[cap-talk] What sustained interest in capabilities

Steve Witham sw at tiac.net
Wed Jan 7 22:17:12 EST 2009

>From: David-Sarah Hopwood <david.hopwood at industrial-designers.co.uk>
>From: Mitsu Hadeishi <mitsu at syntheticzero.com>

One way of thinking of Mitsu's idea is as a sandbox around the capability-
secure stuff (actually a metabox that sub-encapsulates all the
objects inside).

You would write the bulk of your software for this CS environment.
The assumption is you write it in a CS style, even though you could
emulate the problems of any kind of system in there.

Compared to other ways of giving users access to (say) files
and a MySQL database, through a middle layer of server-side
software you're going to write, this at least lets the middle
layer be more secure amongst itself, and lets you reduce the variety
of ways it gets to the SQL server, filesystem and OS.

If you didn't take other steps, many of which other system architects
and server administrators ought to take too, you might well undermine
any benefits of this tricky arrangement.

It's not a layer of security added around or in the middle of an
existing complex system, but an isolated place to put your
new stuff (which you have to write in a better way) allowing the
underlying system (and hopefully less of it) to be used in a less
complex and variable way.

It reminds me of an E vat, in this case talking to some
software, files and OS services outside itself, still with their
vulnerabilities but hopefully fewer of them exposed.

So this layer can't "add security" to existing systems, but the
idea adds a way to create more secure systems.


More information about the cap-talk mailing list