[cap-talk] "ambient authority" on wiki.erights.org

Sandro Magi naasking at higherlogics.com
Wed Jun 17 13:14:01 EDT 2009


Karp, Alan H wrote:
> An ambient authority is one that gets exercised without being explicitly designated.  Global variables that convey authority can only be invoked by designating them.  Hence, they may represent a security vulnerability, but they aren't ambient authorities.

That depends on where you draw the line between "inside" and
"outside". That line seems fairly arbitrary, and to draw it at the
linker, which resolves global designators to objects in a program, but
not the OS, which resolves file path designators to files, seems very
arbitrary to me.

I agree with David-Sarah here: this distinction is not convincing, and
global variables are also ambient authorities, though not necessarily
harmful ones, i.e. the number 5, the immutable string "foo", etc.

Sandro
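An added illustration, not part of the thread, of the point argued above: a module-level global (resolved by the loader/linker) and a file path (resolved by the OS) are both designators the caller never hands over, so a caller that grants only an explicit object cannot confine code that reaches authority through either of them. `AppendLog`, `GLOBAL_LOG`, `SCRATCH_PATH` and the three plugins are constructed for this example.

```python
import os
import tempfile


class AppendLog:
    """Constructed resource: an append-only in-memory log."""

    def __init__(self):
        self.entries = []

    def append(self, msg):
        self.entries.append(msg)


# Authority reachable by name alone: the module loader resolves this
# designator, so any code that can import the module can exercise it.
GLOBAL_LOG = AppendLog()

# A file designator the OS resolves to authority over a real file.
SCRATCH_PATH = os.path.join(tempfile.gettempdir(), "captalk_ambient_demo.log")


def plugin_via_global(_granted, msg):
    GLOBAL_LOG.append(msg)          # ignores what the caller handed it


def plugin_via_path(_granted, msg):
    # The caller never passed the file; the plugin names it and the OS
    # turns the name into authority.
    with open(SCRATCH_PATH, "a") as fh:
        fh.write(msg + "\n")


def plugin_via_capability(granted, msg):
    granted.append(msg)             # only the explicitly designated object


def escapes_grant(plugin):
    """Run `plugin` with a fresh log as its only grant and report whether it
    affected anything else. True means the caller could not confine it."""
    granted = AppendLog()
    before_global = len(GLOBAL_LOG.entries)
    if os.path.exists(SCRATCH_PATH):
        os.remove(SCRATCH_PATH)
    plugin(granted, "hello")
    touched_global = len(GLOBAL_LOG.entries) != before_global
    touched_fs = os.path.exists(SCRATCH_PATH)
    if touched_fs:
        os.remove(SCRATCH_PATH)     # clean up the constructed scratch file
    return touched_global or touched_fs
```

Only the capability-passing plugin is confined by what the caller designates; the other two exercise authority the caller never granted.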


