[cap-talk] Stack walking is capability access control?

David Wagner daw at cs.berkeley.edu
Tue May 15 20:36:58 EDT 2007


David Hopwood wrote (among other things):
>  - the Java model allows global access to authority-granting objects
>    (e.g. new File(pathname)), so it cannot implement confinement, and
>    the requirement to possess a reference to an object in order to invoke
>    it is not sufficient as a security measure.

Geoffrey Alan Washburn <geoffw at cis.upenn.edu> writes:
> I cannot really address what you've said without knowing which set of
> definitions you are working from.  You seem to be assuming a rather
> complicated notion of capabilities.

See Mark Miller's PhD thesis for definitions.  They seem to be more
or less the consensus definitions of the terms as they are used on this
list (at least for purposes of this discussion).

David Hopwood nailed it.  If the programmer can write, for instance,
    new File("foo").delete();
and cause the file "foo" to be deleted, then the language has ambient
authority and thus is not a capability system.

Geoffrey Alan Washburn <geoffw at cis.upenn.edu> writes:
>For my purposes, I am defining a 
>capability as a "token" that can be used to perform some action.  Given 
>that, "plain vanilla" stack inspection can be abstractly seen as 
>capability based access control.  Why?  Because every program written 
>against a stack inspection model can be transformed, for example by a 
>continuation passing transformation, into one where a capability is 
>passed from function to function during invocation.

It may well be true that every Java program can be translated into
one that is written in capability style, but that doesn't make Java
a capability system.  For instance, you can always translate a program
written in ambient authority style into one that doesn't have any
ambient authority by passing along the authority as an argument to every
function call, just like you can translate a program with global
variables into one that doesn't have any global variables by passing
along a reference to that variable as an argument to every function call.  
Nonetheless, there is still an articulable difference between a language
that does have global variables vs one that does not, and there is still
a discernible difference between a programming system that has ambient
authority and one that does not.

For instance, if I create a new object and don't pass it any capabilities,
then in a capability system that new object would have no way to delete
a file on the filesystem (by itself).  But Java does allow objects to do
that, even if they haven't been passed anything at all.  Consequently,
Java is not a capability system.
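The contrast in the paragraph above, as an added example that is not code from the original post: Python's `os.remove` is ambient authority in the same way as Java's `new File("foo").delete()`, so the same "object handed nothing" test can be run here. The `AmbientCleaner`, `DirectoryCap` and `CapCleaner` classes and the scratch file are constructed for illustration.

```python
import os
import tempfile

class AmbientCleaner:
    # Ambient authority: created with nothing, yet deletes any file it names,
    # as new File("foo").delete() does in Java.
    def delete(self, path):
        os.remove(path)  # authority reached through the global namespace

class DirectoryCap:
    # A capability designating one directory: holding a reference to it is
    # the authority to delete files inside it, and nothing else.
    def __init__(self, root):
        self._root = os.path.realpath(root)
    def delete(self, name):
        target = os.path.realpath(os.path.join(self._root, name))
        if os.path.dirname(target) != self._root:  # "../x" must not escape
            raise PermissionError(f"{name!r} is outside this capability")
        os.remove(target)

class CapCleaner:
    # Capability style: deletes only through a DirectoryCap it was given;
    # an instance handed nothing has no way to reach any file.
    def __init__(self, cap=None):
        self._cap = cap
    def delete(self, name):
        if self._cap is None:
            raise PermissionError("no capability was passed to this object")
        self._cap.delete(name)

def refused(action):
    try:
        action()
        return False
    except PermissionError:
        return True

def run_demo():
    # Exercise both designs on a scratch file; report what each could do.
    with tempfile.TemporaryDirectory() as d:
        foo = os.path.join(d, "foo")
        open(foo, "w").close()
        AmbientCleaner().delete(foo)  # passed nothing, file gone anyway
        ambient_deleted = not os.path.exists(foo)
        open(foo, "w").close()
        no_cap_refused = refused(lambda: CapCleaner().delete("foo"))
        escape_refused = refused(lambda: CapCleaner(DirectoryCap(d)).delete("../foo"))
        CapCleaner(DirectoryCap(d)).delete("foo")  # holding the cap: allowed
        cap_deleted = not os.path.exists(foo)
    return ambient_deleted, no_cap_refused, escape_refused, cap_deleted
```

`run_demo()` returns `(True, True, True, True)`: the ambient object deletes with nothing passed, the capability-style object cannot, a passed capability reaches only its own directory, and deletion succeeds once that capability is held.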


More information about the cap-talk mailing list