[E-Lang] Summary for Practical Programming

[Mark S. Miller]

At 04:35 AM Saturday 2/3/01, Tyler Close wrote:
>> >It follows that everyone also agrees that the capability model is
>> >theoretically sound.
>[...]
>By "theoretically sound" I meant that the model can enforce the
>prohibitions that it expresses. 

Strictly speaking then, we need to admit that no actual capability 
implementations are, by this definition, theoretically sound.  Capabilities 
allow the *expression* of full confinement by lack of capability 
connectivity, since causality is only *supposed* to flow along capabilities. 
However, in actual capability implementations, this only perfectly confines 
capabilities, not bits, since bits can be wall banged.  Capability 
programmers on such platforms must understand this extra unsuppressable 
channel of unauthorized causality.  The possibility of bandwidth limits does 
not change this conclusion.

I doubt this has any effect on the current discussion, since no other 
security system of any kind claims to do any better regarding this issue.


        Cheers,
        --MarkM