[cap-talk] Selling capabilities programming
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Thu Jul 26 09:43:57 EDT 2007
At Wed, 25 Jul 2007 23:50:59 -0400,
"Jonathan S. Shapiro" <shap at eros-os.com> wrote:
> This aside, I think there is a hidden flaw in the "capabilities die with
> their process" meme. Back when systems had an MTBF of hours or days this
> might have been a useful source of protection. Today, we see user
> sessions that run for months at a time. Given this, it does not seem
> obvious that the temporal scope of a process provides a useful basis for
> protection.
I think that could be a misunderstanding. As long as the process runs
and holds on to its handles, it has authority anyway and can proxy.
Ignoring covert channel bandwidth, you are at the mercy of the
confined program in that case anyway, for that time. The discussion,
as far as I understood it (which may be wrong), was about capabilities
as data leaked by a confined process to external processes, which can
use these capabilities even when the confined process is destroyed.
Only after the destruction of said process does it become interesting
if other parties hold copies of the capability or not (again, ignoring
covert channel bandwidth and assuming that proxying is feasible).
I am not saying that these assumptions need to apply to your use case.
But I think they are assumptions made by James. If not, please
correct me.
The term transient then has causal aspects which dominate the temporal
aspects.
Thanks,
Marcus
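To make the distinction in the message above concrete, here is a small added model (not code from the cap-talk thread or any capability OS; the kernel, pids and "secret-file" resource are constructed) contrasting a capability that dies with its holder against one that survives as leaked data:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    resource: str
    holder_pid: int    # process whose lifetime bounds a transient capability
    transient: bool    # True: invalid once holder_pid is destroyed


class Kernel:
    """Toy kernel: tracks live processes and validates capability invocations."""

    def __init__(self):
        self.live = set()
        self.next_pid = 1

    def spawn(self):
        pid = self.next_pid
        self.next_pid += 1
        self.live.add(pid)
        return pid

    def destroy(self, pid):
        self.live.discard(pid)

    def grant(self, pid, resource, transient):
        return Capability(resource, pid, transient)

    def invoke(self, cap):
        """Return the resource, or None if the capability is no longer valid."""
        if cap.transient and cap.holder_pid not in self.live:
            return None
        return cap.resource


def scenario(transient):
    """Confined process leaks its capability as data, then is destroyed.

    Returns (access while confined runs, access after it is destroyed)."""
    k = Kernel()
    confined = k.spawn()
    cap = k.grant(confined, "secret-file", transient)
    # While confined runs, any outsider can simply ask it to proxy the access.
    while_running = k.invoke(cap) is not None
    leaked_copy = cap                     # capability leaked as plain data
    k.destroy(confined)
    # Only now does it matter whether the leaked copy still works.
    return while_running, k.invoke(leaked_copy)
```

Running `scenario(True)` gives `(True, None)`: proxying works during the process's lifetime either way, and only the transient variant closes the door afterwards.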