[cap-talk] Concerning entry "ambient authority" in Wikipedia

Mark Miller erights at gmail.com
Wed Jun 10 14:27:07 EDT 2009


On Wed, Jun 10, 2009 at 11:15 AM, Marcus Brinkmann <marcus.brinkmann at ruhr-uni-bochum.de> wrote:

> Mark Miller wrote:
> > The crucial concept left out of these earlier expressions is "Loader
> > Isolation", explained in Section 10.3 of my thesis. My apologies again for
> > how badly Chapter 10 is written. I hope someone will someday attempt a more
> > coherent restatement.
>
> OTOH, playing devil's advocate here, I don't think the line that separates
> safe from unsafe operations is completely clear.  There seems to be near
> universal consensus (including me) that side-effect-free calculation is
> generally safe.  But there is at least one cautionary tale from the real
> world, where additional restrictions are desirable, namely packet filtering in
> a network stack, where we need to solve the halting problem (and more) on user
> supplied code (so we can't allow use of the complete CPU instruction set).


I am also unclear on whether this is a counter-example, since it is only
unsafe regarding availability.


> Of course, there are other tools we have at our disposal beside capability
> theory to solve this particular issue.
>

Exactly. Including extended capability theories to cover additional threats.
For example, the KeyKOS family use capabilities to represent ownership and
transfer of rights to use computational resources like memory and time. In
your example on a KeyKOS-like model, the packet filter would be halted, so
to speak, when its meter ran out. But this is again beyond the ocap model by
itself.

-- 
Text by me above is hereby placed in the public domain

   Cheers,
   --MarkM
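The two safety tools this exchange contrasts, a restricted instruction set that lets a packet filter be checked for termination before it runs, and a KeyKOS-style meter that halts it when its budget is spent, as an added example that is not part of the thread. The toy bytecode, its opcodes and the packet bytes are constructed for illustration.

```python
# Added illustration, not code from the cap-talk thread. A toy filter
# bytecode with three opcodes (constructed for this example):
#   ("LDB", offset)              load packet byte at offset into acc (0 if short)
#   ("JEQ", value, t_true, t_false)  jump to t_true if acc == value else t_false
#   ("RET", accept)              finish with the verdict
OPS = {"LDB", "JEQ", "RET"}

class FilterRejected(Exception):
    pass

def verify(prog):
    """Static check (the 'restricted instruction set' approach): only known
    ops, every jump strictly forward and in range, program ends in RET.
    With no backward jumps a run can visit each instruction at most once,
    so termination is guaranteed without solving the halting problem."""
    for pc, ins in enumerate(prog):
        if ins[0] not in OPS:
            raise FilterRejected(f"pc {pc}: unknown op {ins[0]!r}")
        if ins[0] == "JEQ":
            for target in ins[2:]:
                if target <= pc or target >= len(prog):
                    raise FilterRejected(f"pc {pc}: jump to {target} is backward or out of range")
    if not prog or prog[-1][0] != "RET":
        raise FilterRejected("program does not end in RET")
    return True

def run(prog, packet, meter):
    """Dynamic check (the KeyKOS-style meter): each instruction costs one
    unit; the filter is halted when the meter runs out, even if it loops."""
    acc, pc = 0, 0
    while True:
        if meter <= 0:
            raise FilterRejected("meter exhausted")
        meter -= 1
        ins = prog[pc]
        if ins[0] == "LDB":
            acc, pc = (packet[ins[1]] if ins[1] < len(packet) else 0), pc + 1
        elif ins[0] == "JEQ":
            pc = ins[2] if acc == ins[1] else ins[3]
        else:  # RET
            return ins[1]

def is_safe(prog):
    try:
        return verify(prog)
    except FilterRejected:
        return False

def run_metered(prog, packet, meter):
    try:
        return run(prog, packet, meter)
    except FilterRejected:
        return None  # halted by the meter

# Constructed sample programs and packets.
ACCEPT_IPV4_TCP = [("LDB", 0), ("JEQ", 0x45, 2, 5),   # IPv4, IHL 5
                   ("LDB", 9), ("JEQ", 6, 4, 5),      # protocol 6 = TCP
                   ("RET", True), ("RET", False)]
LOOPING = [("LDB", 9), ("JEQ", 6, 0, 2), ("RET", False)]  # backward jump on TCP
IPV4_TCP = bytes([0x45, 0, 0, 0x28, 0, 0, 0x40, 0, 64, 6]) + bytes(10)
IPV4_UDP = bytes([0x45, 0, 0, 0x28, 0, 0, 0x40, 0, 64, 17]) + bytes(10)
```

`verify` rejects `LOOPING` up front, while `run_metered` still bounds it at run time; the two mechanisms are independent and both sit outside the pure ocap model, as the message notes.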