[cap-talk] Stack walking is capability access control?

Jonathan S. Shapiro shap at eros-os.com
Tue May 15 22:31:19 EDT 2007


On Tue, 2007-05-15 at 18:23 -0700, David Wagner wrote:
> David Wagner wrote:
> > It may well be true that every Java program can be translated into
> > one that is written in capability style, but that doesn't make Java
> > a capability system.
> 
> Geoffrey Alan Washburn <geoffw at cis.upenn.edu>
> > I never claimed it was equivalent to a capability system.  I only was 
> > claiming that it can be treated as an instance of a capability system. 
> > The text in my proposal, as quoted by Sandro, does unfortunately not 
> > clearly articulate this distinction.


Geoffrey:

David is correct. The term "capability" is an established term of art in
the field, and it does not make sense in either of the ways that you
have proposed to use it. Sandro Magi is correct: stack traversal is an
implicit subject-based security check. A capability system is not, by
definition, identity- or subject-based in any respect.

The work you want to cite for the allegation that Java stack
introspection is a form of capability system is: Li Gong, "A Secure
Identity-Based Capability System", IEEE Symposium on Security and
Privacy, 1989. The language standard is a relatively innocent
bystander.

Concerning Gong's paper, it has been demonstrated in subsequent
publications that the scheme is neither secure nor a capability system.
Based on earlier analyses of subject-based security systems and complete
misuse of the term "capability", the title should have led to *much*
stronger scrutiny from the Oakland committee. The scheme *is* identity
based, and one out of three was evidently good enough for Oakland that
year.

You have a locally available resource who has a very solid handle on
capability-based architecture and design. Last I checked, JMS could be
found (when on campus) in 604 Levine.

Since I have now gone public on this (I had planned to take it up with
you and Stephanie privately), let me be clear why I am sticking my nose
in on this. Your dissertation proposal puts forward an interesting
effort. I would prefer not to see your work weakened by this comparative
framing. In particular, it would be a shame to see your work undermined
by the claim that it reduces to complete nonsense.

Jonathan
-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
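The distinction Shapiro draws above, stack traversal as an implicit subject-based check versus a capability as authority carried by an unforgeable reference, is sketched below in Python as an added illustration. This is not code from the post, nor a model of Java's actual AccessController; the `_principal` frame tags, the module names `trusted_lib` and `untrusted_plugin`, the `TRUSTED_MODULES` policy and the `SecretReader` class are all constructed stand-ins for protection domains and for a capability object.

```python
"""Stack inspection (subject-based) versus capability (possession-based).

Added illustration for the cap-talk thread; not part of the original post.
Each function tags its own frame with a local `_principal`, a hypothetical
stand-in for the code identity (protection domain) that a stack walk keys on.
"""
import inspect

SECRET = "constructed sample secret"            # constructed, not a real value
TRUSTED_MODULES = {"trusted_lib"}               # hypothetical identity policy


class AccessDenied(Exception):
    """Raised by the stack-inspection model when an untrusted principal is present."""


# --- Model 1: stack inspection (identity-/subject-based) -------------------

def principals_on_stack():
    """Walk every caller frame and collect the `_principal` tag each declares.

    Frames without a tag (the interpreter, a test harness) are ignored, just as a
    real stack walk ignores frames that carry no protection domain of interest.
    """
    frame = inspect.currentframe().f_back       # skip this helper's own frame
    found = []
    while frame is not None:
        principal = frame.f_locals.get("_principal")
        if principal is not None:
            found.append(principal)
        frame = frame.f_back
    return found


def read_secret_stack_checked():
    """Subject-based decision: the answer depends on *who* is on the stack.

    Every tagged frame must belong to a trusted identity; one untrusted caller
    anywhere below a trusted one is enough to deny the request.
    """
    principals = principals_on_stack()
    if not principals or any(p not in TRUSTED_MODULES for p in principals):
        raise AccessDenied(f"untrusted principal on stack: {principals}")
    return SECRET


def trusted_read():
    _principal = "trusted_lib"                  # hypothetical trusted identity
    return read_secret_stack_checked()


def untrusted_read():
    _principal = "untrusted_plugin"             # hypothetical untrusted identity
    return read_secret_stack_checked()


def untrusted_via_trusted():
    """Untrusted code calling trusted code: trusted_lib is on the stack, but so is
    untrusted_plugin underneath it, so the stack walk still denies."""
    _principal = "untrusted_plugin"
    return trusted_read()


def attempt(fn):
    """Run a stack-checked read and report the outcome as a string."""
    try:
        fn()
        return "granted"
    except AccessDenied:
        return "denied"


# --- Model 2: capability (possession-based, no identity anywhere) -----------

class SecretReader:
    """Holding a reference to this object *is* the authority to read.

    No caller identity is consulted; the object cannot be forged from outside
    this module because the secret is only ever placed here by its creator.
    """
    __slots__ = ("_secret",)

    def __init__(self, secret):
        self._secret = secret

    def read(self):
        return self._secret


def untrusted_with_cap(cap):
    """The same 'untrusted' identity succeeds: authority travelled with `cap`,
    not with the principal tag on the stack."""
    _principal = "untrusted_plugin"
    return cap.read()


if __name__ == "__main__":
    print("trusted_read:          ", attempt(trusted_read))
    print("untrusted_read:        ", attempt(untrusted_read))
    print("untrusted_via_trusted: ", attempt(untrusted_via_trusted))
    print("untrusted_with_cap:    ", untrusted_with_cap(SecretReader(SECRET)))
```

The first model has to ask "which identities are on the stack?" before every grant, which is exactly the subject-based check the post describes; the second never asks, because the reference itself is the whole of the authority.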
