[cap-talk] Cap OS question

Sandro Magi naasking at higherlogics.com
Fri Sep 4 16:41:31 PDT 2009


Mark Miller wrote:
> From looking at your slides again, I wonder if AppDomain is actually
> more like J-Kernel[1] than Joe-E. Do you have a sense of how AppDomain
> compares to J-Kernel?

Yes, the confinement is process based. AppDomains are a standard process
abstraction provided by the .NET CLR. The slides describe a trusted
kernel that runs all app code in AppDomains whose permissions are all
revoked via the CLR's Code Access Security (CAS -- declarative access
control via stack-inspection); these include permissions to open files,
sockets, perform reflection, etc. The kernel provides a tamed API that
may call out to a Powerbox to extract the necessary authority.

Unfortunately, CAS incurs quite a bit of overhead due to all the runtime
checking, so it would be far less efficient than bytecode verification.
I'll have to read up on the JVM limitations Joe-E ran into to see if
similar problems would occur on the CLR.

I can't in principle see why a Mono.Cecil verifier wouldn't work; the
Mono project has built quite a few bytecode verification tools, and
Microsoft's forthcoming CodeContracts library performs quite
sophisticated static analysis of bytecode-level pre/post conditions and
invariants.

Sandro
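
The confinement pattern described above, as an added example that is not code from Sandro's message or from the slides it refers to: a full-trust host creates an AppDomain whose grant set contains only the Execution permission, so a CAS stack walk triggered by file I/O inside that domain fails with a SecurityException. Assumes .NET Framework (2.0 through 4.x) on Windows; the file path is a constructed sample, and for real use the sandbox's ApplicationBase should point at a directory holding only the assemblies meant to run confined.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Code that is loaded into the restricted domain. It derives from
// MarshalByRefObject so the host can call it through a proxy across the
// AppDomain boundary instead of copying it back into the trusted domain.
public class Confined : MarshalByRefObject
{
    // File.ReadAllText demands FileIOPermission before opening the file; the
    // stack walk reaches this partial-trust frame and the demand is refused.
    public string TryReadFile(string path)
    {
        try
        {
            return File.ReadAllText(path);
        }
        catch (SecurityException e)
        {
            return "denied by CAS: " + e.Message;
        }
    }
}

public static class Host
{
    public static void Main()
    {
        // Start from an empty grant set and add only what is needed to run.
        // No FileIOPermission, SocketPermission or ReflectionPermission.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // Assumption: the sandbox resolves assemblies from the host's directory.
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        var evidence = new Evidence(); // no zone/site evidence; the grant set is explicit
        AppDomain sandbox = AppDomain.CreateDomain("sandbox", evidence, setup, grant);

        // Instantiate Confined inside the sandbox; the cast yields a remoting proxy.
        var confined = (Confined)sandbox.CreateInstanceAndUnwrap(
            typeof(Confined).Assembly.FullName, typeof(Confined).FullName);

        // Constructed sample path; the permission check fires before any open.
        Console.WriteLine(confined.TryReadFile(@"C:\example\secret.txt"));
        AppDomain.Unload(sandbox);
    }
}
```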