[FoRK] kragen rides again-

Tony Finch <dot at dotat.at>, Sat Nov 4 06:04:53 PST 2006

On Sat, 4 Nov 2006, Dave Long wrote:
>
> Here's where it gets very handwavy: the normal reasoning for
> single-level store in a capability system is that the transitive aspect
> of the capabilities is precomputed and cached, so if the cache values
> are corrupted, who knows whether isolation still holds?  Hence, normally
> the kernel should be expected to go to a great deal of checkpointing to
> ensure that inconsistent states never make it to disk.  (IIRC, the disk
> channel could be kept pegged during operation)

This complexity is only necessary if transitive revocation is a low-level
feature of your capability system. However Mark Miller has shown that a
basic object-capability system with no built-in higher level security
features can implement things like revocation and confinement using proxy
objects that enforce the higher level requirements. See section II of
http://www.cypherpunks.to/erights/talks/thesis/markm-thesis.pdf

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
SHANNON: VARIABLE MAINLY SOUTHERLY 3 OR 4. SLIGHT OR MODERATE. FAIR. GOOD.
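Tony's point above, that revocation need not be a kernel feature because a plain object-capability system can get it from proxy objects, is easy to show in code. The following is an added example, not from this thread and not code from Mark Miller's thesis: a revocable membrane written with ordinary JavaScript `Proxy` objects. Every object reached through the gateway (return values, property reads) is itself wrapped, so a single `revoke()` cuts off the whole object graph obtained through that gateway, including references handed out earlier, while the owner's direct references are untouched. The names `makeMembrane`, `store` and `notes.txt` are constructed for the example.

```javascript
// Added example (not from the FoRK thread or Miller's thesis): a revocable
// membrane built from plain ES2015 Proxy objects. Nothing here relies on
// kernel support; revocation is a property of the proxy, not of the store.

function makeMembrane(target) {
  let revoked = false;
  const wrappers = new WeakMap();  // real object -> its proxy (identity preserved)
  const originals = new WeakMap(); // proxy -> real object (unwrapped on the way in)

  const checkLive = () => {
    if (revoked) throw new Error('capability revoked');
  };

  // Objects crossing back into the store are unwrapped, so the store never
  // sees its own proxies.
  const unwrap = (v) => (originals.has(v) ? originals.get(v) : v);

  // Everything crossing out of the store is wrapped, so references obtained
  // through the gateway are revocable too (this is the "transitive" part).
  // Only the traps the demo needs are installed; a production membrane traps
  // every operation (has, ownKeys, deleteProperty, construct, ...).
  function wrap(value) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      return value; // primitives carry no authority; pass them through
    }
    if (wrappers.has(value)) return wrappers.get(value);
    const proxy = new Proxy(value, {
      get(t, prop) {
        checkLive();
        return wrap(Reflect.get(t, prop, t));
      },
      set(t, prop, val) {
        checkLive();
        return Reflect.set(t, prop, unwrap(val), t);
      },
      apply(t, thisArg, args) {
        checkLive();
        return wrap(Reflect.apply(t, unwrap(thisArg), args.map(unwrap)));
      },
    });
    wrappers.set(value, proxy);
    originals.set(proxy, value);
    return proxy;
  }

  return { proxy: wrap(target), revoke: () => { revoked = true; } };
}

function demoRevocation() {
  // Constructed sample "store": a directory-like object that hands out files.
  const store = {
    files: { 'notes.txt': { contents: 'hello', read() { return this.contents; } } },
    open(name) { return this.files[name]; },
  };

  // Hand out a revocable gateway instead of the store itself.
  const { proxy: gateway, revoke } = makeMembrane(store);
  const file = gateway.open('notes.txt'); // a wrapped file, reached transitively
  const before = file.read();

  revoke(); // whoever holds the revoker cuts off everything reached via the gateway

  const errorOf = (fn) => { try { fn(); return null; } catch (e) { return e.message; } };
  return {
    before,                                                 // 'hello'
    afterError: errorOf(() => file.read()),                 // 'capability revoked'
    gatewayError: errorOf(() => gateway.open('notes.txt')), // 'capability revoked'
    direct: store.open('notes.txt').read(),                 // owner's own reference: 'hello'
    wrapped: file !== store.files['notes.txt'],             // true: caller never saw the real object
  };
}

console.log(demoRevocation());
```

The revoker and the gateway are separate objects, so the party that can cut access does not need to be the party using it; and because the membrane does the wrapping at the object level, no precomputed transitive state has to be kept consistent on disk, which is the complexity the quoted paragraph worries about.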
