[cap-talk] "ambient authority" on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Mon Jun 15 19:57:15 EDT 2009


Karp, Alan H wrote:
> David-Sarah Hopwood wrote:
> 
>>>> The dereference of the static variable represents use of ambient authority.
>>>>
>>> No it doesn't.  The object is referenced explicitly.
>>>
>> The object is dereferenced by name, from a global namespace (assuming
>> we are considering global static variables), without specifying any
>> additional permission that grants the authority to dereference this
>> variable.
>
> Normally, holding a reference to an object allows you to invoke any method
> of the object.

The subject in the static variable example didn't "hold" the reference,
strictly speaking. It accessed it from a scope larger than itself, and
that access was ambient.

> Are you saying that there is some external mechanism that decides which
> methods the requesting object has permission to invoke?

No, that wasn't my point.

> The object is dereferenced by a lambda name, e.g., a program variable.

"filename" in the fopen example is also a lambda name in that sense.
That it is not a variable in the programming language sense is an
implementation detail.

As another example: C-list indexes are variables. If there were well-known
C-list indices that always pointed to the same shared object across
processes, then those would provide ambient authority.

>> There is no essential difference between this and the fopen+fread example:
>> in both cases you have an ambient dereferencing operation, followed by a
>> non-ambient use of the obtained reference.
>>
> The difference is that the static variable is a reference to an object
> within the running program.

If there is no claim to be able to support protection domains finer-grained
than a program, then the access is not ambient at that granularity.
Of course this size of protection domain (or subject) may be insufficiently
fine to support POLA. The context was a programming language that was
(I assumed) being analysed with respect to its ability to support
protection between objects, without ambient authority hazards.

> The fopen/fread example refers to resources outside the program, specifically
> files, and an interaction with the operating system.

There is nothing special about the program level of granularity; the
ambient authority concept can be applied at any grain.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
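An added illustration of the "ambient dereference, then non-ambient use" pattern argued in this message (example code, not from the thread or either author): the static-variable case and the fopen-style name lookup side by side with a capability-style function, plus a small static check that reports which module globals a function body reaches by name. All names (Resource, SHARED_CONFIG, NAMESPACE, ambient_reaches) are constructed for this example.

```python
import inspect
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Resource:
    """A constructed stand-in for a file or other protected object."""
    name: str
    reads: int = 0

    def read(self) -> str:
        # Using an already-held reference is the non-ambient step.
        self.reads += 1
        return f"contents of {self.name}"

# Two scopes "larger than the subject": a module-global static variable and a
# name -> object table standing in for the OS file namespace (constructed).
SHARED_CONFIG = Resource("shared-config")
NAMESPACE: Dict[str, Resource] = {"/etc/app.conf": Resource("/etc/app.conf")}

def ambient_via_global() -> str:
    # The static-variable case: the subject reaches a global by name with no
    # permission handed to it, then uses what it found.
    return SHARED_CONFIG.read()

def ambient_via_name(filename: str) -> str:
    # The fopen+fread case: resolve a name in a shared namespace (ambient
    # dereference), then use the obtained reference (non-ambient use).
    handle = NAMESPACE[filename]
    return handle.read()

def capability_style(handle: Resource) -> str:
    # The subject can only use what it was explicitly given; no name lookup.
    return handle.read()

def ambient_reaches(fn: Callable) -> List[str]:
    """Names a function body resolves in its module globals, other than
    classes, functions and modules: a cheap static check for ambient access."""
    g = fn.__globals__
    return sorted(
        n for n in fn.__code__.co_names
        if n in g and not (inspect.isclass(g[n]) or inspect.isroutine(g[n])
                           or inspect.ismodule(g[n]))
    )
```

The check only sees direct global references, so a reference smuggled through a helper function would need the helper audited too.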
