[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0
Bill Frantz
frantz at pwpconsult.com
Mon Jun 2 20:07:49 CDT 2008
shap at eros-os.com (Jonathan S. Shapiro) on Monday, June 2, 2008 wrote:
>> But suppose that the OS could snapshot the state of the process after
>> an initialization phase, and then reset it to the snapshot after each
>> application-level request....
>If a mechanism existed by which the OS *could* tell, then I agree that
>functional programming might be useful, but I still believe that it is
>the wrong approach for many of the things one would like to build.
>
>This is a useful tool for thought experiments, but it is precisely the
>implementation that we are trying to avoid. The OS, for example, has no
>means to return the storage for the address space being abandoned.
Because of the need to have objects that manifestly couldn't
transfer data between callers, towards the end of the KeyKOS
project we started building single-use factory-created objects
which were manifestly memoryless (modulo trust in the factory [1]
mechanism). The "type" object [2], which typed a file on the user's
terminal (think of the function of cat and od in *nix), was an
example of such a program. With this technique, the program itself
is responsible for returning storage, and the OS is off the hook.
Cheers - Bill
[1] <http://www.cap-lore.com/CapTheory/KK/Factory.html>
[2] <http://www.agorics.com/Library/KeyKos/Gnosis/133.html#type>
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
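A toy model, added here and not KeyKOS code, of the single-use factory-created objects described above: each yield receives its own copy of the factory's holes plus fresh scratch storage, serves exactly one request, and then discards both itself. The names `Factory`, `Yield`, `type_program` and the request format are my own assumptions.

```python
class Exhausted(Exception):
    """Raised when a consumed single-use object is invoked again."""


class Yield:
    """One factory-created object: serves a single request, then gives back
    its own storage so nothing can be carried over to the next caller."""

    def __init__(self, program, holes):
        self._program = program
        self._holes = dict(holes)  # private copy of the factory-granted capabilities
        self._scratch = {}         # storage that exists only for this one request
        self._alive = True

    def invoke(self, request):
        if not self._alive:
            raise Exhausted("single-use object already consumed")
        try:
            return self._program(request, self._holes, self._scratch)
        finally:
            # The program (not the OS) returns its storage, whether or not it raised.
            self._scratch.clear()
            self._holes.clear()
            self._alive = False


class Factory:
    """Builds yields from a fixed program and a fixed, audited set of holes.
    A caller need only trust the factory's audit to conclude that a yield
    cannot move data between callers."""

    def __init__(self, program, holes):
        self._program = program
        self._holes = dict(holes)

    def create(self):
        return Yield(self._program, self._holes)


def type_program(request, holes, scratch):
    """Stand-in for the KeyKOS 'type' object (cf. cat / od): render bytes for
    a terminal. It deliberately tries to stash caller data in both places it
    can reach, to show that neither survives into the next yield."""
    inherited = holes.get("leak")          # set only if a prior request leaked through
    scratch["last"] = request["data"]
    holes["leak"] = request["data"]
    if request.get("mode") == "od":
        rendered = " ".join(f"{b:03o}" for b in request["data"])
    else:
        rendered = request["data"].decode("ascii", errors="replace")
    return rendered, inherited


def run_requests(factory, requests):
    """Serve each request with a fresh yield, as the factory discipline requires."""
    return [factory.create().invoke(req) for req in requests]
```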