[cap-talk] What sustained interest in capabilities
mitsu at syntheticzero.com
Mon Dec 29 20:46:15 EST 2008
On Dec 29, 2008, at 8:23 PM, Charles Landau wrote:
> Please clarify a couple of points:
> Mitsu Hadeishi wrote:
>> other programs can't access the service via the ACL-based
>> interface unless they breach the security layer.
>> If the
>> *layer* is not breachable, then from the POV of clients of the layer
>> it is a "top to bottom" capability world.
> Assuming the layer is implemented without bugs, is it breachable or
If it is implemented without bugs, no, it is not breachable.
>> and thus the capability
>> security picture can be and is quite total, from the point of view of
>> entities interfacing with the service through the exposed interfaces
>> of the layer.
> Through the actually exposed interfaces, or just the intentionally
> exposed interfaces?
Well, again, the point of using capability security is that it
dramatically limits the potential for damage due to mistakes in
exposing interfaces, because in general all programs running at the
abstraction level of the capability-secure layer can only access
resources that they have the capability to access. This comes into
play most explicitly when plugging components (programs) together, of
>> For example, consider using the approach we're discussing to present
>> an external web interface to underlying backend systems. Many of the
>> backend systems may be built, internally, using legacy ACL-based
>> technology, but the external interface uses capability security to
>> control access.
> I think you'll find considerable support for that approach on this
>> However, what makes this different from approaches
>> which attempt to put capabilities all the way down to the OS is that
>> the backend does not have to be based on capability security,
> I see the approaches as similar. Capability OS's are built on a
> (hardware) that is not based on capability security, just as you are
That's precisely my point. The approach is similar --- but my point
is that when writing a software-as-a-service layer, it's possible to
use capability security principles now, while leveraging huge
quantities of existing legacy software behind the firewall. Not only
this, but I believe capability security is ideally suited as an
architectural strategy for exposing software-as-a-service scriptable
functionality. In other words --- I'm simply arguing that here's an
opportunity for all the theoretical work that's been done on
capability security to have an immediate and tangible real-world
impact on production systems without having to wait for the entire
world to switch over to a capability secure operating system,
leveraging tons of legacy code.
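As an added illustration of the arrangement Mitsu describes (a capability-secure service layer in front of a legacy ACL-based backend), here is a small Python sketch. It is not code from this thread or from any project; the backend, its ACL table, the "svc-gateway" principal and the document names are all constructed for the example. The layer is the only holder of a backend identity; clients receive capability objects, so from their point of view the world is capability-only, and the usual capability properties (possession as authority, attenuation, revocation) can be shown without touching the backend.

```python
"""Capability layer over an ACL-based backend (illustrative, constructed)."""
from __future__ import annotations


class LegacyBackend:
    """Stand-in for an ACL-based backend: every call names a principal and
    access is decided by looking that principal up in an ACL table."""

    def __init__(self) -> None:
        self._docs = {"doc-a": "alpha", "doc-b": "bravo"}   # constructed data
        # Only the service layer's own principal is listed; client identities
        # never reach the backend at all.
        self._acl = {
            "svc-gateway": {("doc-a", "read"), ("doc-a", "write"),
                            ("doc-b", "read"), ("doc-b", "write")},
        }

    def _check(self, principal: str, doc: str, right: str) -> None:
        if (doc, right) not in self._acl.get(principal, set()):
            raise PermissionError(f"{principal} lacks {right} on {doc}")

    def read(self, principal: str, doc: str) -> str:
        self._check(principal, doc, "read")
        return self._docs[doc]

    def write(self, principal: str, doc: str, value: str) -> None:
        self._check(principal, doc, "write")
        self._docs[doc] = value


class Capability:
    """Reference to one document with a fixed set of rights.

    Possession is the authority: no method takes a principal, and a client
    never handed a Capability for "doc-b" has no way to name it.  (That the
    object cannot be forged or reached except through the layer is an
    assumption of this sketch, not something Python enforces.)"""

    def __init__(self, layer: CapabilityLayer, doc: str,
                 rights: frozenset[str], revoked: list[bool] | None = None) -> None:
        self._layer, self._doc, self._rights = layer, doc, rights
        self._revoked = revoked if revoked is not None else [False]

    def _require(self, right: str) -> None:
        if self._revoked[0]:
            raise PermissionError("capability revoked")
        if right not in self._rights:
            raise PermissionError(f"capability lacks {right}")

    def read(self) -> str:
        self._require("read")
        return self._layer.backend.read(self._layer.principal, self._doc)

    def write(self, value: str) -> None:
        self._require("write")
        self._layer.backend.write(self._layer.principal, self._doc, value)

    def attenuate(self, rights: set[str]) -> Capability:
        """Derive a weaker capability; rights may shrink, never grow.  The child
        shares the parent's revocation flag, so revoking the parent revokes it."""
        if not rights <= self._rights:
            raise PermissionError("cannot attenuate to rights not held")
        return Capability(self._layer, self._doc, frozenset(rights), self._revoked)

    def revoke(self) -> None:
        self._revoked[0] = True


class CapabilityLayer:
    """The service layer: the single holder of a backend ACL identity.  It
    mints capabilities for clients, which never see a backend principal."""

    def __init__(self, backend: LegacyBackend, principal: str) -> None:
        self.backend, self.principal = backend, principal

    def mint(self, doc: str, rights: set[str]) -> Capability:
        # Administrator-side operation that hands authority to a client.
        return Capability(self, doc, frozenset(rights))


def demo() -> dict[str, object]:
    """Exercise the layer and return observations for checking."""
    layer = CapabilityLayer(LegacyBackend(), "svc-gateway")
    full_a = layer.mint("doc-a", {"read", "write"})   # handed to one client
    ro_a = full_a.attenuate({"read"})                  # that client delegates read-only
    out: dict[str, object] = {"ro_read": ro_a.read()}

    def blocked(action) -> bool:
        try:
            action()
            return False
        except PermissionError:
            return True

    out["ro_write_blocked"] = blocked(lambda: ro_a.write("tampered"))
    out["amplify_blocked"] = blocked(lambda: ro_a.attenuate({"read", "write"}))
    # A client identity unknown to the ACL gets nothing from the backend directly.
    out["client_direct_blocked"] = blocked(lambda: layer.backend.read("client-1", "doc-b"))
    full_a.write("alpha-2")
    out["after_write"] = ro_a.read()
    full_a.revoke()                                    # also revokes ro_a
    out["revoked_read_blocked"] = blocked(ro_a.read)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the shape, not the mechanism: the backend keeps its ACL code unchanged, the layer alone carries an ACL identity, and everything clients can do is bounded by the capabilities they were actually handed.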