[cap-talk] A dabblers take on security

Jonathan S. Shapiro shap at eros-os.com
Thu Feb 7 10:32:30 EST 2008


On Thu, 2008-02-07 at 11:45 +0000, William Pearson wrote:
> On 06/02/2008, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> > William:
> >
> > It seems to me that there are two very early decisions that you need to
> > make:
> >
> >   1. Are you planning a language-style capability system or an
> >      OS/hardware style capability system? The two involve very
> >      different sorts of design decisions.
> 
> OS/Hardware. I am actually looking more at the hardware. And I am
> thinking at the moment of not having separate address spaces per
> process, although still having memory protection. Which probably
> explains some of the difference in intuitions with regards to length
> of capability.

Okay. This helps frame the discussion. If you are assuming a SASOS-style
system, 64-bit protected pointers remain sufficient.

> >   2. Do you plan to admit an explicit object destroy operation?
> >      This has implications for capability invalidation.
> 
> There will be an object destroy operation.  I see the problem. I'll do
> some more reading and see what other people have come up with.

This is where life will get complicated. It's one of those decisions
that strongly partitions the feasible design space -- particularly the
implementation of invalidation and the implementation of selective
revocation.

shap
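To make the invalidation problem concrete, here is an added example that is not code from the thread, from EROS, or from either correspondent's design. It sketches a toy SASOS-style capability table in which a capability is a 64-bit protected pointer made of a slot index and a generation tag; an explicit destroy bumps the slot's generation, so every capability minted before the destroy (including untracked copies) stops validating, even after the slot is reused. All names (`capref_t`, `obj_create`, `obj_destroy`, `demo`) and the table layout are assumptions for illustration.

```c
/* Added example (not from the cap-talk thread or any real system): a toy
 * SASOS-style capability table where an explicit object destroy must
 * invalidate every outstanding capability to that object. Names and layout
 * are assumptions chosen for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSLOTS 8

/* A 64-bit protected pointer: slot index plus a generation tag. The tag is
 * what makes invalidation cheap: destroy bumps the slot's generation, so
 * every capability minted before the destroy fails validation afterwards. */
typedef struct {
    uint32_t slot;
    uint32_t gen;
} capref_t;

typedef struct {
    uint32_t gen;      /* current generation of this slot */
    bool     live;     /* is an object currently allocated here? */
    int      value;    /* the object's payload */
} slot_t;

static slot_t table[NSLOTS];

/* Allocate an object in the first free slot and mint its first capability. */
static bool obj_create(int value, capref_t *out) {
    for (uint32_t i = 0; i < NSLOTS; i++) {
        if (!table[i].live) {
            table[i].live = true;
            table[i].value = value;
            out->slot = i;
            out->gen = table[i].gen;
            return true;
        }
    }
    return false;
}

/* Validate a capability: slot in range, object live, generation matches. */
static bool cap_valid(capref_t c) {
    return c.slot < NSLOTS && table[c.slot].live && table[c.slot].gen == c.gen;
}

static bool obj_read(capref_t c, int *out) {
    if (!cap_valid(c)) return false;
    *out = table[c.slot].value;
    return true;
}

/* Explicit destroy: free the slot and bump its generation. Every capability
 * to the old object now fails cap_valid(), including copies the table never
 * tracked. Reusing the slot for a new object does not resurrect them. */
static bool obj_destroy(capref_t c) {
    if (!cap_valid(c)) return false;
    table[c.slot].live = false;
    table[c.slot].gen++;
    return true;
}

/* Walk the scenario; returns true only if every check behaved as expected. */
static bool demo(void) {
    memset(table, 0, sizeof table);
    capref_t a, copy, b;
    int v;
    if (!obj_create(42, &a)) return false;
    copy = a;                               /* untracked copy, as in a SASOS */
    if (!obj_read(copy, &v) || v != 42) return false;
    if (!obj_destroy(a)) return false;
    if (obj_read(copy, &v)) return false;   /* dangling copy is rejected */
    if (!obj_create(7, &b)) return false;   /* reuses the freed slot */
    if (b.slot != a.slot) return false;
    if (obj_read(copy, &v)) return false;   /* still rejected: generation differs */
    if (!obj_read(b, &v) || v != 7) return false;
    return true;
}

int main(void) {
    printf("%s\n", demo() ? "ok" : "FAIL");
    return demo() ? 0 : 1;
}
```

Two caveats a practitioner would want. First, this scheme gives whole-object invalidation only: it cannot revoke one holder's capability while leaving another's valid, which is the selective revocation Shapiro separates out above and which needs additional structure (per-holder indirection or explicit tracking of outstanding capabilities). Second, the generation tag must not wrap around while an old capability could still be presented; with 32 bits per field the tag is large, but a hardware design would still need to retire or scrub slots before the counter exhausts.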


