[cap-talk] Value of 'copy on write' as attenuation mechanism.
Toby Murray
toby.murray at comlab.ox.ac.uk
Wed May 21 16:31:29 CDT 2008
On Wed, 2008-05-21 at 11:05 +0200, Rob Meijer wrote:
> While requesting feedback for my MinorFs project, one issue that came up
> twice was the value of so called copy on write or COW mechanisms.
>
> Currently the design of MinorFs only provides for a generic attenuation
> pattern that allows for deep, shallow and composed 'controlled' attenuation
> of read and write. Combined with decomposition and composition, many
> attenuations can be created, however facilities for COW are currently not.
>
> Given that the main goal of MinorFs is to be a demonstration of practical
> use of sparse tokens in powerful discretionary Ocap related access control
> mechanisms, I am a bit troubled about the nature of COW. Is it an
> essentially important form of attenuation, and if so, is it of value for
> directory trees as such a core mechanism, or would providing COW for files
> combined with composition, be more in sync with the value of this
> mechanism.
Plash implements a limited form of COW. This COW feature has been used
to good effect in the Plash package tools.
The main use for COW, as I see it, is to facilitate POLA. An untrusted
application can be given COW access to a subtree of the filesystem and
run as normal, except the user can be assured it cannot cause lasting
harm. Plus examining the differences between the original and any copies
created provides a neat way of quantifying the damage the software could
have done.
COW provides "virtual" read-write access to a filesystem. In this sense,
I think it is very useful for POLA. That might not be the question you
asked though.
>
> I am not sure if COW would add to the educational value of MinorFs, or if
> it would actually be damaging, distracting from the above core mechanisms?
> I am very much interested to hear opinions on the value of COW as
> attenuation pattern in general, and its educational value if I would
> add it as an extra file system abstraction layer to MinorFs.
>
I think that developers should realise that COW allows untrusted
applications to run as normal without allowing them to cause harm to a
system (beyond perhaps learning sensitive information).
Cheers
Toby
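The attenuation pattern Toby describes (virtual read-write access to a subtree, with the base left untouched and the "damage" recoverable as a diff) is small enough to show in working code. The following is an added illustration written for this page; it is not code from Plash, from MinorFs, or from the thread. The class and function names (`CowView`, `demo`) and the sample tree are constructed for the example. Reads fall through to the base directory, writes and new files go to a private overlay, and deletes are recorded as whiteouts that hide the base copy without removing it; `diff()` then reports what the untrusted program would have done to the real tree. Note the caveat Toby raises: the view attenuates write authority only, so anything readable in the base is still readable through the view.

```python
import shutil
import tempfile
from pathlib import Path


class CowView:
    """Copy-on-write view over a base directory (illustrative, not Plash's code).

    Reads fall through to the base; writes and deletes land in a private
    overlay, so the base is never modified.  Deletes are recorded as
    "whiteouts" that hide the base copy from the view.
    """

    def __init__(self, base, overlay):
        self.base = Path(base)
        self.overlay = Path(overlay)
        self.overlay.mkdir(parents=True, exist_ok=True)
        self.whiteouts = set()  # relative paths deleted through the view

    def _rel(self, name):
        # Refuse absolute paths and '..' so the view cannot escape the subtree.
        p = Path(name)
        if p.is_absolute() or ".." in p.parts:
            raise ValueError("path escapes the COW subtree: %s" % name)
        return p

    def read(self, name):
        p = self._rel(name)
        if str(p) in self.whiteouts:
            raise FileNotFoundError(name)
        o = self.overlay / p
        if o.is_file():
            return o.read_bytes()            # modified or added in the overlay
        return (self.base / p).read_bytes()  # unmodified: served from the base

    def write(self, name, data):
        p = self._rel(name)
        o = self.overlay / p
        o.parent.mkdir(parents=True, exist_ok=True)
        o.write_bytes(data)                # the base copy is left untouched
        self.whiteouts.discard(str(p))     # a rewrite after delete revives it

    def delete(self, name):
        p = self._rel(name)
        key = str(p)
        o = self.overlay / p
        in_overlay = o.is_file()
        in_base = (self.base / p).is_file() and key not in self.whiteouts
        if not (in_overlay or in_base):
            raise FileNotFoundError(name)
        if in_overlay:
            o.unlink()
        if (self.base / p).is_file():
            self.whiteouts.add(key)        # hide the base copy, do not remove it

    def diff(self):
        """Report what the view's user would have done to the real tree."""
        report = {"added": [], "modified": [], "deleted": sorted(self.whiteouts)}
        for o in sorted(self.overlay.rglob("*")):
            if not o.is_file():
                continue
            rel = str(o.relative_to(self.overlay))
            b = self.base / rel
            if not b.is_file():
                report["added"].append(rel)
            elif b.read_bytes() != o.read_bytes():
                report["modified"].append(rel)
        return report


def demo():
    """Run a hypothetical untrusted program through a COW view of a
    constructed sample tree; return (diff report, base still intact)."""
    base = Path(tempfile.mkdtemp(prefix="cow_base_"))
    overlay = Path(tempfile.mkdtemp(prefix="cow_overlay_"))
    try:
        (base / "config.txt").write_bytes(b"debug=0\n")   # constructed sample
        (base / "notes.txt").write_bytes(b"keep me\n")    # constructed sample
        view = CowView(base, overlay)

        # The untrusted program only ever holds 'view', never 'base'.
        view.write("config.txt", b"debug=1\n")      # tamper with a setting
        view.write("dropper.sh", b"#!/bin/sh\n")    # plant a new file
        view.delete("notes.txt")                    # destroy user data
        try:
            view.write("../escape", b"x")           # try to leave the subtree
        except ValueError:
            pass

        report = view.diff()
        base_intact = (
            (base / "config.txt").read_bytes() == b"debug=0\n"
            and (base / "notes.txt").read_bytes() == b"keep me\n"
            and not (base / "dropper.sh").exists()
        )
        return report, base_intact
    finally:
        shutil.rmtree(base)
        shutil.rmtree(overlay)


if __name__ == "__main__":
    print(demo())
```

The diff is the "quantifying the damage" step: after the program has run, `added`, `modified` and `deleted` list exactly what it would have changed had it held real write access to the base. Discarding the overlay undoes all of it; copying the overlay back over the base (minus the whiteouts) commits it, which is the decision the user makes after inspecting the report.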