[E-Lang] CapC: making C programs safe and turning filenames into capabilities

Mark S. Miller markm@caplet.com
Mon, 31 Dec 2001 09:31:15 -0800


At 07:03 AM 12/31/2001 Monday, Mark Seaborn wrote:
>Back in September I e-mailed this list about a scheme I had been
>working on for translating C programs into a memory-safe language.
>Since then I've been implementing this, writing a C compiler which I'm
>calling `CapC' (as it implements C using capabilities).  It's now at a
>point where it will run a demonstration program.  I've put a copy of
>it at:
>
>  <http://www.srcf.ucam.org/~mrs35/comp/safe-c/>
>
>The particular relevance of this is that the technique for turning
>pointers into capabilities to access memory

A nice intro.  But are these capabilities in the modern (post-Hydra or so) 
sense -- invocation capabilities, or are they more like the earlier notion 
of memory-protection capabilities?  It seems to me they are only memory 
protection capabilities, as I see no support for encapsulation, expressed in 
the Ode at 
http://www.erights.org/elib/capability/ode/ode-capabilities.html#encap as

>Absolute Encapsulation. From outside an object, one must not be able to gain 
>access to the object's internals without the object's consent, even if one 
>has a reference to the object. For operating systems, this corresponds to 
>the separation of processes, and is quite common (even if imperfect) outside 
>of capability operating systems. For example, operating systems often 
>control a computer's memory management hardware so that one process cannot 
>read or write another's address space or access its (for example) file 
>descriptors, even if the two processes are communicating.


A C with only memory capabilities would still be quite valuable!  It would 
just be good to be clear about what claims are being made.  Since C has no 
linguistic mechanisms that even suggest encapsulation, I also don't see how 
you could grow this work into invocation capabilities without extending your 
input language -- either to C++ (horrors) or by allowing C functions to 
lexically nest, turning them into Scheme-like closures.

>(Also, I'm looking to set up a mailing list for the project -- can
>anyone suggest a site that provides that service?  I've heard that
>Sourceforge can't be relied on any more.)

I'm a mostly-lurker on several egroups http://groups.yahoo.com/ lists.  It 
works and it's free, but don't take this as an endorsement. ;)


        Cheers,
        --MarkM
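To make the distinction in the reply concrete, here is an added example (my own code, not CapC's implementation and not from either author's message). It contrasts a memory capability, a bounded pointer carrying access rights of the kind CapC derives from a C pointer, with an invocation capability, where holding a reference lets you call the object but gives you no address to read. The `memcap` layout, the `account` struct and the static object table are assumptions made for illustration.

```c
/* Added example, not from CapC or the e-mail above. The memcap layout,
 * account struct and object table are my own assumptions. */
#include <stddef.h>
#include <stdio.h>

#define CAP_R 1u
#define CAP_W 2u

/* Memory capability: an address range plus access rights (assumed layout). */
typedef struct {
    unsigned char *base;
    size_t len;
    unsigned rights;
} memcap;

memcap memcap_from(void *p, size_t len, unsigned rights) {
    memcap c = { (unsigned char *)p, len, rights };
    return c;
}

/* Checked dereference: NULL if [off, off+n) leaves the bounds or a needed
 * right is missing. This check is what makes the pointer memory-safe. */
void *memcap_deref(const memcap *c, size_t off, size_t n, unsigned need) {
    if ((c->rights & need) != need) return NULL;
    if (off > c->len || n > c->len - off) return NULL;   /* overflow-safe form */
    return c->base + off;
}

/* Narrow a capability: bounds may only shrink, rights may only be dropped. */
int memcap_restrict(const memcap *c, size_t off, size_t n, unsigned rights, memcap *out) {
    if (off > c->len || n > c->len - off) return 0;
    if (rights & ~c->rights) return 0;
    out->base = c->base + off; out->len = n; out->rights = rights;
    return 1;
}

/* An object with a field its author would like to keep private. */
typedef struct { int balance; int pin; } account;

/* 1. A memory capability covering the object reaches every field in bounds,
 *    so the "private" pin is readable by anyone holding the capability. */
int memcap_reads_pin(void) {
    account a = { 100, 4321 };
    memcap c = memcap_from(&a, sizeof a, CAP_R | CAP_W);
    int *pin = memcap_deref(&c, offsetof(account, pin), sizeof(int), CAP_R);
    return pin ? *pin : -1;   /* 4321: memory safety, but no encapsulation */
}

/* 2. The same capability still stops memory errors: one byte past the end is
 *    refused, and a read-only derivative neither writes nor regains W. */
int memcap_rejects_overflow_and_write(void) {
    account a = { 100, 4321 };
    memcap c = memcap_from(&a, sizeof a, CAP_R | CAP_W);
    memcap ro;
    if (memcap_deref(&c, sizeof a, 1, CAP_R) != NULL) return 0;
    if (!memcap_restrict(&c, 0, sizeof(int), CAP_R, &ro)) return 0;
    if (memcap_deref(&ro, 0, sizeof(int), CAP_W) != NULL) return 0;
    if (memcap_restrict(&ro, 0, sizeof(int), CAP_W, &ro)) return 0;
    return 1;
}

/* 3. Invocation capability, simulated: the holder gets an integer handle and
 *    a fixed set of methods. Storage lives in this file's static table and the
 *    handle carries no address. This is discipline, not a language guarantee:
 *    C has no construct that expresses the object itself, which is the gap
 *    the reply points at. */
enum { MAX_OBJ = 8 };
static account objects[MAX_OBJ];
static int n_objects;

typedef int objref;   /* an index, deliberately not a pointer */

objref account_new(int balance, int pin) {
    if (n_objects == MAX_OBJ) return -1;
    objects[n_objects].balance = balance;
    objects[n_objects].pin = pin;
    return n_objects++;
}

/* The only operation the reference grants: withdraw if the pin matches.
 * Returns the new balance, or -1 if refused. */
int account_withdraw(objref r, int pin, int amount) {
    if (r < 0 || r >= n_objects) return -1;
    if (objects[r].pin != pin || amount > objects[r].balance) return -1;
    objects[r].balance -= amount;
    return objects[r].balance;
}

int invocation_cap_hides_pin(void) {
    objref r = account_new(100, 4321);
    if (account_withdraw(r, 1111, 10) != -1) return 0;   /* wrong pin: refused */
    return account_withdraw(r, 4321, 10) == 90;          /* right pin: allowed */
}

int main(void) {
    printf("memcap reads pin: %d\n", memcap_reads_pin());
    printf("memcap rejects overflow and write: %d\n", memcap_rejects_overflow_and_write());
    printf("invocation cap hides pin: %d\n", invocation_cap_hides_pin());
    return 0;
}
```

Part 1 is the claim in the reply in miniature: a bounded, rights-checked pointer keeps the program memory-safe (part 2) yet still exposes everything inside the bounds, because a memory capability names a region, not an object. Part 3 is what an invocation capability buys, and also why it cannot fall out of translating plain C: the hiding rests on a file-scope table and a handle that happens to be an integer, a convention the compiler does not enforce, which is why the reply expects the input language would have to grow closures or classes before CapC could offer it.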