[cap-talk] Stack walking is capability access control?

Bill Frantz frantz at pwpconsult.com
Tue May 15 21:01:34 EDT 2007


daw at cs.berkeley.edu (David Wagner) on Tuesday, May 15, 2007 wrote:

>Geoffrey Alan Washburn <geoffw at cis.upenn.edu> writes:
>>For my purposes, I am defining a 
>>capability as a "token" that can be used to perform some action.  Given 
>>that, "plain vanilla" stack inspection can be abstractly seen as 
>>capability based access control.  Why?  Because every program written 
>>against a stack inspection model can be transformed, for example by a 
>>continuation passing transformation, into one where a capability is 
>>passed from function to function during invocation.
>
>It may well be true that every Java program can be translated into
>one that is written in capability style, but that doesn't make Java
>a capability system.  For instance, you can always translate a program
>written in ambient authority style into one that doesn't have any
>ambient authority by passing along the authority as an argument to every
>function call, just like you can translate a program with global
>variables into one that doesn't have any global variables by passing
>along a reference to that variable as an argument to every function call.  
>Nonetheless, there is still an articulable difference between a language
>that does have global variables vs one that does not, and there is still
>a discernible difference between a programming system that has ambient
>authority and one that does not.

I think I would be a bit stronger than David was.  Security is not about
what you can do, but what you (provably) can't do.  Sure, you can convert
a program that uses stack introspection into one that doesn't by using
continuation passing, but with a capability secure system you don't have
to.  (And, IMHO, generally don't want to.)  If you don't, you have
limited the authority of the programs you call, a security decision.

As David said, you can take a program with global variables and
transform it to a program without global variables by passing a
reference to those variables to every function call, but without global
variables, you have a choice.  In Java, you don't have a choice.  File
is a globally accessible class which confers authority over the file
system.  There is no way, short of verifying every program, to take that
away.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
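The distinction Bill and David are drawing, modelled as an added example in Python (not code from the thread or from any project it mentions). The in-memory `FILESYSTEM` dict stands in for a globally reachable class such as `java.io.File`; `ReadCap`, `root_cap`, `attenuate` and the two `plugin_*` functions are constructed names for this illustration. The same untrusted plugin is called twice: once in ambient-authority style, where the host can hand it a path but cannot stop it from naming any other file, and once in capability style, where the host's choice of which capability to pass is the security decision.

```python
"""Ambient authority vs. passed capabilities (constructed example)."""
from __future__ import annotations
from typing import Callable

# Constructed in-memory "file system". It plays the role of the globally
# accessible java.io.File class from the thread: any code in the process can
# reach it by name, so holding a reference confers no distinct authority.
FILESYSTEM: dict[str, str] = {
    "/app/config.ini": "mode=production",
    "/etc/secrets/db_password": "hunter2",   # constructed sample secret
}


# --- Ambient-authority style -------------------------------------------------
def ambient_open(path: str) -> str:
    """Reachable from anywhere; the path string alone is enough to read."""
    return FILESYSTEM[path]


def plugin_ambient(config_path: str) -> tuple[str, str]:
    """An untrusted plugin handed a path (data), not authority.
    The caller has no way to keep it from also opening an unrelated file."""
    config = ambient_open(config_path)
    leaked = ambient_open("/etc/secrets/db_password")   # host cannot prevent this
    return config, leaked


# --- Capability style --------------------------------------------------------
class ReadCap:
    """A read capability over a path prefix. Reads go only through an instance
    the caller chose to pass; there is no global name that yields one."""

    def __init__(self, prefix: str, source: Callable[[str], str]) -> None:
        self._prefix = prefix
        self._source = source

    def read(self, path: str) -> str:
        if not path.startswith(self._prefix):
            raise PermissionError(f"{path!r} is outside granted prefix {self._prefix!r}")
        return self._source(path)

    def attenuate(self, sub_prefix: str) -> ReadCap:
        """Derive a weaker capability; authority can only shrink down a call chain."""
        if not sub_prefix.startswith(self._prefix):
            raise ValueError("attenuation must narrow the prefix, never widen it")
        return ReadCap(sub_prefix, self._source)


def root_cap() -> ReadCap:
    """The single place that mints full authority (think of it as main())."""
    return ReadCap("/", FILESYSTEM.__getitem__)


def plugin_capability(cap: ReadCap, config_path: str) -> tuple[str, str | None]:
    """The same plugin, but it can read only through the capability it was given."""
    config = cap.read(config_path)
    try:
        leaked: str | None = cap.read("/etc/secrets/db_password")
    except PermissionError:
        leaked = None          # the host's attenuation held
    return config, leaked


def run_plugins() -> dict[str, tuple[str, str | None]]:
    """Invoke both plugins as a host would and report what each one reached."""
    app_cap = root_cap().attenuate("/app/")   # the host's security decision
    return {
        "ambient": plugin_ambient("/app/config.ini"),
        "capability": plugin_capability(app_cap, "/app/config.ini"),
    }


if __name__ == "__main__":
    for style, (config, leaked) in run_plugins().items():
        print(f"{style:10s} config={config!r} secret_leaked={leaked!r}")
```

Running it shows the ambient plugin reaching the secret while the capability plugin gets `None`. The caveat is exactly the one the post makes about Java: Python is itself an ambient-authority language (the `open` builtin and the module global `FILESYSTEM` remain reachable by name), so `plugin_capability` is only confined by convention, and nothing short of verifying its source guarantees it does not bypass the capability. In a capability-secure language the attenuated `ReadCap` would be the plugin's only route to the file system, and the host's choice to pass it would be an enforced limit rather than a polite request.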


