Split Capabilities: Making Capabilities Scale

Jonathan S. Shapiro shap@eros-os.org
Sat, 8 Jul 2000 20:39:08 -0400


> We have a
> counter example to the statement that most capabilities never need to be
> created.  Our e-speak Virtual File System must issue capabilities for each
> access right of each file it controls.  (Here's where wildcards are used.)
> While any client over any session may need only a few capabilities, over
> time a substantial fraction of the possibilities will end up being created,
> and each client may end up holding a substantial fraction of them

I suspect that what really happens is that over time, nearly every
capability will be generated and used for a brief period of time and then
permanently retired, never to be accessed again. In your design, I do not
see that it is easy to retire the access lists when all processes have
dropped their respective capabilities. This seems a potential source of
security issues.

I'm also struck by your comment that clients may hold a substantial fraction
of capabilities. Is this a carryover from the Brevix internals? In any
case, the violation of "least privilege" embedded in your statement is
self-evident, and to me that is a serious concern.

How do you ensure that when a capability is no longer needed it is dropped?


Jonathan
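An added illustration of the retirement concern raised in this message, not code from e-speak, Brevix or EROS: an issuer that hands out one capability per (file, right) and deletes the access-list entry as soon as the last holder drops it, so a retired token can never be checked successfully again. The `Issuer` class and its method names are hypothetical.

```python
"""Capability issuance with retirement when the last holder drops it."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Issuer:
    # access list: token -> (file, right); an entry exists only while held
    access: dict = field(default_factory=dict)
    # token -> set of client ids currently holding that capability
    holders: dict = field(default_factory=dict)

    def grant(self, client, file, right):
        """Issue (or share) the single capability for this (file, right)."""
        for tok, target in self.access.items():
            if target == (file, right):
                self.holders[tok].add(client)
                return tok
        tok = secrets.token_hex(8)  # unguessable token, constructed here
        self.access[tok] = (file, right)
        self.holders[tok] = {client}
        return tok

    def drop(self, client, tok):
        """Client gives up the capability; retire it when nobody holds it."""
        held = self.holders.get(tok)
        if held is None or client not in held:
            return False
        held.discard(client)
        if not held:
            # Last holder gone: remove the access-list entry so the token
            # cannot be replayed later by anything that still remembers it.
            del self.access[tok]
            del self.holders[tok]
        return True

    def check(self, tok, file, right):
        """Authorise only if the token is live and names this exact right."""
        return self.access.get(tok) == (file, right)

    def live_entries(self):
        return len(self.access)


def lifecycle_demo():
    """Two clients share one capability; it is retired after both drop it."""
    issuer = Issuer()
    t1 = issuer.grant("alice", "/data/report.txt", "read")
    t2 = issuer.grant("bob", "/data/report.txt", "read")
    after_first_drop = issuer.drop("alice", t1) and issuer.check(t1, "/data/report.txt", "read")
    issuer.drop("bob", t2)
    return t1 == t2, after_first_drop, issuer.check(t1, "/data/report.txt", "read"), issuer.live_entries()
```

Running `lifecycle_demo()` shows that the shared token stays valid while any holder remains and is refused once the last holder drops it.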