[cap-talk] Selling capabilities programming

Pierre THIERRY nowhere.man at levallois.eu.org
Tue Jul 24 22:01:22 EDT 2007


James A. Donald wrote on 25/07/2007 at 11:31:
>>> My original claim was that capabilities *may* be [usefully]
>>> represented by a sparsely populated address space
>> [...]
> This claim has been denied with such passion and persistence as to
> persuade me that any attempt at rational discussion is pointless.

>> You were told why it is undesirable to implement unprotected
>> capabilities in new systems.
> Which is the claim you just said no one was making.

Clearly you're mixing two things: no one denied that capabilities can be
usefully implemented as secrets, because there is a strong historical
trail of such implementations. Amoeba is one of the latest, if I'm not
mistaken.

On the other hand, people claimed (and may have proved formally, I
didn't read the papers on that myself yet) that such an implementation
prevents confinement altogether.

And as confinement has been shown to be quite fundamental in being able
to verify some security properties of a system, people then go on to
claim it would be unwise to implement any new capability system with
secrets.

That's all.

- that's possible
- it has been made
- that prevents confinement
- don't do it again

You claimed "that's possible", so there's agreement on that point,
obviously.

> If two programs are permitted to communicate, the security properties
> are the same as if they can transfer capabilities unobserved and
> undetectably.

In a system with protected capabilities as in the SW model, hasn't the
contrary been *formally* proved?

> Therefore, "protecting" capabilities is of limited value, and that
> value must be compared with the implementation costs of "protection",
> which in the networked case can well be substantial.

What is the cost, BTW?

Curiously,
Pierre
-- 
nowhere.man at levallois.eu.org
OpenPGP 0xD9D50D8A
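[Editor's addition, not part of the message above.] The distinction the poster draws between capabilities implemented as secrets (Amoeba-style tokens in a sparse address space) and kernel-protected capabilities, and why only the latter admits a confinement check, can be made concrete with a small model. The code below is a constructed illustration written for this page; it is not code from Amoeba, EROS, KeyKOS or any participant in the thread. The class names, the `SECRET` string, the process names "A" and "B" and the `deny_from_a` policy are all assumptions made for the example.

```python
"""Toy contrast: capabilities as unguessable secrets versus capabilities held
in kernel c-lists. Constructed example for illustration only."""
import secrets

SECRET = "payroll.csv contents"   # constructed sample object protected by a cap


# ---- Model 1: capabilities as secrets (sparse address space) --------------
class SecretCapKernel:
    """A capability is a 128-bit random token. Holding the bits is holding the
    authority, so any channel that carries bits carries capabilities."""

    def __init__(self):
        self._objects = {}            # token -> object

    def create(self, obj):
        token = secrets.token_bytes(16)   # unguessable, hence 'sparse'
        self._objects[token] = obj
        return token

    def invoke(self, token):
        if token not in self._objects:
            raise PermissionError("no such capability")
        return self._objects[token]


def demo_secret_caps():
    """Confined program A may exchange only *data* with B. Returns True if B
    nevertheless ends up able to read SECRET (i.e. confinement failed)."""
    k = SecretCapKernel()
    cap_a = k.create(SECRET)          # A is given the only capability
    data_channel = cap_a              # A writes its token onto the data channel
    # B reads the bytes and invokes them. The kernel saw no transfer at all:
    # this invocation is indistinguishable from A's own use of the token.
    return k.invoke(data_channel) == SECRET


# ---- Model 2: kernel-protected capabilities (c-lists) ---------------------
class ProtectedCapKernel:
    """Processes name capabilities by index into a kernel-held c-list. The only
    way a capability moves is send_cap(), which the kernel observes and can
    refuse. send_data() moves bytes, and bytes are not c-list entries."""

    def __init__(self):
        self._objects = []            # object id -> object
        self._clists = {}             # pid -> list of object ids
        self._inboxes = {}            # pid -> received byte payloads
        self.transfer_log = []        # every cap transfer is recorded here

    def spawn(self, pid):
        self._clists[pid] = []
        self._inboxes[pid] = []

    def create(self, pid, obj):
        self._objects.append(obj)
        self._clists[pid].append(len(self._objects) - 1)
        return len(self._clists[pid]) - 1          # slot in pid's c-list

    def invoke(self, pid, slot):
        try:
            oid = self._clists[pid][slot]
        except IndexError:
            raise PermissionError(f"{pid} holds no capability at slot {slot}")
        return self._objects[oid]

    def send_data(self, src, dst, payload):
        self._inboxes[dst].append(bytes(payload))  # bytes only, never authority

    def receive_data(self, pid):
        return self._inboxes[pid].pop(0)

    def send_cap(self, src, slot, dst, policy):
        oid = self._clists[src][slot]
        if not policy(src, dst, oid):
            raise PermissionError("transfer refused by confinement policy")
        self.transfer_log.append((src, dst, oid))
        self._clists[dst].append(oid)
        return len(self._clists[dst]) - 1

    def holds_only(self, pid, allowed_oids):
        """The static confinement check: does pid hold authority to nothing
        outside the allowed set? Only answerable when caps are kernel-held."""
        return all(oid in allowed_oids for oid in self._clists[pid])


def demo_protected_caps():
    """Same scenario as demo_secret_caps(). Returns True if A's attempt to hand
    its capability to B is blocked AND the bytes A leaks convey no authority."""
    k = ProtectedCapKernel()
    k.spawn("A")
    k.spawn("B")
    slot = k.create("A", SECRET)
    deny_from_a = lambda src, dst, oid: src != "A"   # A is confined

    try:                               # 1. the mediated path is observed/refused
        k.send_cap("A", slot, "B", deny_from_a)
        cap_transfer_blocked = False
    except PermissionError:
        cap_transfer_blocked = True

    k.send_data("A", "B", slot.to_bytes(4, "big"))  # 2. A leaks its slot number
    received = int.from_bytes(k.receive_data("B"), "big")
    try:                               # B cannot turn bytes into a c-list entry
        k.invoke("B", received)
        bytes_conveyed_authority = True
    except PermissionError:
        bytes_conveyed_authority = False

    return cap_transfer_blocked and not bytes_conveyed_authority and k.holds_only("B", set())
```

The point of the two `demo_` functions is the asymmetry they expose: in the secret model the data channel and the capability channel are the same channel, so a policy of the form "A may talk to B but may not give B authority" is unenforceable and unobservable; in the c-list model the kernel sees every transfer in `transfer_log`, can refuse it, and `holds_only()` can be evaluated over a process's c-list, which is the sort of property a confinement proof needs.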