[cap-talk] "ambient authority" on wiki.erights.org

Karp, Alan H alan.karp at hp.com
Wed Jun 17 12:58:02 EDT 2009


Sam Mason wrote:
> >
> > But the authority used in the initial dereference is not ambient.
> > Whatever the name refers to you have the permission to access.
> 
> I don't think this is a useful distinction; the thing of interest seems
> to be your frame of reference.  If you have trusted and untrusted
> modules within a single process then you need to be sure that global
> variables convey no authority.  
>
An ambient authority is one that gets exercised without being explicitly designated.  Global variables that convey authority can only be invoked by designating them.  Hence, they may represent a security vulnerability, but they aren't ambient authorities.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
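As an added illustration of the distinction Karp draws (example code, not from the cap-talk thread or any project discussed in it), the constructed Python below runs untrusted code in a frame with no builtins: in the ambient case the helper closes over the process's own `open()`, so the untrusted code can read a path it was never handed; in the designated case it can read only the capability object it names, and stripping that name from its frame removes the authority. `ReadCap`, `run_untrusted` and the sample files are all assumptions for the demo.

```python
"""Constructed example (not code from the cap-talk thread) contrasting
ambient authority with authority that must be designated by name."""
import os
import tempfile

def make_sample_file(content: str) -> str:
    """Write a constructed sample file; return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path

class ReadCap:
    """Read-only file capability: holding the reference is the permission."""
    def __init__(self, path: str):
        self._f = open(path)          # authority is bound at creation
    def read(self) -> str:
        self._f.seek(0)
        return self._f.read()

def run_untrusted(src: str, names: dict) -> str:
    """Run `src` with exactly the names in `names` (hypothetical sandbox):
    no builtins, so no open() or import is reachable from the untrusted frame."""
    env = {"__builtins__": {}}
    env.update(names)
    try:
        exec(src, env)
    except NameError:
        return "denied"          # the name was never designated to it
    return env["result"]

def ambient_case(given: str, smuggled: str) -> str:
    # `read_file` closes over the process's open(): a path string only
    # designates, so the untrusted code can read a path it was NOT given.
    read_file = lambda p: open(p).read()
    src = f"result = read_file({smuggled!r})"   # ignores `target`
    return run_untrusted(src, {"read_file": read_file, "target": given})

def designated_case(cap: ReadCap) -> str:
    # The only authority present is the cap it was handed, reached by name.
    return run_untrusted("result = cap.read()", {"cap": cap})

def undesignated_case() -> str:
    # Same untrusted code, but `cap` is absent from its frame: no authority.
    return run_untrusted("result = cap.read()", {})
```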