[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Jun 2 09:24:06 CDT 2008


On Mon, 2008-06-02 at 09:37 -0400, Jonathan S. Shapiro wrote:
>  The problem is that the operating system needs to be
> able to *observe* that no state is reachable on return in order to treat
> the program as memoryless. It doesn't matter whether state was
> introduced by the programmer or the compiler -- the OS cannot tell.

Perhaps this question is naive, but what options does the OS have when
it treats a program as memoryless, i.e. in what way does the OS behave
that is different for a program that it considers memoryless vs. one
that it does not? Why is this distinction relevant to Coyotos, for
example?

I can see that, in terms of some sort of static analysis (which might
include formal modelling or static code analysis to prove properties),
being able to statically determine that a program is memoryless
would be very useful (for a definition of memoryless that makes sense in
the OCap context -- i.e. does not hold any capabilities to non-self
objects or facets). However, I don't understand how this concept is
useful to a running kernel.

Cheers

Toby
