[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Ben Laurie ben@algroup.co.uk
Sat, 20 Jan 2001 11:23:06 +0000


"Scott Smith (by way of Mark S. Miller)" wrote:
> The general approach needed in my (not completely well-formed) opinion
> is a broad family of techniques for modulating capabilities.  The bigger
> the basket of tricks, the greater the security possible.  Some are
> easily encoded in capabilities themselves, such as restricted feature
> capabilities (subset of a full capability via a wrapper), timed
> capabilities, revokable capabilities, coordinated capabilities (requires
> two parts to get the real capability), etc (is there a good listing of
> these things somewhere??).  But some modulating dimensions are not
> easily encoded in capabilities, and stack inspection is one such
> dimension.

What I don't really understand is why, in a capability system, you would
put yourself in a position where stack inspection was useful - surely
you would be breaking the program across multiple processes instead, and
isolating the capabilities required for each component in that way?

I guess a concrete example where stack inspection does something useful
that decomposition+capabilities does not would help.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
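The capability "modulation" patterns Scott Smith lists above (a wrapper exposing a subset of a full capability, timed capabilities, revocable capabilities, and coordinated two-part capabilities) can all be expressed as ordinary forwarding objects in the object-capability style. The following is an added example, not code from the thread or from either author, written in JavaScript with closures standing in for unforgeable references; every name (`makeStore`, `guarded`, `makeRevocable`, `makeTimed`, `makeCoordinated`) is constructed for illustration and the "store" is a toy in-memory map:

```javascript
// Added example: capability modulation via forwarders (object-capability style).
// All names here are constructed for illustration; nothing is from the thread.

// The "full" capability: an object that can read and write a toy key/value store.
function makeStore() {
  const data = new Map();
  return {
    read: (k) => data.get(k),
    write: (k, v) => { data.set(k, v); },
  };
}

// Restricted-feature capability: a wrapper that exposes only a subset of the
// full capability's methods (here: read but not write).
function readOnly(store) {
  return Object.freeze({ read: (k) => store.read(k) });
}

// Generic forwarder: same method names as `cap`, but every call first runs
// `guard()`; if the guard throws, the call never reaches the real capability.
function guarded(cap, guard) {
  const out = {};
  for (const name of Object.keys(cap)) {
    if (typeof cap[name] === 'function') {
      out[name] = (...args) => { guard(); return cap[name].apply(cap, args); };
    }
  }
  return Object.freeze(out);
}

// Revocable capability: the grantee gets `proxy`; the granter keeps `revoke`.
function makeRevocable(cap) {
  let revoked = false;
  const proxy = guarded(cap, () => {
    if (revoked) throw new Error('capability revoked');
  });
  return { proxy, revoke: () => { revoked = true; } };
}

// Timed capability: forwards only while `now()` is before `expiresAt`.
// `now` is injectable so the behaviour can be exercised deterministically.
function makeTimed(cap, expiresAt, now = Date.now) {
  return guarded(cap, () => {
    if (now() >= expiresAt) throw new Error('capability expired');
  });
}

// Coordinated capability: the real capability is handed out only when two
// independently held, unforgeable parts are presented together.
function makeCoordinated(cap) {
  const partA = Object.freeze({});
  const partB = Object.freeze({});
  const combine = (a, b) => {
    if (a !== partA || b !== partB) throw new Error('both parts required');
    return cap;
  };
  return { partA, partB, combine };
}

// Helper: run `fn`, returning false if it succeeded or the denial message if not.
function denied(fn) {
  try { fn(); return false; } catch (e) { return e.message; }
}

// Exercise each pattern against a constructed store and report the outcomes.
function demo() {
  const store = makeStore();
  store.write('secret', 42);
  const results = {};

  const ro = readOnly(store);
  results.readOnlyCanRead = ro.read('secret');        // 42
  results.readOnlyHasWrite = typeof ro.write === 'function'; // false

  const { proxy, revoke } = makeRevocable(store);
  results.beforeRevoke = proxy.read('secret');        // 42
  revoke();
  results.afterRevoke = denied(() => proxy.read('secret')); // 'capability revoked'

  let clock = 1000;
  const timed = makeTimed(store, 2000, () => clock);
  results.beforeExpiry = timed.read('secret');        // 42
  clock = 2000;
  results.afterExpiry = denied(() => timed.read('secret')); // 'capability expired'

  const { partA, partB, combine } = makeCoordinated(store);
  results.onePart = denied(() => combine(partA, partA)); // 'both parts required'
  results.bothParts = combine(partA, partB).read('secret'); // 42
  return results;
}
```

The point relevant to Ben's question is that none of these wrappers need to know who is on the call stack: each one decides purely from what it holds (a flag, a clock, a pair of references), so the same attenuation works whether the grantee runs in the same process or is handed the forwarder across a process boundary.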