[cap-talk] Capabilities and Freedom vs. Safety
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jul 26 09:01:44 EDT 2007
On Thu, 2007-07-26 at 00:09 -0400, Jonathan S. Shapiro wrote:
> Another way to look at this is that the safety property serves as a
> litmus test. In a system that satisfies the safety property, it is
> possible to know that some sensitive right is only accessible to some
> particular (set of) programs. As a design matter, this allows you to
> focus your attention on those programs when trying to manage that
> sensitive access right.
By "right" I presume you mean "permission". If so, could we adopt that
terminology? If you mean something else, could you please clarify?
None of this helps when we move from considering permission to authority,
however. The best work on the safety problem (such as Fred Spiessens'
SCOLL) fails to adequately reason about authority.
>
> Conversely, the proof shows that in all of the commodity systems in
> current deployment, no such focus of attention is possible. It is silly
> to worry about whether the behavior of some particular program w.r.t.
> some right 'r' is sensible when *every* program is in a position to
> abuse that right.
Could you elaborate on how the proof (by which I presume you mean HRU,
but again if I've assumed wrong or lost the thread then please correct
me) shows this? Current commodity systems certainly are more restrictive
than those covered by the general HRU undecidability result.