[cap-talk] Selling capabilities programming
Jonathan S. Shapiro
shap at eros-os.com
Sun Jul 22 20:45:45 EDT 2007
On Mon, 2007-07-23 at 00:23 +0100, David Hopwood wrote:
> It is highly desirable for new capability systems to be designed to
> provide protected rather than unprotected capabilities (when confinement
> is at all possible), to the extent that I would consider not doing so
> to be a design error.
I strongly agree -- except that I would omit the confinement qualifier.
The empirical evidence of my dissertation has subsequently been
validated independently in several other works. There is no marginal
cost to protecting descriptors, and several advantages to doing so.

Setting aside confinement entirely, there are significant caching
benefits that arise from protecting descriptors. The mere fact that they
must be invoked through a validating interface offers opportunities to
improve their performance.

Independent of that, protection of capabilities promotes a change in the
developer's view of system structure that I believe (without concrete
evidence) improves robustness.