[cap-talk] Capability begginer questions

Kevin Reid kpreid at mac.com
Tue Oct 2 19:05:07 EDT 2007


On Oct 2, 2007, at 14:48, Matheus Morais wrote:

> 2 - According to Capability-Based Computer Systems book[2] written  
> by Henry M. Levy, the capabilitie could be showed as rows of an  
> access matrix which contrasts with ACL's in the column of the same  
> access matrix. In a paper called 'Capability Myths Demolished'[3]  
> they say that assignment don't explicit show the differences  
> between ACL's and capability. My question is, could I represent  
> capability as rows (or columns depending on where user field is  
> positioned) of an access matrix?

If the purpose is to execute an actual program, then no, you cannot  
represent capabilities in an access matrix, unless there is one row  
per *field in object or data structure* in the program. Since this  
dynamically changes, the matrix representation would be awkward and  
silly.

The reason such subdivision is necessary is that a fundamental aspect  
of capability execution is that a program *specifies what capability  
it is operating on*.

For example, consider this E program:

def makeCopier(input, output) {
   def copier() {
    output.put(input.get())
   }
   return copier
}

Whenever invoked, "copier" will place the contents of "input" in  
"output".

If one were to represent a "copier" in a way which does not  
distinguish which is the input and which is the output, then there  
would not be sufficient information to execute the program, and any  
safety analysis would miss the directionality.

> 3 - Suppose that I have a program P and I want to assign a  
> capability to read an file F. The read access capabilitie will be  
> stored in P capability list or F capability list?

P's capability list.

> 4 - I was playing with C++ and design a _very_ primary capability  
> structure
> as follow:
> ...
> #define RIGHTS_LIST_SIZE 2
> #define CAP_LIST_SIZE 10
> typedef char r_list[RIGHTS_LIST_SIZE];
> typedef struct cap {
>     long key;
>     r_list rights;
> };
> typedef cap clist[CAP_LIST_SIZE];
> ...
> I am in the right direction? I was thinking to write a small  
> Capability _Fake_ File System to run on top of ext3 fs, just to  
> learn more about capabilites in the practical. Any suggestions?

If this structure is intended to be protected from the user programs  
(actually or conceptually), then I don't see much wrong with it, but  
there's not enough information to tell how it's intended to be used.

How are key values chosen? How are they looked up during capability  
invocation?

What is stored in an r_list? What interprets the values?

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>




More information about the cap-talk mailing list