[cap-talk] Capability beginner questions
Jed Donnelley
capability at webstart.com
Wed Oct 3 12:20:02 EDT 2007
At 07:15 AM 10/3/2007, Matheus Morais wrote:
>On 10/3/07, Kevin Reid <kpreid at mac.com> wrote:
>This is inconsistent. Randomly generated values are only useful if
>you're creating sparse capabilities (those which the client can
>access the bits of); but the presence of the r_list means that these
>must be protected capabilities (those which the client can't access
>the bits of, or at least can't cause a given bit-sequence to be used
>as a capability).
>Assuming that you intend protected capabilities (which have superior
>properties), there is no reason for the "key" to be random; it might
>as well be a pointer or index referring to the implementation of the
>capability (what is invoked/accessed when the capability is used).
>
>
>Yes, your assumptions are correct; I wanted to create a protected
>capability environment. Well, now I'm a bit lost: is the key the
>identifier that points to an object which has that capability, or to
>what _action_ that capability could provide on the object? I was
>thinking in this manner: the key is used to identify what object
>that capability is assigned to, and the r_list will provide what
>permissions are given by that capability. For example, when a
>program P calls to write to a file F, the system will check in P's
>capability list whether the key pointing to F exists and then look at what
>actions (r_list) will be available to P over F.
To my thinking you are focusing too much on implementation
details.

I believe the base idea of a capability is a parameter
token that can communicate permission to a designated
something (an object) between two protected domains
(vats, processes, etc.) so as to preserve their possible
mutually suspicious interaction.

The strongest forms of capability implementation include
the permission to communicate to whatever services
requests on the object with the communicated capability.
Such forms support the confinement property.

Beyond the above it seems to me you start to delve into
implementation details - which we on this list of
course love to debate endlessly. You will find such
a huge variety of successful implementations of the
capability concept that I hope you don't try to define
the concept by any particular implementation or even
type of implementation - hardware, software, protected
references, capabilities as data, etc.

You can find efforts to describe capabilities that
have been hashed to some extent on Wikipedia, e.g.:
http://en.wikipedia.org/wiki/Capability-based_security
http://en.wikipedia.org/wiki/Object-capability_model

While I naturally have my own opinions that differ some
(since I didn't write the above ;-), I particularly
recommend the beginning of the second reference which
I believe focuses on the essence of the capability concept.
--Jed http://www.webstart.com/jed-signature.html
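As an added illustration of the c-list model Matheus sketches (key -> object, r_list -> permitted actions) and of Kevin's remark that, for protected capabilities, the key need only be an index into a table the system holds, here is a small toy kernel. It is example code written for this archive page, not code from any of the posters or from any real capability system; the names `Kernel`, `FileObject`, `Entry`, `grant`, `invoke` and `delegate` are assumptions, and the sample file and domains are constructed.

```python
"""Toy protected-capability (c-list) model, constructed for illustration.

Each protected domain (process, vat, ...) owns a capability list held by
the kernel. A capability, as seen by the domain, is just an integer index
into that list: the domain never holds the object reference or the
rights bits itself, so it cannot forge a capability. The entry pairs the
object with an r_list (the set of actions the holder may invoke).
"""
from dataclasses import dataclass
from typing import Dict, List


class FileObject:
    """A constructed sample object; its method names are the actions an r_list can name."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.contents = ""

    def read(self) -> str:
        return self.contents

    def write(self, data: str) -> int:
        self.contents += data
        return len(data)


@dataclass(frozen=True)
class Entry:
    obj: object
    r_list: frozenset  # permitted actions, e.g. {"read", "write"}


class Kernel:
    """Holds every domain's c-list; domains only ever see integer indices."""

    def __init__(self) -> None:
        self._clists: Dict[str, List[Entry]] = {}

    def new_domain(self, name: str) -> None:
        self._clists[name] = []

    def grant(self, domain: str, obj: object, r_list) -> int:
        """Install an entry in domain's c-list and return its index (the 'key')."""
        clist = self._clists[domain]
        clist.append(Entry(obj, frozenset(r_list)))
        return len(clist) - 1

    def invoke(self, domain: str, cap: int, action: str, *args):
        """Resolve the index in the caller's own c-list, then check the r_list."""
        clist = self._clists[domain]
        if not 0 <= cap < len(clist):
            raise PermissionError(f"{domain}: no capability {cap}")
        entry = clist[cap]
        if action not in entry.r_list:
            raise PermissionError(f"{domain}: {action!r} not in r_list")
        return getattr(entry.obj, action)(*args)

    def delegate(self, src: str, cap: int, dst: str, keep=None) -> int:
        """Communicate a capability to another domain, optionally attenuating it."""
        entry = self._clists[src][cap]
        rights = entry.r_list if keep is None else entry.r_list & frozenset(keep)
        return self.grant(dst, entry.obj, rights)


def demo() -> dict:
    """Walk through P writing a file, handing Q a read-only view, and Q misbehaving."""
    k = Kernel()
    k.new_domain("P")
    k.new_domain("Q")
    f = FileObject("F")                      # constructed sample file
    cap_p = k.grant("P", f, {"read", "write"})
    k.invoke("P", cap_p, "write", "hello")
    cap_q = k.delegate("P", cap_p, "Q", keep={"read"})  # attenuated on transfer

    results = {"q_reads": k.invoke("Q", cap_q, "read"),
               # the same integer names different entries in different c-lists
               "keys": (cap_p, cap_q)}
    try:                                      # Q only received "read"
        k.invoke("Q", cap_q, "write", "x")
        results["q_write"] = "allowed"
    except PermissionError:
        results["q_write"] = "denied"
    try:                                      # a made-up index resolves to nothing
        k.invoke("Q", 7, "read")
        results["forged"] = "allowed"
    except PermissionError:
        results["forged"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the "key" Q holds is meaningful only relative to Q's own c-list; there is no bit-string Q could copy, guess or hand to another domain to obtain access, which is what makes these protected rather than sparse capabilities, and why the key does not need to be random.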