[cap-talk] A Taxonomy of Current Object-Cap Systems

Rob Meijer capibara at xs4all.nl
Thu Mar 5 06:09:25 EST 2009

On Wed, March 4, 2009 12:21, Toby Murray wrote:
> Hi all,
> (apologies for cross-posting)
> I'm trying to put together a taxonomy of current object-capability
> systems. I'm hoping people can help fill in some of the many missing
> items in my list so far.
> The only criteria for inclusion is that there must be a working /
> prototype implementation for the system in existence right now -- i.e.
> it must be possible (even if very difficult) for /someone/ to write code
> for this system today. Notable omissions therefore include KeyKOS and
> (D)CCS (the first object-capability OSes) and Gedanken (the first
> object-capability language).
> The list omits caps-as-data systems in which objects can handle the bits
> of a cap-as-data directly, such as the E sturdyref part and Webkeys.
> Partitioned password-capability systems (like Annex) are, however,
> included.

I'm confused a bit about the difference.

> The current systems included in the taxonomy are:
> E
> Cajita (and other JavaScript subsets)
> Joe-E
> Emily
> CaPerl
> Sahara
> Coyotos
> seL4
> OKL4
> Annex (2008-09)
> If a systems is missing above that you think should be included, please
> let me know.

In the light of recent discussions possibly:

* Linux + AppArmor + UNIX domain sockets.

AppArmor can be used to remove ambient authority on Linux. UNIX domain
sockets can be used for IPC and can transfer other UNIX domain sockets.
I feel the combination of these two would qualify as a rudimentary object
capability system, that is however pretty wide spread (Ubuntu + Suse).
It is currently indeed possible but pretty hard to write code for this
system today.


More information about the cap-talk mailing list