[cap-talk] Horton vs. ACLs (was: Examples where ACLs are better...)
Mark Miller
erights at gmail.com
Mon Oct 8 13:38:52 EDT 2007
On 10/8/07, Jed Donnelley <capability at webstart.com> wrote:
> While I appreciate the example and discussion, I don't see how the
> above fits into a "a place or two where ACLs are preferable to capabilities
> for access control..."
Sorry, I was speaking about hybrid caps (caps && ACLs), rather than just ACLs.
> Is an "unauthorized capability" any more than a name/designation?
> I guess the difference is that you really need it and can't get it
> through a data path?
Exactly right.
> Are there more "mythical" problems than what amount to the
> communicating conspirators problem?
That's the problem I had in mind. Since I included Alan's client
utility on the list of hybrid systems, I should point out that Alan
was not confused about this or any of the other myths. Horton was
largely inspired by trying to understand Client Utility's virtues in
pure ocap terms.
> What I was referring to was Jonathan's concern that the Horton
> mechanism which I believe does qualify as a 'membrane approach'
> has "...storage allocation and transitivity issues that were very
> difficult to resolve without GC."
>
> Do you know what he means there?
GC stands for Garbage Collection.
Systems like E, where allocation and GC are implicit, are vulnerable
to denial-of-service by resource exhaustion attacks.
For ocap systems like KeyKOS, EROS, CapROS, Coyotos, GuardOS where
the right to memory is a first-class right and the kernel does no implicit
allocation, we do not yet have practical proposals for membrane
mechanisms, whether for use by Horton or even for non-kernel remoting
systems like DCCS. I have heard no proposal for non-kernel remoting
systems that are invulnerable to memory exhaustion attacks.
> Aside from any use Horton sorts of mechanisms may have in modeling
> hybrid systems, I would like to better understand the concerns that
> Jonathan is expressing about the unsuitability of Horton to
> practically achieve the auditability value of ACL systems
> in a pure object capability context - as I believe we have
> claimed in the Horton paper.
The only objection I've heard about Horton so far is storage
management. This is a serious objection, but doesn't contradict any of
the claims made in our paper.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
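The storage-management objection above is easier to see with a concrete membrane. What follows is an added illustration, not code from this thread, from E, or from the Horton paper: a minimal transitive, revocable membrane built on JavaScript Proxy, with a counter that makes visible where a wrapper is allocated on each crossing. The names (makeMembrane, wrap, stats, demo) and the sample object graph are this example's own.

```javascript
// Added example, not from the cap-talk thread or from E/Horton: a small
// transitive, revocable membrane on JavaScript Proxy. The wrapper counter
// exists only to show the allocation each crossing costs.

function makeMembrane(root) {
  let revoked = false;
  // Identity-preserving bookkeeping: one wrapper per object, plus a way to
  // recognise our own wrappers when they cross back. Both are WeakMaps, so
  // the host GC can drop entries for dead objects; a system without GC has
  // to keep (or explicitly account for) every entry it ever creates.
  const wrapperOf = new WeakMap();   // original -> proxy
  const originalOf = new WeakMap();  // proxy -> original
  const stats = { wrappersAllocated: 0 };

  function checkRevoked() {
    if (revoked) throw new Error('membrane revoked');
  }

  function wrap(value) {
    // Primitives carry no authority and cross unchanged.
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      return value;
    }
    // A wrapper crossing back is unwrapped, so a reference that goes out and
    // comes in again designates the same object it started as.
    if (originalOf.has(value)) return originalOf.get(value);
    if (wrapperOf.has(value)) return wrapperOf.get(value);

    const handler = {
      get(target, prop) {
        checkRevoked();
        return wrap(Reflect.get(target, prop, target)); // transitive: results are wrapped
      },
      set(target, prop, v) {
        checkRevoked();
        return Reflect.set(target, prop, wrap(v), target); // arguments are wrapped too
      },
      has(target, prop) {
        checkRevoked();
        return Reflect.has(target, prop);
      },
      deleteProperty(target, prop) {
        checkRevoked();
        return Reflect.deleteProperty(target, prop);
      },
      apply(target, thisArg, args) {
        checkRevoked();
        return wrap(Reflect.apply(target, wrap(thisArg), args.map((a) => wrap(a))));
      },
      construct(target, args) {
        checkRevoked();
        return wrap(Reflect.construct(target, args.map((a) => wrap(a))));
      },
    };
    // Using the real object as the Proxy target keeps this short; a
    // production membrane uses a shadow target so frozen objects do not
    // trip Proxy invariant checks.
    const proxy = new Proxy(value, handler);
    wrapperOf.set(value, proxy);
    originalOf.set(proxy, value);
    stats.wrappersAllocated += 1; // the per-crossing allocation
    return proxy;
  }

  return { wrapped: wrap(root), revoke() { revoked = true; }, stats };
}

// Constructed sample graph (not from the thread): a root whose methods hand
// out further objects, so references reach across the membrane transitively.
function demo() {
  const inner = {
    child: { grandchild: { value: 42 } },
    mint() { return { fresh: true }; }, // a new object on every call
    echo(x) { return x; },
  };
  const m = makeMembrane(inner);
  const out = m.wrapped;

  // Transitivity: objects reached through the root are wrapped as well, and
  // wrapping is memoised, so a second traversal allocates nothing.
  const g1 = out.child.grandchild;
  const g2 = out.child.grandchild;
  const transitive = g1 !== inner.child.grandchild && g1.value === 42;
  const identityPreserved = g1 === g2;
  const afterTraversal = m.stats.wrappersAllocated; // root, child, grandchild

  // Round trips: a wrapper sent back in is unwrapped; an outside object sent
  // in is wrapped for the inside and unwrapped again on the way out.
  const roundTrip = out.echo(g1) === g1;
  const outside = {};
  const outsideRoundTrip = out.echo(outside) === outside;
  const afterEcho = m.stats.wrappersAllocated; // + echo function, + `outside`

  // The exhaustion concern: each fresh object crossing costs one wrapper,
  // so bookkeeping grows linearly with calls unless something reclaims it.
  const N = 1000;
  const before = m.stats.wrappersAllocated;
  for (let i = 0; i < N; i++) out.mint();
  const growth = m.stats.wrappersAllocated - before; // 1 (mint fn) + N objects

  m.revoke();
  let revokedThrows = false;
  try { void out.child; } catch (e) { revokedThrows = true; }

  return { transitive, identityPreserved, afterTraversal, roundTrip,
           outsideRoundTrip, afterEcho, growth, revokedThrows };
}
```

The point of the counter is the last section of demo(): in a language with a garbage collector the WeakMap entries for the minted objects become collectable as soon as both sides drop them, so the membrane's own tables cost nothing extra to manage. In a kernel that does no implicit allocation, each of those entries has to be charged to someone's memory right up front, which is exactly the part for which the message above says no practical membrane proposal yet exists.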