[cap-talk] "ACLs don't" paper rejected from Oakland 09
Toby Murray
toby.murray at comlab.ox.ac.uk
Tue Feb 3 08:47:22 CST 2009
On Tue, 2009-02-03 at 13:18 +0000, David-Sarah Hopwood wrote:
> Toby Murray wrote:
> > On Mon, 2009-02-02 at 17:10 +0000, David-Sarah Hopwood wrote:
> >> Toby Murray wrote:
> >>> All equivalence claims between caps and ACLs are about expressible
> >>> static configurations of permissions. In this case, they *are*
> >>> equivalent -- both can express the same static configurations of
> >>> permissions.
> >> This is false, because in the capability case, the access matrix is
> >> not an abstraction of all relevant protection state. In a capability
> >> system, it matters (to the results of access decisions, and therefore
> >> to the ability to resist classes of attack) which capabilities are stored
> >> in which variables. This information is not present in the access matrix.
> >
> > Who says a cap system has variables in which caps can be stored? (In
> > this case it wouldn't be an object-cap system but that wouldn't stop it
> > from being a cap system.)
>
> In any capability system, capabilities can be independently designated,
> regardless of whether the system is type-partitioned or whether it is
> an object-capability system.
Iguana and Mungi are counter-examples to this claim. See
http://archives.devshed.com/forums/development-94/pola-and-mungi-iguana-style-apis-520706.html
As MarkM has often said, the object-cap model was specifically created
to rule out such systems because we need to be able to designate
individual caps to avoid confused deputies etc.
This doesn't stop them being cap systems, unless you want to narrow the
definition of a cap system as well.
Cheers
Toby
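The designation point in the message above, as an added toy model (this is illustrative code, not from the message and not the real Iguana or Mungi APIs). The "ambient" class is an assumed simplification of a system where the kernel searches a subject's whole capability list rather than letting the caller say which cap it means to use; the "designated" class is the object-capability style in which the caller passes exactly one cap. The compile-service deputy, the object names and the "mint" registry are all made up for the example.

```python
"""Toy protection models: implicit capability lookup vs. explicit designation.
Added illustration; the AmbientSystem is an assumed simplification of the
Iguana/Mungi style named in the message, not their actual interfaces."""


class AccessDenied(Exception):
    """Raised when an access decision fails."""


class Cap:
    """A capability: designates one object and the rights held on it.
    Plain class with identity-based equality, so a system can tell the caps
    it minted from lookalikes constructed elsewhere."""
    __slots__ = ("obj", "rights")

    def __init__(self, obj, rights):
        self.obj = obj
        self.rights = frozenset(rights)


class AmbientSystem:
    """Implicit lookup (assumption): the subject names an object and the kernel
    searches the subject's whole clist for any cap permitting the operation.
    Which cap is used, and where it came from, never enters the decision."""

    def __init__(self):
        self.objects = {}

    def write(self, clist, obj, value):
        if not any(c.obj == obj and "write" in c.rights for c in clist):
            raise AccessDenied(obj)
        self.objects.setdefault(obj, []).append(value)


class DesignatedSystem:
    """Object-capability style: the caller passes the single cap it means to
    exercise, and the access decision looks at that cap alone."""

    def __init__(self):
        self.objects = {}
        self._minted = set()

    def mint(self, obj, rights):
        cap = Cap(obj, rights)
        self._minted.add(cap)
        return cap

    def write(self, cap, value):
        if cap not in self._minted or "write" not in cap.rights:
            raise AccessDenied(cap.obj)
        self.objects.setdefault(cap.obj, []).append(value)


def ambient_deputy(system, deputy_clist, client_output_name):
    """Hypothetical compile service: writes its result where the client asks,
    then records a charge in its own billing log. Under implicit lookup the
    client's request is checked against the deputy's clist, so the client can
    name any object the deputy happens to be able to write."""
    system.write(deputy_clist, client_output_name, "compiled output")
    system.write(deputy_clist, "billing.log", "charge client")


def designated_deputy(system, billing_cap, client_output_cap):
    """Same service under designation: the client hands over the cap for the
    destination, and the deputy exercises its billing cap only where intended."""
    system.write(client_output_cap, "compiled output")
    system.write(billing_cap, "charge client")


def ambient_scenario():
    """Confused deputy: the client cannot write billing.log itself, but gets
    the deputy to do so merely by naming the object."""
    sys_ = AmbientSystem()
    deputy_clist = [Cap("out/client", {"write"}), Cap("billing.log", {"write"})]
    client_clist = [Cap("out/client", {"write"})]  # no cap for billing.log
    try:
        sys_.write(client_clist, "billing.log", "direct tamper")
        client_direct_denied = False
    except AccessDenied:
        client_direct_denied = True
    ambient_deputy(sys_, deputy_clist, "billing.log")
    return {"client_direct_denied": client_direct_denied,
            "billing_log": sys_.objects["billing.log"]}


def designated_scenario():
    """With designation the client can only pass caps it holds; a lookalike
    Cap for billing.log built outside mint() is rejected."""
    sys_ = DesignatedSystem()
    billing = sys_.mint("billing.log", {"write"})
    client_out = sys_.mint("out/client", {"write"})
    designated_deputy(sys_, billing, client_out)  # honest request
    forged = Cap("billing.log", {"write"})        # not minted by sys_
    try:
        designated_deputy(sys_, billing, forged)
        forged_accepted = True
    except AccessDenied:
        forged_accepted = False
    return {"forged_accepted": forged_accepted,
            "billing_log": sys_.objects["billing.log"],
            "client_out": sys_.objects["out/client"]}


if __name__ == "__main__":
    print(ambient_scenario())
    print(designated_scenario())
```

Both systems express the same static access matrix (the deputy may write both objects, the client only its own output), which is the equivalence Toby refers to; the difference that matters for the confused deputy is whether the access decision is driven by a cap the caller designates or by whatever the subject's clist happens to contain.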