Split Capabilities: Making Capabilities Scale
Karp, Alan
alan_karp@hp.com
Mon, 24 Jul 2000 09:32:41 -0700
> -----Original Message-----
> From: Jonathan S. Shapiro [mailto:shap@eros-os.org]
> Sent: Sunday, July 23, 2000 10:25 AM
> To: Karp, Alan; 'Mark S. Miller'
> Cc: e-lang@eros-os.org
> Subject: Re: Split Capabilities: Making Capabilities Scale
>
>
> > My statement refers to the fact that the interposer need be nothing but
> > two lines of code to be a message forwarder, while a capability, if
> > remote, requires some cryptography
>
> We need to be careful about this assumption. Clearly, cryptography is the
> only technique we have right now for security over unsecured wires. It does
> not follow that cryptographic capabilities are required. A sufficient
> alternative would be unsecured capabilities transmitted between mutually
> trusting runtimes over a more generically encrypted link.
Actually, you only need cryptographically secure capabilities if they are
outside the control of the TCB. If all the client has is a virtual address
that points to the capability, for example, you don't need crypto or trust
between the parties.
>
> This wouldn't work for E-speak, obviously, because ultimately the capability
> representation is visible to the end user. It's a fine solution for
> distributing a system like EROS. It also raises the possibility that each
> participant E-speak system could be made responsible for its own encryption
> locally. Not sure that's a good idea, but sometimes I find that thinking
> around corners in this way is revealing.
We need to be explicit in how the crypto is being used. A cryptographically
secure link prevents tampering and eavesdropping. A cryptographically
secure capability prevents forging of access rights by tampering with the
contents of the capability. I am only discussing the latter.
In e-speak DR 3.0, the capability is a bag of bits that the clients can pass
around any way they like. In this case, the capability's internals are
visible to the user and must be cryptographically secure. In e-speak Beta
2.2, the capabilities are handles to data structures maintained in the
engine's address space; there is no need for crypto.
>
> shap
>
_________________________
Alan Karp
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
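As an added illustration (not part of Karp's message and not e-speak's own code), the following Python sketch contrasts the two representations the message distinguishes: a bag-of-bits capability whose integrity rests on an HMAC computed with a key that never leaves the engine, versus a handle that merely indexes a table kept in the engine's address space. The class names, the resource "/printer", the clients "alice" and "bob" and the sample capabilities are all invented for this example; the per-client handle table is one way of making a handle meaningful only to its holder, added here as the caveat a practitioner would want, not a description of how e-speak Beta 2.2 did it.

```python
"""Added example: two capability representations, after Karp's distinction.

Design 1 (bag of bits): the client holds and forwards the capability, so the
engine must detect tampering with its contents; an HMAC under an engine-held
key does that.  Design 2 (handle): the client holds only an index into a table
inside the engine, the rights bits are never exposed, and no crypto is needed.
All names and sample data are invented for this example.
"""
import hashlib
import hmac
import json
import secrets


def _encode(resource, rights):
    # Canonical JSON so equal (resource, rights) always MAC the same way.
    return json.dumps({"resource": resource, "rights": sorted(rights)},
                      sort_keys=True, separators=(",", ":")).encode()


class CryptoCapabilityEngine:
    """Capability = canonical body + b'.' + hex HMAC-SHA256 over the body."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # never handed to clients

    def _tag(self, body):
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def mint(self, resource, rights):
        body = _encode(resource, rights)
        return body + b"." + self._tag(body).hex().encode()

    def invoke(self, cap, resource, op):
        try:
            body, tag_hex = cap.rsplit(b".", 1)
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False  # malformed capability
        if not hmac.compare_digest(tag, self._tag(body)):
            return False  # contents changed since minting: forgery rejected
        fields = json.loads(body)
        return fields["resource"] == resource and op in fields["rights"]


def invoke_without_mac(cap, resource, op):
    """What a bag-of-bits design that trusts client-supplied contents does."""
    fields = json.loads(cap.rsplit(b".", 1)[0])
    return fields["resource"] == resource and op in fields["rights"]


def forge_rights(cap, new_rights):
    """Client-side tampering: rewrite the rights field, keep the old tag."""
    body, tag_hex = cap.rsplit(b".", 1)
    return _encode(json.loads(body)["resource"], new_rights) + b"." + tag_hex


class HandleCapabilityEngine:
    """Capability = small integer indexing a per-client table in the engine.

    Tables are per client (like a Unix file-descriptor table), so a handle
    guessed or copied by another client names nothing; delegation is the
    engine copying the entry, never bits moving through the client.
    """

    def __init__(self):
        self._tables = {}  # client -> {handle: (resource, frozenset(rights))}

    def mint(self, client, resource, rights):
        table = self._tables.setdefault(client, {})
        table[len(table)] = (resource, frozenset(rights))
        return len(table) - 1

    def grant(self, giver, handle, receiver):
        entry = self._tables.get(giver, {}).get(handle)
        if entry is None:
            raise PermissionError("giver does not hold that capability")
        table = self._tables.setdefault(receiver, {})
        table[len(table)] = entry
        return len(table) - 1

    def invoke(self, client, handle, resource, op):
        entry = self._tables.get(client, {}).get(handle)
        if entry is None:
            return False
        res, rights = entry
        return res == resource and op in rights


def demo():
    r = {}
    crypto = CryptoCapabilityEngine()
    cap = crypto.mint("/printer", ["read"])  # constructed sample capability
    r["crypto_read_ok"] = crypto.invoke(cap, "/printer", "read")
    r["crypto_write_denied"] = not crypto.invoke(cap, "/printer", "write")
    forged = forge_rights(cap, ["read", "write"])
    r["forgery_rejected_with_mac"] = not crypto.invoke(forged, "/printer", "write")
    r["forgery_accepted_without_mac"] = invoke_without_mac(forged, "/printer", "write")

    handles = HandleCapabilityEngine()
    h = handles.mint("alice", "/printer", ["read"])
    r["handle_read_ok"] = handles.invoke("alice", h, "/printer", "read")
    r["handle_write_denied"] = not handles.invoke("alice", h, "/printer", "write")
    r["other_client_guess_denied"] = not handles.invoke("bob", h, "/printer", "read")
    r["delegated_handle_ok"] = handles.invoke("bob", handles.grant("alice", h, "bob"), "/printer", "read")
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two designs fail differently: with the MAC, a client that edits the rights field gets a capability the engine refuses outright, whereas without it the edited bits are simply believed. With handles there are no rights bits on the client side to edit at all; the remaining risk is a handle namespace shared across clients, which the per-client table closes.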