l4-hurd

Re: Capabilities in Amoeba


From: Ludovic Courtès
Subject: Re: Capabilities in Amoeba
Date: Tue, 09 Aug 2005 17:09:34 +0200
User-agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

Hi,

Bas Wijnen <address@hidden> writes:

> I think protection by sparsity is a bad idea.  It opens up possibilities for
> attacks which may work every now and then, which means a mission-critical
> machine cannot be allowed to have untrusted users.  That is not an acceptable
> limitation IMO.

Sure.  But actually, unlike what one might think from the paper's title,
protection doesn't rely very much on sparsity.  Quoting the paper:

     A capability typically consists of four fields as illustrated in Fig. 2.
  1. The put-port of the server that manages the object
  2. An object number meaningful only to the server managing the object
  3. A rights field, containing a 1 bit for each permitted operation
  4. A random number, for protecting each object

The random field is actually a function of a random number known only to
the server (and associated specifically to that object) and the rights
field.  All this makes it practically infeasible to forge capabilities.
At least, that doesn't seem to be limiting.

The nice thing here is that the capability mechanism itself is
distributed and fully implemented at the application level.  The only
kernel feature being relied on is the global port naming scheme.

Thanks,
Ludovic.
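An added example (not from this thread and not Amoeba's own code) of the four-field capability described above: the check field is derived from a per-object secret that only the managing server holds, together with the rights field, so a holder can neither widen the rights bits nor mint capabilities for other objects without that secret. HMAC-SHA256 truncated to 48 bits, the rights bit names and the class names are assumptions made here; the message does not give Amoeba's actual function.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

READ, WRITE, DESTROY = 1, 2, 4          # assumed rights bits, one per operation


@dataclass(frozen=True)
class Capability:
    port: bytes       # put-port of the server that manages the object
    object_no: int    # meaningful only to that server
    rights: int       # 1 bit for each permitted operation
    check: bytes      # f(per-object server secret, rights); opaque to the holder


class ObjectServer:
    """Application-level object server; the kernel only routes by port."""

    def __init__(self, port: bytes) -> None:
        self.port = port
        self._secrets: dict[int, bytes] = {}   # object number -> secret, never leaves the server

    def _check(self, object_no: int, rights: int) -> bytes:
        # Assumed construction: keyed one-way function of the object secret and the rights.
        msg = rights.to_bytes(4, "big")
        return hmac.new(self._secrets[object_no], msg, hashlib.sha256).digest()[:6]

    def _valid(self, cap: Capability) -> bool:
        if cap.port != self.port or cap.object_no not in self._secrets:
            return False
        return hmac.compare_digest(cap.check, self._check(cap.object_no, cap.rights))

    def create(self) -> Capability:
        object_no = len(self._secrets) + 1
        self._secrets[object_no] = os.urandom(16)
        return Capability(self.port, object_no, READ | WRITE | DESTROY,
                          self._check(object_no, READ | WRITE | DESTROY))

    def restrict(self, cap: Capability, mask: int) -> Capability:
        """Hand out a weaker capability, but only to someone holding a valid stronger one."""
        if not self._valid(cap) or mask & ~cap.rights:
            raise PermissionError("invalid capability or rights not held")
        new_rights = cap.rights & mask
        return Capability(self.port, cap.object_no, new_rights, self._check(cap.object_no, new_rights))

    def verify(self, cap: Capability, op: int) -> bool:
        """Server-side check before performing operation `op` on the object."""
        return self._valid(cap) and bool(cap.rights & op)


def with_rights(cap: Capability, rights: int) -> Capability:
    """Client-side rewrite of the rights field (check field unchanged); the server must reject it."""
    return replace(cap, rights=rights)
```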
