black-box re-use? (was: Re: [E-Lang] MintMaker with ACLs)

Tyler Close
Sat, 3 Feb 2001 12:37:26 -0000

David Wagner wrote:
> Tyler Close wrote:
> >The access check is at the subject. If the subject doesn't check,
> >there is no check. What else can be said?
> It's not inherent in ACL's.  The usual diagram of an ACL system
> (or a capability system, for that matter) looks like this:
> +---------+        +-------+       +--------+
> | Subject |------->| Guard |------>| Object |
> +---------+        +-------+       +--------+
> The "guard" is just a reference monitor, and may be part of, e.g.,
> the operating system.  Note that the Guard is separate from
> the Subject
> and the Object.

I plead temporary confusion. I meant to be talking about the "Object".
Making the distinction between the "Guard" and the "Object" seems like
it would be more theoretical in some implementations. Drawing the line
in Hal's Mint example seems tricky.

> Note: ACL's don't help you to ensure that all accesses are mediated.
> This is a burden imposed on the implementor, which must be
> discharged
> before ACL's (or capabilities) can be at all useful.

I don't think I understand exactly what you mean here. Are you talking
about the getuid() calls in Hal's example?