danfuzz at milk.com
Thu May 6 00:00:48 PDT 2010
On Wed, May 5, 2010 at 9:23 AM, Fred <phreed at gmail.com> wrote:
> My interest is related to developing a market of applications with
> a high degree of interaction between applications.
FWIW, Android already attempts to enable a high degree of interaction
between apps, via the loosely-coupled "intent" mechanism.
> However it seems that permissions are granted to applications not processes.
> That is every right granted to an application is available to every
> process in that application.
> This would imply that applications are the ocaps for android.
> Did I miss something?
That's about right, but there's at least one twist. It's more like
it's a private key that's the ocap: On Android, two applications that
were signed with the same private key are allowed to run in the same
process, so granting a permission to one is equivalent to granting a
permission to the other.
> I propose as a strawman the following constraints in a secure android market.
You seem to be implying that the existing Android market is
"insecure." To be clear, it might help for you to elucidate what you
mean by the term "secure android market."
I would say that the Android platform, in general, successfully
enforces a security model that is fairly tight, compared to its
popular contemporaries, and as such might already be reasonably
labeled "secure." That said, I am reluctant to label *anything* as
"secure" in an absolute sense.
Are you advocating (a) changing Android or forking it, to make
something that more closely idealizes / embodies capability security,
(b) implementing applications on Android using capability discipline,
or (c) something else?
I thought you were asking about (b) before, and that was the context
of my answer.
But it sounds now like you are talking about (a). At this point, I'm
sufficiently confused that I don't know how to coherently respond to
your questions / suggestions.
Just so you know my stance: I am keenly interested in the continued
development of object capability systems, but I work on Android
knowing full well that it is not a pure obj-cap system and that it is
not likely to transmogrify into one in the foreseeable future. As
such, I see discussions along the lines of (a) as very nearly purely
academic, whereas I see discussions along the lines of (b) as being
potentially quite fruitful in terms of short- to medium-term results.
More information about the cap-talk