[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0
Jonathan S. Shapiro
shap at eros-os.com
Mon Jun 2 09:23:04 CDT 2008
On Mon, 2008-06-02 at 15:24 +0100, Toby Murray wrote:
> On Mon, 2008-06-02 at 09:37 -0400, Jonathan S. Shapiro wrote:
> > The problem is that the operating system needs to be
> > able to *observe* that no state is reachable on return in order to treat
> > the program as memoryless. It doesn't matter whether state was
> > introduced by the programmer or the compiler -- the OS cannot tell.
>
> Perhaps this question is naive, but what options does the OS have when
> it treats a program as memoryless, i.e. in what way does the OS behave
> that is different for a program that it considers memoryless vs. one
> that it does not? Why is this distinction relevant to Coyotos, for
> example?
If the OS can be presented with a satisfactory proof that the program is
memoryless, then (for example) it does not need to downgrade entry
capabilities in order to ensure confinement...
shap