
is of value.

However, it could not delete my files (as
Windows and Unix programs can), write over
them, etc.

I have less control than I would have with
confinement, but I still assert that I have
something that I would call 'control.'

Having said that, I'm fully on board about
getting full confinement (e.g. in the context
of something like WebCVOS) and I hope to
provide very tight limits on any weaknesses
Jonathan may find in the ocaps as 'data' model
that can be made available in such an
environment.

--Jed  http://www.webstart.com/jed-signature.html 
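The situation Jed describes (a program that holds only the ocaps it was handed through a power box, so it can transmit the file it was given but cannot touch any other file) is illustrated by the following toy model. This is an added example, not code from the cap-talk thread or from WebCVOS; the names `FileStore`, `make_read_cap`, `Outbox`, `powerbox_grant` and the sample file paths are all invented for the illustration, and Python is not a confining runtime, so the example shows the object-capability discipline (no ambient authority, attenuated capabilities) rather than confinement itself.

```python
"""Toy object-capability model (constructed illustration, not WebCVOS code).

The point from the message: a program can act only on objects it was
explicitly handed an ocap for.  Given a read capability to one file, it
can read and transmit that file, but it has no way to read, overwrite or
delete anything else, because it never receives a reference to the store.
"""


class FileStore:
    """The user's files.  Only the user's own shell holds this object;
    it is never passed to untrusted code.  Contents are constructed."""

    def __init__(self):
        self._files = {
            "/home/jed/taxes-2006.pdf": b"tax return contents",
            "/home/jed/notes.txt": b"private notes",
        }

    def read(self, path):
        return self._files[path]

    def write(self, path, data):
        self._files[path] = data

    def delete(self, path):
        del self._files[path]

    def listing(self):
        return sorted(self._files)


def make_read_cap(store, path):
    """Attenuated ocap: read access to exactly one file.  The store and
    path are closed over; the returned callable offers nothing else."""

    def read():
        return store.read(path)

    return read


class Outbox:
    """Ocap for sending bytes to the Internet; records what was sent."""

    def __init__(self):
        self.sent = []

    def send(self, host, data):
        self.sent.append((host, data))


def powerbox_grant(store, path):
    """User-mediated grant: the user picks one file in the power box and
    the program receives a read-only capability to just that file."""
    return make_read_cap(store, path)


def untrusted_tax_program(read_tax, network):
    """Stands in for a third-party program.  It holds exactly two ocaps:
    read_tax (one file, read only) and network (send).  Sending the file
    out is permitted by those ocaps; that is the leak confinement would
    stop.  Deleting or overwriting files is not expressible at all."""
    data = read_tax()
    network.send("example-tax-vendor.invalid", data)  # allowed by its ocaps
    return data


def denied_operations(cap):
    """Enumerate operations the holder of an attenuated cap cannot invoke.
    Returns the names of methods that simply do not exist on the cap."""
    denied = []
    for op in ("write", "delete", "listing"):
        if not hasattr(cap, op):
            denied.append(op)
    return denied


def ambient_authority_program(store, network):
    """Contrast: a program run under ambient authority (the Windows/Unix
    model in the message) receives the whole store and can do anything."""
    network.send("example-tax-vendor.invalid", store.read("/home/jed/notes.txt"))
    store.delete("/home/jed/notes.txt")


def run_ocap_scenario():
    """Run the ocap version and return the store and outbox for inspection."""
    store = FileStore()
    net = Outbox()
    read_tax = powerbox_grant(store, "/home/jed/taxes-2006.pdf")
    untrusted_tax_program(read_tax, net)
    return store, net


def run_ambient_scenario():
    """Run the ambient-authority version for comparison."""
    store = FileStore()
    net = Outbox()
    ambient_authority_program(store, net)
    return store, net


if __name__ == "__main__":
    ocap_store, ocap_net = run_ocap_scenario()
    print("ocap: files still present:", ocap_store.listing())
    print("ocap: sent:", ocap_net.sent)
    amb_store, amb_net = run_ambient_scenario()
    print("ambient: files still present:", amb_store.listing())
```

In the ocap run the tax return does go out (the "bad" outcome Jed concedes), but both files survive untouched because the program was never given anything that can write or delete; in the ambient run the same program shape reads and deletes a file it was never intentionally granted. The gap between the two runs is exactly the "control" the message argues an ocap environment retains even without confinement.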