black-box re-use? (was: Re: [E-Lang] MintMaker with ACLs)

David Wagner daw@mozart.cs.berkeley.edu
2 Feb 2001 01:02:48 GMT


Tyler Close wrote:
>The access check is at the subject. If the subject doesn't check,
>there is no check. What else can be said?

It's not inherent in ACLs.  The usual diagram of an ACL system
(or a capability system, for that matter) looks like this:

+---------+        +-------+       +--------+
| Subject |------->| Guard |------>| Object |
+---------+        +-------+       +--------+

The "guard" is just a reference monitor, and may be part of, e.g.,
the operating system.  Note that the Guard is separate from the Subject
and the Object.

The Guard is responsible for ensuring that all accesses by the Subject to
the Object are mediated.  For instance, we might try to achieve this by
interposing on all such accesses: If we can force them to be vectored
through a central location (e.g., the user->kernel syscall trap, in
a traditional OS), then we can add the mediation where the accesses
are vectored.

Note: ACLs don't help you to ensure that all accesses are mediated.
This is a burden imposed on the implementor, which must be discharged
before ACLs (or capabilities) can be at all useful.
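The Subject/Guard/Object arrangement and the complete-mediation point above, as an added Python illustration that is not part of the e-mail: a guard that consults a constructed ACL on every call vectored through it, beside the same requests made on the object directly, where no guard runs and so nothing is checked. The class and function names are assumed for the example.

```python
"""Reference monitor ("guard") mediating a subject's access to an object.
Added illustration, not from the e-mail thread; names, ACL and requests are constructed."""

class AccessDenied(Exception):
    pass

class Ledger:
    """The protected Object; it performs no access checks of its own."""
    def __init__(self):
        self.balance = 0
    def deposit(self, amount):
        self.balance += amount
    def read(self):
        return self.balance

class Guard:
    """Reference monitor: the only holder of the object reference; checks the
    ACL on every call vectored through it and records the decision."""
    def __init__(self, obj, acl):
        self._obj = obj
        self._acl = acl   # {subject: {permitted method, ...}}
        self.log = []     # (subject, method, decision) audit trail
    def invoke(self, subject, method, *args):
        allowed = method in self._acl.get(subject, set())
        self.log.append((subject, method, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{subject} may not {method}")
        return getattr(self._obj, method)(*args)

ACL = {"alice": {"deposit", "read"}, "bob": {"read"}}
REQUESTS = [("alice", "deposit", (50,)), ("bob", "deposit", (25,)), ("bob", "read", ())]

def mediated(acl=ACL, requests=REQUESTS):
    """All accesses vectored through the guard: returns (balance, audit log)."""
    ledger = Ledger()
    guard = Guard(ledger, acl)
    for subject, method, args in requests:
        try:
            guard.invoke(subject, method, *args)
        except AccessDenied:
            pass
    return ledger.read(), guard.log

def unmediated(acl=ACL, requests=REQUESTS):
    """Same requests, but subjects hold the object directly: the guard never runs."""
    ledger = Ledger()
    for _subject, method, args in requests:
        getattr(ledger, method)(*args)   # nothing consults acl
    return ledger.read()
```

The mediated run denies bob's deposit and leaves the balance at 50; the unmediated run reaches 75 with the identical ACL, which is the implementor's burden the message describes.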