[cap-talk] Documentation and the "Access Propagation Fear"

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Mar 20 22:17:06 EDT 2008


Jed Donnelley wrote:
> http://www.cs.utah.edu/flux/papers/micro/node4.html
> 
> with this:
> 
> "Though popular, capability mechanisms are poorly suited to
> providing policy flexibility, because they allow the holder
> of a capability to control the direct propagation of that
> capability, whereas a critical requirement for supporting
> security policies is the ability to control the propagation
> of access rights in accordance with the policy. The enhancements
> introduced by Hydra

This is probably referring to 'EnvRts' [*] (which is useless as
a security mechanism, and interferes with delegation)...

> and KeyKOS

but I have no idea what this is referring to. Anyone know?

> are intended to limit such
> propagation, but the resulting systems still generally only
> support the specific policies they were designed to satisfy,

I really don't know what to say to this. It's a particular strength
of capability systems that they can enforce unanticipated policies
outside the kernel -- 'Paradigm Regained' has a good discussion of
that.

> at the cost of significant complexity that diminishes the
> attraction of the capability model in the first place."


[*] http://www.google.co.uk/search?q=site%3Aeros-os.org+EnvRts

-- 
David-Sarah Hopwood
