[cap-talk] What sustained interest in capabilities

Mitsu Hadeishi mitsu at syntheticzero.com
Mon Dec 29 20:46:15 EST 2008


On Dec 29, 2008, at 8:23 PM, Charles Landau wrote:

> Please clarify a couple of points:
>
> Mitsu Hadeishi wrote:
>> other programs can't access the service via the ACL-based
>> interface unless they breach the security layer.
>
>> If the
>> *layer* is not breachable, then from the POV of clients of the layer
>> it is a "top to bottom" capability world.
>
> Assuming the layer is implemented without bugs, is it breachable or  
> not?

If it is implemented without bugs, no, it is not breachable.

>> and thus the capability
>> security picture can be and is quite total, from the point of view of
>> entities interfacing with the service through the exposed interfaces
>> of the layer.
>
> Through the actually exposed interfaces, or just the intentionally
> exposed interfaces?

Well, again, the point of using capability security is that it  
dramatically limits the potential for damage due to mistakes in  
exposing interfaces, because in general all programs running at the  
abstraction level of the capability-secure layer can only access  
resources that they have the capability to access.  This comes into
play most explicitly when plugging components (programs) together, of  
course.

>> For example, consider using the approach we're discussing to present
>> an external web interface to underlying backend systems.  Many of the
>> backend systems may be built, internally, using legacy ACL-based
>> technology, but the external interface uses capability security to
>> control access.
>
> I think you'll find considerable support for that approach on this  
> list.
>
>> However, what makes this different from approaches
>> which attempt to put capabilities all the way down to the OS is that
>> the backend does not have to be based on capability security,
>
> I see the approaches as similar. Capability OS's are built on a  
> platform
> (hardware) that is not based on capability security, just as you are  
> doing.

That's precisely my point.  The approach is similar --- but my point  
is that when writing a software-as-a-service layer, it's possible to  
use capability security principles now, while leveraging huge  
quantities of existing legacy software behind the firewall.  Not only  
this, but I believe capability security is ideally suited as an  
architectural strategy for exposing software-as-a-service scriptable  
functionality.  In other words --- I'm simply arguing that here's an  
opportunity for all the theoretical work that's been done on  
capability security to have an immediate and tangible real-world  
impact on production systems without having to wait for the entire  
world to switch over to a capability secure operating system,  
leveraging tons of legacy code.
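As an added illustration (mine, not code from the thread), here is a small Python sketch of the arrangement described above: a capability-secure front layer in front of an ACL-based legacy backend. The backend, the document names and the `svc` service identity are constructed; Python does not enforce encapsulation, so the underscored attributes stand in for references a client could not reach in a real object-capability language.

```python
class LegacyBackend:
    """Constructed ACL-based backend: each call carries a user identity (ambient authority)."""
    def __init__(self):
        self._docs = {"invoice-1": "amount=100", "invoice-2": "amount=250"}
        self._acl = {"invoice-1": {"svc"}, "invoice-2": {"svc"}}
    def _check(self, user, doc):
        if user not in self._acl.get(doc, ()):
            raise PermissionError(f"{user} may not access {doc}")
    def read(self, user, doc):
        self._check(user, doc)
        return self._docs[doc]
    def write(self, user, doc, value):
        self._check(user, doc)
        self._docs[doc] = value

class DocCap:
    """A capability: closes over one backend document and the service identity used to reach it."""
    def __init__(self, backend, user, doc, writable=True):
        self._backend, self._user, self._doc, self._writable = backend, user, doc, writable
    def read(self):
        return self._backend.read(self._user, self._doc)
    def write(self, value):
        if not self._writable:
            raise PermissionError("read-only capability")
        self._backend.write(self._user, self._doc, value)
    def attenuate(self):
        """Derive a read-only capability to hand to a less trusted component."""
        return DocCap(self._backend, self._user, self._doc, writable=False)

class CapabilityLayer:
    """The exposed interface, the only route from clients to the backend. Clients never
    learn the service user or document ids, so one mistaken hand-off exposes one document."""
    def __init__(self, backend, service_user="svc"):
        self._backend, self._user = backend, service_user
    def grant(self, doc):
        return DocCap(self._backend, self._user, doc)

def demo():
    """Exercise the layer and report what each holder could do."""
    layer = CapabilityLayer(LegacyBackend())
    full = layer.grant("invoice-1")   # client A holds read/write on invoice-1 only
    read_only = full.attenuate()      # client B gets a derived, read-only capability
    out = {"full_read": full.read(), "ro_read": read_only.read()}
    try:
        read_only.write("amount=0")
        out["ro_write"] = "allowed"
    except PermissionError:
        out["ro_write"] = "denied"
    return out
```

Nothing in the client-facing surface names a user or a second document, which is the point of the layer: a client holding a capability to invoice-1 has no handle with which to ask the backend about invoice-2.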