[cap-talk] keyrings and bootstrapping capabilities

Karp, Alan H alan.karp at hp.com
Tue May 29 00:55:37 EDT 2007


Norman Hardy wrote:

> At this level of objects there are many other concepts of mutability  
> to contend with; the page, segment and directory each have their own.
> Some capability systems have a bit presumably devoted to RO and its  
> generalization within each capability.
> We could not find a semantics for this bit in the case of a start key.
> Here is a failed attempt: http://cap-lore.com/CapTheory/Confine/sensoryGate.html

In Client Utility, we did not want the core (aka kernel) to need to
understand the semantics of application level resources, such as files
and directories.  The first prototype used something analogous to
facets, but we switched to "split capabilities" for the second version.

Here I'll describe how split capabilities worked for a file, but all
resources were handled the same way.  A client referenced a file with a
capability.  It was up to the file handler to decide what to do.  For
example, the capability could be to a read only facet, in which case
that's all that was needed.  However, we didn't usually do things that
way.  Instead, we used permission strings in metadata the core kept for
each resource.  The client would also specify a second capability that
we called a key.  If the key matched the "lock" on a permission in the
metadata, the corresponding permission string was forwarded to the
handler.  It was up to the handler to interpret the meaning of that
string.

Here's a simple example.  The metadata for some file might contain

	(lock1,"R") (lock2,"W")

If the client referred to this file and included the key corresponding
to lock1, then the file handler would receive the string "R" with the
request.  Note that the handler did not receive the key.

This approach allowed us to introduce a new kind of thing without
modifying the core or needing to map rights to some predetermined set of
permissions.  For example, an SAP purchase order had a permission string
"cancel".

Should you use split capabilities instead of facets?  Probably not.  On
the plus side, clients could use the same capability to a resource no
matter which rights they wanted to exercise.  We also found that we
could emulate other access models, such as Unix user-group-world, with
relatively few keys.  That made it easier to manage rights.  On the
negative side, we made it too easy for clients to include all their
keys, leading to confused deputy.  More importantly, split capabilities
haven't been studied very well.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
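As an added illustration (not code from Alan Karp's post or from Client Utility), here is a small Python model of the split-capability dispatch described above: the core matches presented keys against the locks in a resource's metadata and forwards only the matching permission strings, never the keys, to the handler. The `Core` class, token-valued keys, and the two handler functions are assumptions made for the example; the metadata and strings ("R", "W", "cancel") are the ones from the post.

```python
import secrets

def new_key():
    """Constructed stand-in for a key capability: an opaque random token.
    Assumption for this model: a lock is simply the key it matches."""
    return secrets.token_hex(8)

class Core:
    """Models the core: it stores (lock, permission-string) pairs per
    resource and never interprets the strings itself."""
    def __init__(self):
        self._resources = {}   # resource capability -> (handler, [(lock, perm)])

    def register(self, handler, permissions):
        cap = secrets.token_hex(8)          # capability handed out to clients
        self._resources[cap] = (handler, list(permissions))
        return cap

    def invoke(self, cap, keys, request):
        handler, permissions = self._resources[cap]
        # Forward only the permission strings whose lock matches a presented
        # key; the keys themselves stay inside the core. A client that
        # presents all its keys hands the handler every matching string,
        # which is the confused-deputy hazard the post mentions.
        granted = sorted({p for lock, p in permissions if lock in keys})
        return handler(request, granted)

def file_handler(request, granted):
    """File handler's own interpretation of the strings "R" and "W"."""
    needed = {"read": "R", "write": "W"}[request]
    return needed in granted

def purchase_order_handler(request, granted):
    """A different resource type defines its own string, e.g. "cancel"."""
    return request in granted

def demo():
    core = Core()
    lock1, lock2 = new_key(), new_key()
    doc = core.register(file_handler, [(lock1, "R"), (lock2, "W")])
    cancel_key = new_key()
    order = core.register(purchase_order_handler, [(cancel_key, "cancel")])
    return {
        "read_with_lock1": core.invoke(doc, {lock1}, "read"),
        "write_with_lock1": core.invoke(doc, {lock1}, "write"),
        "write_with_both": core.invoke(doc, {lock1, lock2}, "write"),
        "cancel_order": core.invoke(order, {cancel_key}, "cancel"),
        "cancel_wrong_key": core.invoke(order, {lock1}, "cancel"),
    }
```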