[cap-talk] request for comments on capability design

Peter Amstutz tetron at interreality.org
Thu May 17 15:40:03 EDT 2007


On Thu, May 17, 2007 at 05:10:46PM -0000, Stiegler, Marc D wrote:

> I presume that, since you're using C++, you are only interested in
> security between machines, not within a machine.

I am interested in security within the machine, but primarily in the 
context of scripts running in a virtual machine hosted within the main 
application process.  The choice of C++ is motivated by several factors: 
a) the ability to leverage a large body of existing libraries, b) that 
we may want to plug in our own library to other applications which are 
by and large C or C++ based, and c) that C functions are the de facto 
common foreign function interface for most languages so having a 
"kernel" written in C++ with a lightweight C API seems like the most 
flexible solution for cross-language support.

> I do not know how expensive it would be to build a capability-secure
> networking stack in C++, but my fear is that the cost would be
> substantial. If you do decide to do this, you might want to think about
> making it compatible with the waterken protocol, which may be less
> expensive anyway since you should be able to find good building block
> libraries for it.

I'm planning on looking into the waterken protocol as soon as I get a 
chance.

I've already built a distributed object network stack a couple of times 
so I have a pretty good idea of how much work is involved.  From what 
I've seen so far, in terms of the primitives required by the system I 
don't think capability security is significantly more or less work than 
other access control schemes.

> If you could switch to Java, there are 2 object-capability protocols
> that fall into your hands very cheaply: the waterken protocol (if it
> makes sense to build on a web server, namely, the waterken web server),
> and the E protocol using the Elib library package (if the waterken
> protocol doesn't make sense).

For the reasons outlined above I've been forced to rule out Java, 
although I did consider it at one point.  I also have a number of fairly 
specific low-level requirements that I need that are fairly unique to 
the problem I'm solving (online 3D virtual worlds) that don't seem to be 
present in E.  I'm very open to borrowing (or even stealing) ideas from 
E and Waterken, but the implementation will be my own.

-- 
[   Peter Amstutz  ][ tetron at interreality.org ][ peter.amstutz at gdit.com ]
[Lead Programmer][Interreality Project][Virtual Reality for the Internet]
[ VOS: Next Generation Internet Communication][ http://interreality.org ]
[ http://interreality.org/~tetron ][ pgpkey:  pgpkeys.mit.edu  18C21DF7 ]
