[E-Lang] Summary for Practical Programming
Mark S. Miller
Sat, 03 Feb 2001 09:20:51 -0800
At 04:35 AM Saturday 2/3/01, Tyler Close wrote:
>> >It follows that everyone also agrees that the capability model is
>> >theoretically sound.
>By "theoretically sound" I meant that the model can enforce the
>prohibitions that it expresses.
Strictly speaking then, we need to admit that no actual capability
implementations are, by this definition, theoretically sound. Capabilities
allow the *expression* of full confinement by lack of capability
connectivity, since causality is only *supposed* to flow along capabilities.
However, in actual capability implementations, this only perfectly confines
capabilities, not bits, since bits can be wall banged. Capability
programmers on such platforms must understand this extra unsuppressable
channel of unauthorized causality. The possibility of bandwidth limits does
not change this conclusion.
I doubt this has any effect on the current discussion, since no other
security system of any kind claims to do any better regarding this issue.