[cap-talk] Capabilities and Freedom vs. Safety
Jonathan S. Shapiro
shap at eros-os.com
Sun Jul 22 18:40:41 EDT 2007
On Sun, 2007-07-22 at 17:54 +0100, David Hopwood wrote:
> Pierre THIERRY wrote:
> > And why should an uninspectable code be more malicious than one
> > inspectable? Isn't it partly because code inspection isn't effective as
> > a practical security measure that we are designing capability systems?
>
> A design goal of many capability systems is to make code inspection more
> effective (in addition to constraining uninspected code).
Pierre: inspectable code is subject to social feedback. Uninspectable
code is not.
David: can you expand on what you mean by that? I agree that POLA
designs tend to be more inspectable simply because the components are of
manageable size, but I would not have categorized this as a goal of
capability designs. Lots of people have advocated small components for
decades. Heck, my C++ book has quotes from the 1960 NATO Conference on
Software Engineering advocating this, and it wasn't a new idea then.
shap