[cap-talk] "ambient authority" on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Mon Jun 15 19:38:39 EDT 2009


Toby Murray wrote:
> On Mon, 2009-06-15 at 19:55 +0100, David-Sarah Hopwood wrote:
>> Karp, Alan H wrote:
>>> David-Sarah Hopwood wrote:
>>>> The dereference of the static variable represents use of ambient authority.
>>>
>>> No it doesn't.  The object is referenced explicitly.
>>
>> The object is dereferenced by name, from a global namespace (assuming
>> we are considering global static variables), without specifying any
>> additional permission that grants the authority to dereference this
>> variable.
>>
>> There is no essential difference between this and the fopen+fread example:
>> in both cases you have an ambient dereferencing operation, followed by a
>> non-ambient use of the obtained reference.
> 
> But the authority used in the initial dereference is not ambient.
> Whatever the name refers to you have the permission to access.
> I agree with Alan. I'd see an "import <module>" as an ambient operation,
> sure, but global variables are simply capabilities available in every
> scope (like E's SafeScope or GlobalScope or whatever).

E's SafeScope *is* ambient authority. It's just ambient authority to
things that are intended to be safe.

Note that variables that are called "global" are not necessarily
system-global. The larger the scope, the greater the hazard due to
ambient authority. When variables are scoped to fine-grained subjects
(such as objects or functions), then we don't call that ambient authority.
If the system is purported to be able to support subjects of a given
grain, but has variables scoped to a larger grain, then it will have
ambient authority hazards whenever a subject accesses a variable
with larger scope than itself.

[That is poorly explained, but we're on a flight to San Francisco
tomorrow morning :-), so we don't have time to fix the explanation
now :-( ]

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
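
An added illustration of the scoping point in the message above; it is not part of the original post and not code from any participant. Assuming a Python function as the subject grain, it lists the names each function dereferences from module or builtin scope, that is, variables scoped wider than the subject. The sample source and every name in it are constructed.

```python
import symtable

# Constructed sample (parsed only, never executed): a module-level "static"
# variable, a function that dereferences it by name, a function that is
# handed the same kind of object explicitly, and a closure.
SAMPLE = '''
import os
AUDIT_LOG = open(os.devnull, "a")

def record_ambient(msg):
    AUDIT_LOG.write(msg)

def record_explicit(log, msg):
    log.write(msg)

def make_counter():
    count = 0
    def bump():
        nonlocal count
        count += 1
        return len(str(count))
    return bump
'''

def wider_scope_names(source):
    """Map each function to the names it resolves at module or builtin scope.

    Parameters, locals and closure variables are scoped at or near the
    function's own grain and are not reported.
    """
    report = {}

    def walk(table, prefix):
        for child in table.get_children():
            name = prefix + child.get_name()
            if child.get_type() == "function":
                report[name] = sorted(
                    sym.get_name() for sym in child.get_symbols()
                    if sym.is_global() and sym.is_referenced()
                )
            walk(child, name + ".")  # descend into nested functions

    walk(symtable.symtable(source, "<sample>", "exec"), "")
    return report

if __name__ == "__main__":
    for func, names in wider_scope_names(SAMPLE).items():
        print(f"{func}: {names}")
```

The builtins reported for `bump` (`len`, `str`) are the Python counterpart of a scope that is available everywhere but intended to hold only safe things.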


