[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)
Ben Laurie
ben@algroup.co.uk
Sat, 20 Jan 2001 11:23:06 +0000
"Scott Smith (by way of Mark S. Miller)" wrote:
> The general approach needed in my (not completely well-formed) opinion
> is a broad family of techniques for modulating capabilities. The bigger
> the basket of tricks, the greater the security possible. Some are
> easily encoded in capabilities themselves, such as restricted feature
> capabilities (subset of a full capability via a wrapper), timed
> capabilities, revokable capabilities, coordinated capabilities (requires
> two parts to get the real capability), etc (is there a good listing of
> these things somewhere??). But some modulating dimensions are not
> easily encoded in capabilities, and stack inspection is one such
> dimension.
What I don't really understand is why, in a capability system, you would
put yourself in a position where stack inspection was useful - surely
you would be breaking the program across multiple processes instead, and
isolating the capabilities required for each component in that way?
I guess a concrete example where stack inspection does something useful
that decomposition+capabilities does not would help.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
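The capability-modulation patterns Scott lists (restricted-feature wrappers, timed and revocable capabilities), shown as an added JavaScript example in object-capability style; this is not code from the thread or from E, and the names makeStore, makeRestricted, makeRevocable, makeTimed and the in-memory store are assumptions constructed for the demo.

```javascript
'use strict';

// Constructed target capability: a small in-memory store handed out selectively.
function makeStore() {
  const data = new Map();
  return Object.freeze({
    read: (k) => data.get(k),
    write: (k, v) => { data.set(k, v); return true; },
    erase: (k) => data.delete(k),
  });
}

// Restricted-feature capability: a frozen wrapper exposing only a subset of
// the target's methods (here, e.g. read without write/erase).
function makeRestricted(target, allowed) {
  const sub = {};
  for (const name of allowed) sub[name] = (...args) => target[name](...args);
  return Object.freeze(sub);
}

// Revocable capability (caretaker): holders get a forwarder; revoke() severs it
// for every holder at once without touching the underlying object.
function makeRevocable(target) {
  let t = target;
  const forwarder = new Proxy({}, {
    get: (_, prop) => {
      if (t === null) throw new Error('capability revoked');
      const v = t[prop];
      return typeof v === 'function' ? (...args) => v(...args) : v;
    },
  });
  return { cap: forwarder, revoke: () => { t = null; } };
}

// Timed capability: a revocable wrapper that revokes itself once the injected
// clock reaches expiresAt (the clock is injected so the behaviour is testable).
function makeTimed(target, expiresAt, now = Date.now) {
  const { cap, revoke } = makeRevocable(target);
  return new Proxy({}, {
    get: (_, prop) => { if (now() >= expiresAt) revoke(); return cap[prop]; },
  });
}

// Exercise all three wrappers and report what each holder can still do.
function demo() {
  const store = makeStore();
  const readOnly = makeRestricted(store, ['read']);
  const { cap, revoke } = makeRevocable(store);
  cap.write('k', 'v');
  const seenViaReadOnly = readOnly.read('k');
  revoke();
  let revokedThrows = false;
  try { cap.read('k'); } catch (e) { revokedThrows = true; }
  let clock = 0;
  const timed = makeTimed(store, 10, () => clock);
  const okBeforeExpiry = timed.write('t', 1);
  clock = 10;
  let expiredThrows = false;
  try { timed.read('t'); } catch (e) { expiredThrows = true; }
  return { seenViaReadOnly, hasErase: 'erase' in readOnly, revokedThrows,
           okBeforeExpiry, expiredThrows, directStillWorks: store.read('t') };
}
```

Note that revocation and expiry only affect holders of the wrapper; anyone holding the original store reference is unaffected, which is exactly why the wrapper, not the target, is what gets handed out.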