[cap-talk] Selling capabilities programming
James A. Donald
jamesd at echeque.com
Wed Jul 25 07:21:28 EDT 2007
Pierre THIERRY wrote:
> On the other hand, people claimed (and may have proved
> formally, I didn't read the papers on that myself
> yet) that such an implementation prevents confinement
"confinement" being tautologically defined to make that
trivially true by definition.
> And as confinement has been shown to be quite
> fundamental in being able to verify some security
> properties of a system,
The security properties of programs are not changed by
whether they are "confined" in this sense.
A typical argument that it does have an effect on the
security properties starts with such suppositions as
"capabilities as data could be compiled into the program
image". Well yes they could, and diplomatic codes could
be chiselled in stone and used as bricks in embassies.
If you have durable communicable permissions, then
indeed it is true that you have a problem, but
"confinement" does not make it any less of a problem,
unless "confinement" is used to make them non-communicable
- no longer capabilities but ACLs.
And sure, if you use ACLs, *then* it makes a difference
to the security properties of the system - but you don't
need confinement to use ACLs - you merely need
confinement to make capabilities into ACLs.