Split Capabilities: Making Capabilities Scale

Karp, Alan alan_karp@hp.com
Tue, 11 Jul 2000 17:50:07 -0700


> -----Original Message-----
> From: Mark S. Miller [mailto:markm@caplet.com]
> Sent: Sunday, July 09, 2000 10:24 AM
> To: Karp, Alan
> Cc: 'Norman Hardy'; 'e-lang@eros-os.org'
> Subject: RE: Split Capabilities: Making Capabilities Scale
> 
> 
> At 08:30 AM 7/6/00 , Karp, Alan wrote:
> >... the e-speak Protection Domain, an e-speak resource which defines the
> >part of the universe accessible to the user.  It contains the e-speak root
> >name frame, which defines the user's name space, and a mandatory key ring,
> >basically a set of capabilities that get presented on every request.  In
> >general, there are capabilities on this key ring that the user cannot
> >remove.  This latter feature enables us to enforce "negative permissions",
> >capabilities that deny access to certain resources.
> 
> If you indeed have a way to enforce negative permissions across a mutually
> mistrustful distributed system, I would be very impressed.  If the user has
> access to his own hardware, how is he prevented from removing the negative
> capabilities on his mandatory key ring?
> 
> 
>          Cheers,
>          --MarkM
> 

First of all, one e-speak machine cares not a hoot for resources on another
machine.  Hence, the negative capability is applied only on the machine
owning the resource.  Its presentation is enforced because all remote users
access local resources through a local proxy having a protection domain
controlled by the local system.  On the local system, we rely on separation
of address spaces.  If we don't have that, all bets are off.  The protection
domain and mandatory key ring are kept in the engine address space.

_________________________
Alan Karp
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
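The arrangement Karp describes above, as an added illustrative model (not e-speak's own code): the engine on the resource-owning machine holds the protection domains and their mandatory key rings, a remote caller is bound to a local proxy domain rather than presenting its own key ring, and a deny capability on the mandatory ring overrides any matching grant. Class and resource names are assumed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    resource: str
    deny: bool = False  # deny=True models a "negative permission"


class KeyRing:
    """Capabilities presented on every request. The mandatory part is
    fixed by the local system; the user may only drop optional entries."""

    def __init__(self, mandatory, optional=()):
        self._mandatory = frozenset(mandatory)
        self._optional = set(optional)

    def remove(self, cap):
        if cap in self._mandatory:
            raise PermissionError("mandatory capability cannot be removed")
        self._optional.discard(cap)

    def present(self):
        return self._mandatory | self._optional


class Engine:
    """Model of the resource-owning machine. Protection domains (and their
    key rings) live in the engine's address space, not with the caller."""

    def __init__(self):
        self.domains = {}  # principal -> KeyRing

    def register(self, principal, ring):
        self.domains[principal] = ring

    def check(self, principal, resource):
        ring = self.domains.get(principal)
        if ring is None:
            return False
        caps = ring.present()
        if Capability(resource, deny=True) in caps:
            return False  # a negative capability wins over any grant
        return Capability(resource) in caps

    def remote_request(self, remote_user, resource, claimed_caps):
        # Remote users only reach local resources through a local proxy
        # domain controlled by this system; whatever capabilities the
        # caller claims over the wire are ignored.
        del claimed_caps
        return self.check(("proxy", remote_user), resource)
```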