l4-hurd

Capabilities in Amoeba


From: Ludovic Courtès
Subject: Capabilities in Amoeba
Date: Mon, 08 Aug 2005 18:07:13 +0200
User-agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

Hi,

The following might already have obvious answers, but anyway: did anyone
consider a distributed, cryptography-based, capability system à la
Amoeba [1]?

In his LSM talk intro, Marcus rejected the idea of relying on
cryptography to implement capabilities arguing that this would incur too
much overhead.  Looking at how Amoeba does it, this assertion doesn't
seem so obvious.  Shapiro and the erights.org people would have been a
good source of criticism but they don't seem to mention Tanenbaum's
work.

In Amoeba, capabilities have "value semantics" and can therefore be
copied from task to task without requiring anything special.  In order
to achieve this, capabilities contain (among other things) a global port
identifier.  While L4 X.2 provides global IDs for threads, L4ng, as I
understand it, will _not_ provide any global resource ID, therefore
precluding capability implementations à la Amoeba (I understand that
global thread IDs are not always desirable, e.g. as part of a resource
name within a multi-threaded server, but that's another issue).

Amoeba capabilities also make it possible for a client owning a
capability to a remote resource to locally create from it a new one with
restricted rights (e.g. creating a read-only capability from a
read-write one).  Thanks to the cryptographic techniques being used, no
RPC is required for this.

Finally, Amoeba's capabilities contain an "object name" field "only
meaningful to the server managing the object".  In cases where the
capability-providing server is trusted, we could even imagine coding
object types as part of this object name.  This would allow for local
type identification of capability-designated resources.

I hope what I just wrote is not so trivial that it could be considered
as an offense.  ;-)  In case this has already been answered elsewhere,
could anyone refer me to the relevant documents?

Thanks and happy hacking!

Ludovic.


[1] E.g., A. Tanenbaum, "Using Sparse Capabilities in a Distributed
    Operating System".
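The following is an added toy model of the sparse-capability scheme the message refers to; it is not code from the original post, from Amoeba or from the Hurd. It follows the construction in the cited paper (a server-side secret check field per object, restricted capabilities carrying f(check XOR rights) for a public one-way function f), with these assumptions: the one-way function is SHA-256 truncated to the 48-bit check width (Amoeba used its own), the server and object data live in one Python process instead of across a network, and the object name carries a type tag in its high bits, which is the idea floated in the message rather than anything Amoeba does. All names (`Capability`, `Server`, `restrict`, `demo`) and the sample object contents are constructed for this example.

```python
"""Toy model of Amoeba-style sparse capabilities (added example, not Amoeba code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Field widths follow the Amoeba layout (48-bit port, 24-bit object name,
# 8-bit rights, 48-bit check). The one-way function f is an assumption:
# SHA-256 truncated to the check width stands in for Amoeba's own.
CHECK_BYTES = 6
ALL_RIGHTS = 0xFF
READ, WRITE = 0x01, 0x02

# Assumed encoding of a type tag in the object name (the idea raised in the
# message above, not an Amoeba feature): the high 8 bits are the type.
TYPE_FILE = 0x01


@dataclass(frozen=True)
class Capability:
    port: bytes    # global server port; any holder can route to the server
    obj: int       # object name, meaningful only to the owning server
    rights: int    # 8-bit rights bitmap
    check: bytes   # 48-bit check field; the only part that must stay secret


def f(data: bytes) -> bytes:
    """Public one-way function applied to (check XOR rights)."""
    return hashlib.sha256(data).digest()[:CHECK_BYTES]


def mix(check: bytes, rights: int) -> bytes:
    """XOR the rights mask into every byte of the check field."""
    return bytes(b ^ rights for b in check)


def object_type(cap: Capability) -> int:
    """Local type identification from the object name (assumed encoding)."""
    return cap.obj >> 16


def restrict(cap: Capability, new_rights: int) -> Capability:
    """Derive a capability with fewer rights, entirely on the holder's side:
    no RPC is needed because f is public and the owner knows the secret check."""
    if cap.rights != ALL_RIGHTS:
        # A restricted holder does not know the server's secret check value,
        # so it cannot compute f(secret XOR rights) for any other rights mask.
        raise ValueError("only an owner capability can be restricted locally")
    if new_rights & ~ALL_RIGHTS or new_rights == ALL_RIGHTS:
        raise ValueError("new rights must be a proper subset of all rights")
    return Capability(cap.port, cap.obj, new_rights, f(mix(cap.check, new_rights)))


class Server:
    """Object server: keeps the secret check per object and validates capabilities."""

    def __init__(self) -> None:
        self.port = os.urandom(6)
        self._objects: dict[int, list] = {}   # obj -> [secret check, data]

    def create(self, data: bytes) -> Capability:
        obj = (TYPE_FILE << 16) | (len(self._objects) + 1)
        secret = os.urandom(CHECK_BYTES)
        self._objects[obj] = [secret, data]
        return Capability(self.port, obj, ALL_RIGHTS, secret)   # owner capability

    def _valid(self, cap: Capability) -> bool:
        if cap.port != self.port or cap.obj not in self._objects:
            return False
        secret = self._objects[cap.obj][0]
        if cap.rights == ALL_RIGHTS:
            expected = secret                      # owner cap carries the raw secret
        else:
            expected = f(mix(secret, cap.rights))  # same derivation as restrict()
        return hmac.compare_digest(cap.check, expected)

    def read(self, cap: Capability) -> bytes:
        if not (self._valid(cap) and cap.rights & READ):
            raise PermissionError("read denied")
        return self._objects[cap.obj][1]

    def write(self, cap: Capability, data: bytes) -> None:
        if not (self._valid(cap) and cap.rights & WRITE):
            raise PermissionError("write denied")
        self._objects[cap.obj][1] = data


def demo() -> dict:
    """Owner restricts locally; the read-only holder can neither write nor forge rights."""
    srv = Server()
    owner = srv.create(b"constructed sample object")
    ro = restrict(owner, READ)                 # no message to srv involved
    out = {"type_local": object_type(ro) == TYPE_FILE,
           "ro_reads": srv.read(ro) == b"constructed sample object"}
    try:
        srv.write(ro, b"x")
        out["ro_writes"] = True
    except PermissionError:
        out["ro_writes"] = False
    # Forgery attempt: keep the read-only check field but claim all rights.
    forged = Capability(ro.port, ro.obj, ALL_RIGHTS, ro.check)
    try:
        srv.write(forged, b"x")
        out["forged_writes"] = True
    except PermissionError:
        out["forged_writes"] = False
    srv.write(owner, b"updated")
    out["owner_writes"] = srv.read(ro) == b"updated"
    return out
```

Two design points worth noting. Only the owner capability can be restricted locally, since a restricted holder never sees the raw check value and f is one-way; any other combination of rights has to be issued by the owner. And the check field is a bearer secret: whoever can read it on the wire or in memory holds the capability, so the scheme's strength rests on the check being sparse in a large space and on the transport not leaking it.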



