On Wed, Jun 10, 2009 at 5:50 AM, Marcus Brinkmann <span dir="ltr"><<a href="mailto:marcus.brinkmann@ruhr-uni-bochum.de">marcus.brinkmann@ruhr-uni-bochum.de</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><div class="im">> To quote the Wikipedia page:<br>
><br>
> "An address can be obtained by: 1. creation: creating a new object ...<br>
> 2. receiving a message ... *all* computation is performed following the<br>
> above rules."<br>
><br>
> If there are memory pages that aren't optional, they are received by<br>
> some means other than the above.<br>
<br>
</div></blockquote><div><br><br>EVERYONE, PLEASE STOP USING THE WIKIPEDIA PAGE AS AUTHORITATIVE! <br></div></div><br>The restatement of the ocap model on this page reproduces the mistakes of Paradigm Regained and the Actor locality laws. As I mentioned previously, I have tried to update the citation on this page to instead cite my thesis. But after this was anonymously reverted several times, I got tired of playing reversion wars. Please don't let my fatigue, or the comparatively greater energy of anonymous wikivandals, determine the authoritative definition of the object-capability model.<br>
<br>The crucial concept left out of these earlier expressions is "Loader Isolation", explained in Section 10.3 of my thesis. My apologies again for how badly Chapter 10 is written. I hope someone will someday attempt a more coherent restatement.<br>
<br><br>Part of Marcus' criticism is partially correct:<br><br>Section 10.3:<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
The E loader does honor a few magic names, but the associated values provide no <br>authority. In Figure 10.2, the loader calls need not actually include “E”, “throw”, “true”, <br>or “false”, as the loader will resolve these magic names to their well known values, none of<br>
which provide authority. Although this violates our model and should be fixed, it is mostly <br>harmless. The E loader also considers itself mostly harmless, and provides magic access to <br>itself.<br clear="all"></blockquote>
</blockquote><br>The key reason we allowed ourselves this cheat is the "none of which provide authority" qualifier. That's also why I used the term "authority bearing" in my earlier quote that Marcus is responding to:<br>
<br>> If authority bearing capabilities are necessarily widely held, i.e.,<br>
> if A loading and instantiating code B cannot deny such capabilities to<br>
> B, then you don't have an object-capability system.<br>
<br>5 is not authority bearing. Possessing a 5 does not allow the holder to cause any effects on the world outside itself. The last part of section 10.4 makes the connection between what capabilities (like 5) may be safely undeniable and Popek & Goldberg's earlier work explaining what kinds of instructions may safely be user-mode instructions without violating "full virtualizability".<br>
<br>Regarding 7 specifically, section 9.1 states:<br><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
We distinguish three kinds of primitive objects. <br>1. Data objects, such as the number 7. Access to these are knowledge limited rather <br>than permission limited. If Alice can figure out which integer she wants, whether 7 or <br>
your private key, she can have it. Data provides only information, not access. Because <br>data is immutable, we need not distinguish between a reference to data and the data <br>itself. (In an operating system context, we model user-mode compute instructions as <br>
data operations.) <br></blockquote></blockquote><br>I leave it as an exercise for the reader to figure out how to generalize this to cover 5 ;).<br><br>-- <br>Text by me above is hereby placed in the public domain<br><br>
Cheers,<br> --MarkM<br><br>