[cap-talk] Resource management on OCap systems

Jed Donnelley capability at webstart.com
Tue Jan 3 01:24:19 PST 2012


On 1/2/2012 4:39 AM, Rob Meijer wrote:
> On Mon, January 2, 2012 08:55, Jed Donnelley wrote:
>> On 12/28/2011 1:44 PM, Rob Meijer wrote:
>>> I have a gut feeling that the whole field of resource management should
>>> deserve a lot more 'least authority' attention than it has been getting.
>>>
>>> Rob
>> I don't know about resource management deserving 'a lot more' attention,
>> but I do think that some sort of a resource management model is needed for
>> any practical resource sharing system - and resource sharing is what
>> object/capabilities are about.
> Funny, in contrast, for me high integrity induced by the possibilities for
> reduction of shared resources that capability based systems enable is what
> its mostly about.

I don't think we disagree.  When I say "resource sharing is what
object/capabilities are about." of course I don't mean indiscriminate
resource sharing.  I mean POLA resource sharing with as fine grained and
effective control as possible.  It's of course always possible to make
systems "secure" by pulling the plug.  The challenge is to support resource
sharing in as fine-grained a POLA way as possible.

--Jed

<the rest is historical>
> I have a possibly unsubstantiated feeling that GC
> systems
> designed for the careless (non capability-discipline) sharing of resources
> may be overkill and might in its implementation thus very likely depend on
> the kind of shared resource usage that from a high integrity point of view
> one would want to avoid. You might even be able to further reduce the usage
> of shared resources by (at a language level) making (as I suggested in the
> blog post I referred to) 'sharing' in actor/reactor based systems
> something that requires more explicit annotations than 'giving'. That is,
> I suggested that it might be a good least authority design for a language
> that (in line with the old and deprecated C++ auto_ptr behavior) if Alice
> passes the 'Carol' capability that she has over to Bob, the capability
> that Alice holds will 'by default' get revoked. That is: If I pass a
> reference and want to keep using it myself after that, I should be
> 'explicit' about that fact. If I'm not, then there won't be a shared
> resource to worry about.
> If you were to combine this 'use giving over sharing by default' policy
> for a capability language/system with GC that is geared to the limited
> sharing model that this policy combined with capability discipline should
> yield, then I feel a 'least authority' GC or alternative resource
> management system for capability systems might indeed look very different
> from for example JVM based GC.
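The "giving over sharing by default" policy Rob sketches above can be shown concretely in Rust, whose ownership rules already encode it: passing a value moves it, so the giver's binding is gone unless the giver explicitly asks to keep a copy. The following is an added example written for this archive page; it is not code from the original thread or from any cap-talk project, and the names `Cap`, `Resource`, `Holder`, `share()` and the Alice/Bob/Carol scenario functions are invented for illustration.

```rust
use std::rc::Rc;

/// The resource a capability designates. Its `Drop` runs exactly when the
/// last holder lets go, so the unshared (give-only) case needs no tracing
/// garbage collector at all: release is deterministic.
struct Resource {
    name: String,
}

impl Drop for Resource {
    fn drop(&mut self) {
        println!("resource {} released", self.name);
    }
}

/// A capability. It is deliberately NOT `Clone`: handing it to another
/// function or actor moves it, and the type checker consumes the giver's
/// binding. Ending up with two live holders requires the explicit `share()`.
/// (Hypothetical type, not from any real capability system.)
pub struct Cap {
    res: Rc<Resource>,
}

impl Cap {
    pub fn new(name: &str) -> Cap {
        Cap { res: Rc::new(Resource { name: name.to_string() }) }
    }

    /// The explicit "I want to keep using this after I pass it" annotation.
    /// This is the only path that produces a shared resource.
    pub fn share(&self) -> Cap {
        Cap { res: Rc::clone(&self.res) }
    }

    /// Number of holders currently designating the resource.
    pub fn holders(&self) -> usize {
        Rc::strong_count(&self.res)
    }

    pub fn name(&self) -> &str {
        &self.res.name
    }
}

/// A party (Bob) that receives capabilities by value, i.e. by being given them.
pub struct Holder {
    caps: Vec<Cap>,
}

impl Holder {
    pub fn new() -> Holder {
        Holder { caps: Vec::new() }
    }

    /// Taking `Cap` by value means the sender no longer has it.
    pub fn receive(&mut self, cap: Cap) {
        self.caps.push(cap);
    }

    pub fn count(&self) -> usize {
        self.caps.len()
    }
}

/// Giving by default: Alice passes Carol to Bob and her own binding is gone.
/// Returns how many holders Bob's copy sees (exactly one: no sharing happened).
pub fn give_scenario() -> usize {
    let carol = Cap::new("carol");
    let mut bob = Holder::new();
    bob.receive(carol);
    // carol.name(); // error[E0382]: borrow of moved value: `carol`
    bob.caps[0].holders()
}

/// Explicit sharing: Alice keeps Carol by calling `share()` before giving.
/// Returns (holders while Bob is alive, holders after Bob is dropped).
pub fn share_scenario() -> (usize, usize) {
    let carol = Cap::new("carol");
    let mut bob = Holder::new();
    bob.receive(carol.share());
    let while_shared = carol.holders(); // Alice and Bob both hold it
    drop(bob); // Bob goes away; the reference count, not a GC, tracks it
    let after = carol.holders(); // back to Alice alone
    (while_shared, after)
}

fn main() {
    println!("give: holders = {}", give_scenario());
    let (shared, after) = share_scenario();
    println!("share: holders = {} then {}", shared, after);
    let c = Cap::new("demo");
    let mut bob = Holder::new();
    bob.receive(c.share());
    println!("{} held by {} (bob has {})", c.name(), c.holders(), bob.count());
}
```

The point of the example is the second scenario: the reference count that `share()` introduces is the "GC geared to the limited sharing model" Rob speculates about. Capabilities that are only ever given have a single owner and are released at a statically known point; only the explicitly annotated shares carry any run-time bookkeeping, and that bookkeeping is a counter rather than a heap tracer.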

