[cap-talk] Implementing Capabilities in functional languages (esp type classes_
dmbarbour at gmail.com
Sat Apr 16 10:17:58 PDT 2011
On Sat, Apr 16, 2011 at 12:26 AM, Ben Kloosterman <bklooste at gmail.com>wrote:
> I would like to ask what is the best way to implement capabilities in a
> type class
based language which does not hide internals of data structures / records.
> Can we use the pair as Sandro indicated , if its not an "oCap" what are
Using the Pair<T,T->void> is a bad idea. Once you get two such pairs with
the same 'T' type in a subprogram, you can start crossing the streams and
get rights amplification. Unfortunately, the potential for this rights
amplification is not obvious to whomever is granting the pair.
> Can we define a type class for the cap and treat the type class as an
> interface ?
You can use something like:
(Cap c) => buildMain :: Args -> c () -- monadic c
(Cap' c) => buildProg :: c Args () -- arrow c
The monadic or arrow typeclasses provide the essential composition and
attenuation features. Any toplevel capabilities can be provided via Args. A
few reflective features might also be provided via Args (where 'reflect :: c
x -> Data') though I'd keep reflection minimal. I'm assuming that 'Cap c' is
simply shorthand for all the universally available typeclasses:
class (Monad c, HasVar c, HasSealerUnsealer c, etc.) => Cap c where
-- just a class collection
Assuming type-families you could do stuff like:
class (Monad m) => HasVar m where
type Var m :: * -> * -- type family
newVar :: a -> m (Var m a)
readVar :: Var m a -> m a
writeVar :: Var m a -> a -> m ()
But you can also do most such things in a pure capability manner:
-- return a reader/writer capability pair
class (Monad m) => HasVar m where
newVar :: a -> m (m a, a -> m ())
That said, something like 'HasSealerUnsealer' is vastly cleaner to model
using a type family.
class (Monad m) => HasSealerUnsealer m where
type Sealed m :: * -> * -- one could also add a 'Brand' phantom type here.
newSealerUnsealer :: m (a -> Sealed m a, Sealed m a -> Maybe a)
Anyhow, careful discipline would be important. While you can build a large
capability-secure program internally to 'buildMain', you would not be
assured of maintaining any real security with external composition (i.e.
when you start combining 'buildMain' with other functions) unless they are
constructed under the same (Cap c) restriction. And you'd want to be careful
about what features are granted to buildMain via 'Args' (where Args might be
a record or powerbox of capabilities). Also, I'd certainly exclude MonadIO
from 'Cap c' - any IO should be via the Args.
> Are we forced to create some TCB ( either a module or kernel) and access
> that via a capID ?
No. Well, not quite. You're already assuming a TCB: the type and typeclass
system. To the extent this TCB is violated (e.g. via unsafePerformIO or
divergence), your solution will be compromised. Still, it can be convenient
to structure programs in a capability-disciplined manner even if it isn't
> Should we only "secure" major components like resources or should it apply
> to most data / types/modules similar or oCaps .
You should certainly target any security-sensitive resources or
side-effects. Among those, securing non-termination, delay, synchronization,
and allocation can be interesting to tackle, though you'd need something
much more constrained than a Monad typeclass or even Hughes's Arrows; Adam
Megacz's Generalized Arrows should work.
Beyond that, it's up to you, really. I'd suggest taming your libraries,
minimizing use of ADTs (beyond a few for language features like Sealed
values), or explicitly modeling the ADTs you do need (using
sealers/unsealers rather than the type system). Explicitly modeling ADTs is
more expressive, secure, composable, and lowers risk of confused deputy
issues (since you need to explicitly unseal the ADT). If your type-system
isn't powerful enough to model sealed values and sealers/unsealers, though,
you'll have a lot of trouble expressing most of the richer security policies
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cap-talk