[cap-talk] Minimal capability EROS processes

Bill Frantz frantz at pwpconsult.com
Thu Jun 11 02:40:52 EDT 2009


In the thread: Re: [cap-talk] Concerning entry "ambient authority" in Wikipedia, marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Wednesday, June 10, 2009 wrote:

>Furthermore, undeniable capabilities are an integral part of the constructor
>design in EROS.  The constructor provides the starting process B with an
>undeniable bag of capabilities.  There is a mechanism to decide if this set of
>undeniable capabilities are safe, but the policy is hard coded in the
>constructor (and partly in the system) design.  It's not mandatory to use the
>constructor, and if you create your own subprocesses then of course you can
>deny any capabilities, but use of the constructor is strongly encouraged in
>EROS.

There are two notions of "having" for the most basic capabilities used by
EROS processes. The process can either "have use of a capability", or "have
the ability to manipulate a capability". Any process which has a process
key to itself has its capabilities in both senses.

From the point of view of minimal capability processes, consider processes
which have all their key registers set to contain the NIL key at entry.
(This state is trivially created by a routine that runs before the "main"
procedure is started.) They obviously don't have a process key to
themselves. While they usually have use of a schedule capability, they can
not invoke it, or pass it to another process. They might have use of a
space bank through a facility that handles memory faults by allocating
pages and installing them in the process's address space, but they can't
allocate space themselves, or pass the space bank to another process.

It turns out that processes like these can actually be useful. Supervisor
call instructions, or calls to special addresses can be made to enter the
process keeper, which can do OS-like things and implement the functions of
a traditional OS. When you adopt this architecture, you should keep track
of the authorities, and not just the capabilities.

Processes which don't have use of a schedule capability can't run, are
"mostly harmless", and are usually created due to a bug. Processes that can
run, but can't address memory call their process keeper quickly and so have
similar characteristics.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"We used to quip that "password" is the most common
408-356-8506       | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier
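To make the two senses of "having" in the message above concrete, here is an added toy model in Python (example code written for this page, not EROS code and not from the post): a process whose key registers are all NIL can be runnable and have pages installed by its keeper, yet cannot invoke or pass any capability. The class names, the 16-register size, and the space-bank interface are assumptions of the model.

```python
from dataclasses import dataclass, field
NIL = None  # constructed stand-in for the NIL key: it conveys no authority at all

@dataclass
class SpaceBank:
    """Toy space bank handing out page numbers (an assumption, not the EROS interface)."""
    next_page: int = 0

    def allocate(self) -> int:
        self.next_page += 1
        return self.next_page - 1

@dataclass
class Process:
    """A process with 16 key registers, all NIL at entry (the minimal case in the post)."""
    keys: list = field(default_factory=lambda: [NIL] * 16)
    pages: dict = field(default_factory=dict)  # address -> page, installed by the keeper
    schedule: object = None  # kernel-held: the process has *use* of it, never the key itself

    def invoke(self, reg: int):
        """Invoke the key in a register; a NIL key is not invocable."""
        if self.keys[reg] is NIL:
            raise PermissionError(f"register {reg} holds NIL")
        return self.keys[reg]

    def send_key(self, reg: int, other: "Process", other_reg: int) -> None:
        other.keys[other_reg] = self.invoke(reg)  # only a key we hold can be passed on

@dataclass
class ProcessKeeper:
    """Holds the space bank on the process's behalf and services its memory faults."""
    bank: SpaceBank

    def handle_fault(self, proc: Process, addr: int) -> int:
        if addr not in proc.pages:  # allocate and install; the process never sees the bank key
            proc.pages[addr] = self.bank.allocate()
        return proc.pages[addr]

def run_demo() -> dict:
    bank, other = SpaceBank(), Process()
    proc = Process(schedule="schedule-key")  # runnable, yet cannot invoke or pass that key
    page = ProcessKeeper(bank).handle_fault(proc, 0x1000)  # memory arrives via the keeper
    try:
        proc.send_key(0, other, 0)  # try to hand register 0 to another process
        passed = True
    except PermissionError:
        passed = False
    return {"runnable": proc.schedule is not None, "page": page, "passed_a_key": passed,
            "invocable_regs": sum(k is not NIL for k in proc.keys),
            "other_still_nil": all(k is NIL for k in other.keys)}
```

Tracking the authorities rather than the keys, as the message recommends, means noting that `proc` can consume pages (through the keeper) and CPU time (through the kernel-held schedule key) even though every register it can reach is NIL.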