[cap-talk] Capabilities and Freedom vs. Safety
James A. Donald
jamesd at echeque.com
Sun Jul 29 21:47:41 EDT 2007
David Hopwood wrote:
> [Code that makes capabilities effectively ambient] is
> expressible in most of them (just put all the
> application code in a nested scope in which the
> declaration of theApp is visible). But that's beside
> the point: no-one is claiming that all
> application designs that can be expressed in obj-cap
> languages are equally secure.
Obviously, an obj-cap language *allows* one to express a
secure application design, which is undoubtedly a very
good thing. I was casting doubt on the likelihood that
people would in fact adhere to such designs.
The projects created by Microsoft's project wizard
massively violate the principle of data locality, so
their security would be unlikely to benefit from object
capability language. On the other hand, TBB and STL are
pretty good with data locality.
Problem is, data locality helps one construct a program
that passes testing, so programmers have an incentive to
apply it. Object capability code helps one construct a
program that passes security review - and there rarely
is any security review, and when there is, it is usually
too late, so programmers have little incentive to use an
object capability language, and less incentive to use it
in the intended manner.
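The two designs David Hopwood contrasts above, written out as an added example in plain JavaScript (closures as capabilities); this is not code from the thread, and makeFileStore, theApp, makeAppendOnly and makeLogger are hypothetical names.

```javascript
// Added example, not from the cap-talk thread; all names are hypothetical.
// A capability: holding the reference is what grants the authority.
function makeFileStore() {
  const files = new Map();
  return {
    write: (name, data) => { files.set(name, data); },
    read: (name) => files.get(name),
    remove: (name) => files.delete(name),
  };
}

// Design 1: theApp is declared in an enclosing scope, so everything nested
// inside can reach the whole file store. The capability is effectively
// ambient: the logger only needs to append, yet it can remove files too.
function ambientDesign() {
  const theApp = { files: makeFileStore() };
  theApp.files.write('config', 'secret=1');
  const logger = {
    log: (msg) => theApp.files.write('log', msg),
    // A buggy or compromised logger can do this; nothing prevents it.
    misbehave: () => theApp.files.remove('config'),
  };
  logger.log('started');
  logger.misbehave();
  return theApp.files.read('config'); // undefined: the config is gone
}

// Design 2: the logger is handed only an append-only facet. No reference
// to the full store exists in its scope, so there is no path to remove().
function makeAppendOnly(store, name) {
  return {
    append: (msg) => store.write(name, (store.read(name) || '') + msg + '\n'),
  };
}

function makeLogger(sink) {
  return {
    log: (msg) => sink.append(msg),
    // The only authority reachable from here is `sink`, which cannot remove.
    canRemove: () => typeof sink.remove === 'function',
  };
}

function capabilityDesign() {
  const files = makeFileStore();
  files.write('config', 'secret=1');
  const logger = makeLogger(makeAppendOnly(files, 'log'));
  logger.log('started');
  return { config: files.read('config'), loggerCanRemove: logger.canRemove() };
}
```

Both designs are legal in the same language; only the second one makes the logger's authority match what it needs, which is the distinction the quoted reply draws.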