[cap-talk] Capabilities and Freedom vs. Safety
James A. Donald
jamesd at echeque.com
Wed Jul 25 06:53:07 EDT 2007
Stiegler, Marc D wrote:
> So one could build a system in which the single
> monolithic program, every time it requested the chance
> to use the download channel, would lose its authority
> to read the music area (still being granted an
> append-only authority, so it could add the new song)
> and would forget everything it ever knew. When it
> closed the download connection the read authority
> would be re-granted.
That would work.
Bifrost has a rule that if a program gets extensive read
authority, (in Bifrost's equivalent of ACLs) it cannot
have internet access at all.
This could be elaborated to a rule that if a program
instance has ever exercised extensive read authority, it
must forget everything before accessing the internet,
and cannot exercise extensive read authority again until
it is done accessing the internet - thereby guaranteeing
that information will only flow from the internet to the
local system, and not the other way around.
More information about the cap-talk