[cap-talk] What *is* a powerbox?
daw at cs.berkeley.edu
Mon Jul 30 19:06:12 EDT 2007
Jonathan Shapiro writes:
>A powerbox is a process that holds, or can obtain, capabilities that are
>potentially sensitive (the "guarded capabilities"). One or more
>applications have access to the powerbox via capabilities, and are able
>to request [copies of] these guarded capabilities. The powerbox
>implements a decision procedure by which it will decide whether or not
>to transfer the requested capabilities to the application, and if so,
>whether it will grant them in full-strength or reduced form, and whether
>it will introduce a membrane protocol around the transferred
>The decision procedure implemented by the powerbox may be stateful (i.e.
>its behavior for current requests may depend on past requests), and it
>may incorporate interaction with the user. Neither of these is a
>A conventional, rule-based firewall that allows
>or refuses connection based on a table of rules may be viewed as a kind
To me, the rule-based firewall seems a somewhat different sort of beast.
Let me see if I can flesh out why I have that instinctive reaction, and
see whether there is anything to my instinctive reaction or not.
Assume we want to protect access to a resource R. Let me distinguish
two ways we might implement this.
Initially, Pow has a capability to R and Alice has a capability to Pow.
When Alice wants to access R, she contacts Pow and engages in some protocol
to request a capability to R. Pow decides whether Alice is entitled (e.g.,
by asking a human) and then possibly returns a capability to R to Alice.
Once Alice receives the capability she can use it freely without any
further involvement from Pow. Pictorially:
R <--- Alice <---> Pow
Initially, Mon has a capability to R and Alice has a capability to R.
When Alice wants to access R, she contacts Mon and asks R to perform the
action. Mon decides whether that action is permissible and if so performs
it directly upon R. Alice never gains an unmediated capability directly
to R; all of Alice's intereactions with R are mediated by Mon.
Alice ---> Mon ---> R
The classic type of powerbox falls into Scenario #1. A rule-based
firewall seems to fit more into Scenario #2. I'm tempted to say that
Scenario #1 uses a powerbox while Scenario #2 uses a reference monitor
(hence the choices of the names Pow and Mon). To be more precise, I'm
tempted to say that Pow is a powerbox but is not reference monitor;
and that Mon is a reference monitor but not a powerbox.
Would you agree with this? Is this kind of distinction at all useful?
P.S. I am, for the moment, ignoring the case where the powerbox
returns a capability wrapped in a membrane; to simplify matters, I am
for the moment focusing only on powerboxes that either return a
capability or don't.
More information about the cap-talk