[cap-talk] What sustained interest in capabilities

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Sat Dec 27 22:35:24 EST 2008


Mitsu Hadeishi wrote:
> Hi,
> 
> I used to be CTO of the same startup where Monty still works (I've since
> left but have retained my interest in capability security).  I've been
> skimming this list but I thought I'd throw in a comment.  One thing I've
> noticed with some of the capability security efforts is the desire to
> create a top-to-bottom capability security system, i.e., an entire
> operating system based on capability security, or an entire general
> purpose language like E.  However, we found that it was quite possible
> to implement capability security just at a specific layer of a system,
> so that one can combine ordinary ACL-based security with capability
> security principles to gain many of the benefits of cap security without
> having to make every cooperating system capability secure.

That's true to a certain extent. The main deficiency of this approach is
that you end up with a system in which it may be possible to bypass the
capability layer by taking advantage of flaws in other layers. There
are also impedance mismatches between the layers that use different
access control approaches. For these reasons, I consider it only to be
a short-term solution.

> I think this strategy ought to be applied far more frequently; [...]

I agree with that, but possibly for a different reason: replacing layers
individually is probably the only practical way to get to a top-to-bottom
capability system in the longer term.

-- 
David-Sarah Hopwood ⚥
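
The layered approach under discussion, as an added example that is not part of the thread and not code from either poster: a small capability layer sitting on top of a plain ACL-based store. The capability layer issues unforgeable, attenuable references (HMAC-sealed tokens, one possible representation) and makes every lower-layer call as a single service principal, so the ACL layer never sees the real requester. The lower layer is assumed to have a superuser, as most ACL systems do; that is the hypothetical flaw that lets the capability layer be bypassed, which is the deficiency the reply points out. Names (AclStore, CapLayer, "capsvc", "root", "/notes/secret") are made up for the illustration.

```python
"""Capability layer over an ACL store (constructed example, not from cap-talk)."""
import hashlib
import hmac
import secrets
from typing import Dict, FrozenSet, Set, Tuple

Cap = Tuple[str, FrozenSet[str], str]  # (path, rights, sealing tag)


class AclStore:
    """Lower layer: ACL access control keyed on an ambient principal name.
    Hypothetical; the "root" superuser models the flaw in this layer."""

    def __init__(self) -> None:
        self._data: Dict[str, bytes] = {}
        self._acl: Dict[str, Dict[str, Set[str]]] = {}

    def _check(self, principal: str, path: str, right: str) -> None:
        if principal == "root":  # ambient superuser: bypasses every ACL
            return
        if right not in self._acl.get(path, {}).get(principal, set()):
            raise PermissionError(f"{principal} lacks {right} on {path}")

    def create(self, owner: str, path: str, data: bytes) -> None:
        self._data[path] = data
        self._acl[path] = {owner: {"read", "write", "admin"}}

    def grant(self, principal: str, path: str, grantee: str, rights: Set[str]) -> None:
        self._check(principal, path, "admin")
        self._acl[path].setdefault(grantee, set()).update(rights)

    def read(self, principal: str, path: str) -> bytes:
        self._check(principal, path, "read")
        return self._data[path]

    def write(self, principal: str, path: str, data: bytes) -> None:
        self._check(principal, path, "write")
        self._data[path] = data


class CapLayer:
    """Capability layer: callers hold sealed (path, rights) tokens instead of
    identities; every lower-layer call runs as the single principal SERVICE."""

    SERVICE = "capsvc"

    def __init__(self, store: AclStore) -> None:
        self._store = store
        self._key = secrets.token_bytes(32)  # seals tokens; never leaves this object

    def _tag(self, path: str, rights: FrozenSet[str]) -> str:
        msg = (path + "\0" + ",".join(sorted(rights))).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _verify(self, cap: Cap) -> Tuple[str, FrozenSet[str]]:
        path, rights, tag = cap
        if not hmac.compare_digest(tag, self._tag(path, rights)):
            raise PermissionError("forged capability")
        return path, rights

    def mint(self, path: str, rights: Set[str]) -> Cap:
        r = frozenset(rights)
        return (path, r, self._tag(path, r))

    def create(self, path: str, data: bytes) -> Cap:
        self._store.create(self.SERVICE, path, data)
        return self.mint(path, {"read", "write"})

    def attenuate(self, cap: Cap, rights: Set[str]) -> Cap:
        """Derive a weaker capability; rights may only shrink, never grow."""
        path, held = self._verify(cap)
        if not rights <= held:
            raise PermissionError("cannot amplify a capability")
        return self.mint(path, rights)

    def read(self, cap: Cap) -> bytes:
        path, rights = self._verify(cap)
        if "read" not in rights:
            raise PermissionError("capability lacks read")
        return self._store.read(self.SERVICE, path)

    def write(self, cap: Cap, data: bytes) -> None:
        path, rights = self._verify(cap)
        if "write" not in rights:
            raise PermissionError("capability lacks write")
        self._store.write(self.SERVICE, path, data)


def demo() -> Dict[str, bool]:
    """Exercise the capability layer, then show the lower-layer bypass."""
    store = AclStore()
    caps = CapLayer(store)
    full = caps.create("/notes/secret", b"launch codes")
    ro = caps.attenuate(full, {"read"})
    results: Dict[str, bool] = {"ro_read": caps.read(ro) == b"launch codes"}

    def blocked(fn) -> bool:
        try:
            fn()
            return False
        except PermissionError:
            return True

    results["ro_write_blocked"] = blocked(lambda: caps.write(ro, b"x"))
    results["amplify_blocked"] = blocked(lambda: caps.attenuate(ro, {"read", "write"}))
    forged: Cap = ("/notes/secret", frozenset({"read", "write"}), "00" * 32)
    results["forge_blocked"] = blocked(lambda: caps.read(forged))
    # Bypass: the ACL layer is administered independently. Its superuser hands
    # "alice" read access; she never held a capability, yet reads the data.
    store.grant("root", "/notes/secret", "alice", {"read"})
    results["bypass"] = store.read("alice", "/notes/secret") == b"launch codes"
    return results
```

Within the capability layer the usual properties hold: a token cannot be forged without the key, a read-only token cannot write, and attenuation cannot regain rights. None of that constrains code that can reach the AclStore directly, which is the bypass and the impedance mismatch (one ambient service identity on one side, unforgeable references on the other) that the reply above describes.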
