[cap-talk] Concerning entry "ambient authority" in Wikipedia

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Tue Jun 9 07:25:21 EDT 2009


David-Sarah Hopwood wrote:
> Marcus Brinkmann wrote:
>> Mark Miller wrote:
>>> I would define an ambient authority system as one in which "If a
>>> requesting entity requests an action that it is permitted to perform,
>>> then the action is allowed." By contrast to a designated authority
>>> system, in which "If a requesting entity requests an action that is
>>> permitted by the subset of its permissions that it explicitly brings
>>> to bear on the action, then the action is allowed." This formulation
>>> also has the right paradoxical sense -- one can see why it was so easy
>>> to think that ambient authority was a sensible architecture.
>> I think that what is missing from this picture is how finely permissions can
>> be described in the given system.  For example, I don't see any reason why a
>> traditional Unix kernel can not be interpreted under an object-capability
>> glasses, as the object-capability model does not require that separable
>> interfaces are actually separated.
> 
> A traditional Unix kernel grants significant authorities -- for example,
> the ability to read world-readable files -- to all [*] processes, so it is
> definitively not an object-capability system.

So an object-capability system with capabilities that are widely held is not
an object-capability system?  That I can formulate the question this way
already seems to preclude the answer in my favor.

A close analysis will reveal that the situation is not so simple.  For
example, the Wikipedia page "Object-capability_model" cites Java global
variables as a different way to access resources.  But in a capability system,
memory load/store instructions are *modeled* as messages to memory pages that
are part of the process's page table, where the relevant capabilities are
named implicitly through the architecture's process model.  And in fact, the
hardware's page table is just an optimized implementation of those
capabilities (the seL4 specification makes this correlation very explicit, to
the point where there is a 1:1 correspondence between software capabilities to
memory pages and entries in the hardware page table).

You can take an easy way out and just consider the Unix kernel to be a
degenerate case of no special interest.  That's a high-level view on what's
going on, but it requires that you gloss over many details of the actual
execution of programs on real machines that are relevant once more
sophisticated machine models come into force (hardware virtualization etc.).

This raises the following question: Is there ambient authority that every
ia-64 process has, regardless of which operating system/software environment
it runs in?  This is analogous to the question: Is the ia-64 architecture fully
virtualizable?  A related question: is the blue pill malware possible?  These
questions are far from trivial, and hotly debated.

However, all these questions disappear once you add further requirements.  For
example, if you use as a guideline the degree by which separable interfaces
are separated, then Unix is clearly at one end of the spectrum and EROS at the
other.

Thanks,
Marcus
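The two definitions Mark Miller is quoted with at the top of this message, and David-Sarah Hopwood's world-readable-files example, modelled as a small toy in Python. This is an added illustration, not code from the list or from Unix, EROS or seL4; the class and function names (`Perm`, `Process`, `ambient_allowed`, `designated_allowed`, `world_readable_unix`) and the sample paths and modes are all constructed for the example.

```python
"""Toy model of 'ambient' versus 'designated' authority.

Ambient: an action is allowed if the requester's FULL set of permissions
contains it; only the requester's identity and the action are consulted.
Designated: the requester must name the subset of its permissions it brings
to bear, and only that subset is consulted.  Everything below is constructed
for illustration (assumed names, assumed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    """One permission: an operation on a named resource."""
    op: str
    resource: str


@dataclass
class Process:
    """A requesting entity together with every permission it holds."""
    name: str
    perms: frozenset


def ambient_allowed(proc: Process, action: Perm) -> bool:
    """'If a requesting entity requests an action that it is permitted to
    perform, then the action is allowed.'  Nothing is designated: whatever
    the process happens to hold is in play for every request."""
    return action in proc.perms


def designated_allowed(proc: Process, presented: frozenset, action: Perm) -> bool:
    """'If a requesting entity requests an action that is permitted by the
    subset of its permissions that it explicitly brings to bear on the
    action, then the action is allowed.'  The process may not present
    authority it never held, and authority it holds but does not present
    plays no part in the decision."""
    if not presented <= proc.perms:
        return False  # presenting a permission the process does not hold
    return action in presented


def world_readable_unix(files: dict, uids: list) -> dict:
    """The Unix case from the thread: the kernel compares the caller's uid
    against the file's owner and mode bits.  Every process can read any
    world-readable file simply by naming its path; no permission is ever
    designated, so the authority is ambient.  files maps path -> (owner, mode)."""
    result = {}
    for uid in uids:
        readable = [
            path for path, (owner, mode) in files.items()
            if owner == uid or mode & 0o004  # 'other' read bit set
        ]
        result[uid] = sorted(readable)
    return result


def compare(proc: Process, presented: frozenset, action: Perm) -> dict:
    """Same request evaluated under both definitions."""
    return {"ambient": ambient_allowed(proc, action),
            "designated": designated_allowed(proc, presented, action)}


# Constructed sample: a service process that holds read permission on a
# public report and on its own key file.
READ_REPORT = Perm("read", "/srv/public/report.txt")
READ_KEY = Perm("read", "/home/service/service.key")
SERVICE = Process("service", frozenset({READ_REPORT, READ_KEY}))


def demo() -> dict:
    """The service presents only READ_REPORT for each request.  Under the
    ambient definition it can still read the key file, because the check
    looks at everything it holds; under the designated definition it cannot."""
    only_report = frozenset({READ_REPORT})
    not_held = Perm("read", "/var/not-held")
    return {
        "report": compare(SERVICE, only_report, READ_REPORT),
        "key": compare(SERVICE, only_report, READ_KEY),
        "forged": designated_allowed(SERVICE, frozenset({not_held}), not_held),
        "unix": world_readable_unix(
            {"/etc/motd": ("root", 0o644), "/root/notes": ("root", 0o600)},
            ["root", "alice"]),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The `key` entry is the whole difference between the two formulations: the same process, holding the same permissions, is allowed the read under the ambient rule and refused it under the designated rule, because it did not bring that permission to bear. The `unix` entry shows why the thread treats world-readable files as ambient authority: `alice` reads `/etc/motd` without holding or presenting anything, purely by naming the path.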