[cap-talk] Reducing Ambient user authority in a Type Safe/Memory Safe OS.
Ben Kloosterman
bklooste at gmail.com
Sun Dec 20 22:56:40 PST 2009
>>
>> Only with extremely bad code .. This is a specific API specifying a
>file to open ( for RW we are a word document here) .
>>
>> I would imagine the code being very similar to
>>
>> ProcessRequest ( FileCapability fileToEdit) {
>[...]
>> if ( fileToEdit.Rights != FileRights.RW)
>> {
>> var result = KeyStore.FindUpgradeCapability( fileToEdit) //
>trusted
>> code that ensures capability is the same type (FileCapability) and
>> refers to same file/inode
>
>What process is this code in, and why does it have the authority to
>amplify any FileCapability to r/w (i.e. where did it get KeyStore from)?
The code is in a trusted system library but it runs in the programs address space ( really object space) , the only way to save , load or retrieve capabilities is via this lib , it is likely that this lib will save the capability in a special file or disk region (and not pass on the capability to this file /region to any caller) . Bit like the way a GC is a trusted lib in a type safe system that lives in your address space if you can crack it you crack the sand box but the API exposed tends to be very limited.
More information about the cap-talk
mailing list