[cap-talk] Is EQ necessary for PetName systems?
Jonathan S. Shapiro
shap at eros-os.com
Sun Oct 21 10:17:59 EDT 2007
On Sat, 2007-10-20 at 10:28 -0700, Dean Tribble wrote:
> On 10/19/07, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> > There is one case where EQ appears to be necessary. This has nothing to
> > do with pet names. In KeyKOS/EROS, invoking a resume capability destroys
> > it. In such systems, there must be some comparator operation that can
> > compare two capabilities for equality without invoking the capabilities.
> This is an interesting constraint. This constraint would also require
> that brand checking operations have magic (i.e., non-message-based)
> access for checking brands, correct?
Offhand, I do not think so, because brands cannot usefully be
implemented by destroy-on-use capabilities.
But there is a larger issue: in any design where the operation:
a == b
[again without taking a position on what type of equality test this is]
is handled by code written by the implementer of object a, we have a
potential denial of control flow issue. For many use-cases of ==, it is
necessary to know that the operation completes within bounded time. For
many others, it is necessary to know that the answer is stable in
certain regards. Neither of these is straightforward to determine in the
absence of code verification.
This certainly doesn't stop us from implementing user-provided equality
primitives, but it does suggest that there may be considerations beyond
the purity of the capability model.
Jonathan S. Shapiro, Ph.D.
The EROS Group, LLC
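The two points above, a comparator that must not invoke destroy-on-use capabilities and an equality test whose answer is controlled by the implementer of object a, as a toy model added here for illustration; it is not code from KeyKOS, EROS or this thread, and every class and function name in it is invented.

```python
# Toy model of capability equality in a KeyKOS/EROS-style system (added example;
# not project code). Names such as ResumeCapability and kernel_eq are invented.

class Capability:
    """Opaque kernel handle naming an object; invoke() sends it a message."""
    def __init__(self, target):
        self.target = target
        self.valid = True

    def invoke(self, *msg):
        if not self.valid:
            raise RuntimeError("capability already consumed")
        return self.target.handle(self, *msg)


class ResumeCapability(Capability):
    """Destroy-on-use: a single invocation consumes the capability."""
    def invoke(self, *msg):
        result = super().invoke(*msg)
        self.valid = False
        return result


class Continuation:
    """Object behind a resume capability; counts how often it is resumed."""
    def __init__(self):
        self.resumed = 0

    def handle(self, cap, *msg):
        self.resumed += 1
        return msg


class FlakyObject:
    """Object whose own equality code answers differently on every call."""
    def __init__(self):
        self.calls = 0

    def handle(self, cap, *msg):
        self.calls += 1
        return self.calls % 2 == 1   # unstable answer, chosen by the object


def kernel_eq(a, b):
    """Reads only kernel state: bounded time, never invokes, so it does not
    consume a destroy-on-use capability."""
    return a.target is b.target


def message_eq(a, b):
    """Equality delegated to a's object via a message: the object decides the
    answer, and asking a resume capability destroys it."""
    return a.invoke("eq?", b)


def demo():
    k = Continuation()
    a, b = ResumeCapability(k), ResumeCapability(k)
    kernel_ok = kernel_eq(a, b) and a.valid and b.valid and k.resumed == 0
    message_eq(a, b)                       # consumes a as a side effect
    f = Capability(FlakyObject())
    answers = [message_eq(f, f) for _ in range(4)]
    return kernel_ok, not a.valid, answers  # (True, True, [True, False, True, False])
```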