[cap-talk] capabilities in a layer
Steve Witham
sw at tiac.net
Wed Dec 31 02:48:27 EST 2008
>From: Mitsu Hadeishi <mitsu at syntheticzero.com>
What you've been saying makes sense to me.
>So yes, these layers are, essentially, languages. However, I could
>imagine building a system that used capability security as a form of
>access control which wasn't a full-blown language, but merely used
>capability security as a theoretical model for passing around
>authority within the system. Such a system would be of less utility
>but would still allow fine-grained and mixed permissions which are
>very difficult to model with any role-based approach.
Do you mean something like the Mac OS X kernel, which is monolithic,
but uses the Mach source code with message passing being done by
subroutine calls?
So in general a system where you get a combination of flexibility
and security if the programmers adhere to certain disciplines?
(No class variables or class methods, no unwrapped open calls,
no memory leaks...)
>However, what makes this different from approaches
>which attempt to put capabilities all the way down to the OS is that
>the backend does not have to be based on capability security, and can
>be built with ordinary technologies such as Linux, Java, etc. If the
>*layer* is not breachable, then from the POV of clients of the layer
>it is a "top to bottom" capability world.
Well, and if stuff underneath or on top doesn't have its own holes.
For instance Apache on top, Java, MySQL, or Linux below.
--Steve
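A sketch of what such a layer can look like in ordinary code, added here as an illustration and not taken from the thread (all names are hypothetical): authority travels as references to closures over a plain dict backend, so attenuation and revocation are expressed purely by which references a client is handed, with no role table anywhere.

```python
class FileStore:
    """Backend built with ordinary technology: it checks no identity or role."""

    def __init__(self):
        self._files = {}

    def read(self, name):
        return self._files[name]

    def write(self, name, data):
        self._files[name] = data


def make_caps(store, name):
    """Mint (read, write, revoke) facets for one file. The store is captured
    in closures, so a holder of a facet gets exactly that authority: no path
    to the store, to other files, or to any role table. Handing out only
    `read` is attenuation; calling `revoke` cuts off both facets."""
    revoked = False

    def guard():
        if revoked:
            raise PermissionError("capability revoked")

    def read():
        guard()
        return store.read(name)

    def write(data):
        guard()
        store.write(name, data)

    def revoke():
        nonlocal revoked
        revoked = True

    return read, write, revoke


def scenario():
    """Mixed, per-object permissions that roles model awkwardly: read-write
    on "a", read-only on "b", then revocation of the "a" facets only."""
    store = FileStore()
    store.write("a", "alpha")
    store.write("b", "bravo")
    read_a, write_a, revoke_a = make_caps(store, "a")
    read_b, _, _ = make_caps(store, "b")   # write facet deliberately withheld
    write_a("ALPHA")
    seen = (read_a(), read_b())
    revoke_a()
    try:
        read_a()
        return seen, False                 # revocation failed
    except PermissionError:
        return seen, read_b() == "bravo"   # "b" facets are unaffected
```

The layer is only as strong as what sits under it: in CPython the captured store is reachable through `read.__closure__`, so this is a programming discipline rather than an enforcement boundary, which is exactly the "holes underneath" concern above.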