[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ANNOUNCE] Introducing Codezero

From: Sam Mason
Subject: Re: [ANNOUNCE] Introducing Codezero
Date: Sun, 26 Jul 2009 11:57:54 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

On Sun, Jul 26, 2009 at 08:13:09AM +0200, Bas Wijnen wrote:
> While the provided links may certainly help, I think the biggest
> "conflict" is that Bahadir seems to be talking about unprotected
> capabilities (but correct me if I'm wrong), while most people here
> implicitly mean "capability" to be kernel-protected.  What I mean by
> protection is that it is impossible (not just very hard) for a thread to
> guess a capability, because when invoking, the kernel checks if you
> actually have it.

I was under the impression that when you have protected capabilities
you can make more guarantees about the ways in which capabilities can
propagate.  In most practical terms, guessing an arbitrary 256bit number
(say) is going to be just as secure as protected capabilities---you're
looking for bugs in either system and you're not going to be able to
brute force either.

In protected systems you can do things like garbage collect unreferenced
objects, which would not be possible in an unprotected scheme.

> This effect does indeed inflate the kernel, but it also has some good
> effects on security, which cannot be achieved without kernel support.

I tend to interpret this as follows; if every piece of code ends up
having to implement their own capabilities then that's going to be
significantly more code written and potential for bugs.  Putting
capabilities into the kernel allows some very useful design goals that
would otherwise be difficult.

> Again, I'm not saying this is something you must aim for with CodeZero.
> But it is something that IMO the Hurd should aim for (and I think most
> people here agree, but I'm not even sure about that).

On a personal level I'd say capabilities are very cool and should be
used much more than they are; I haven't thought about hurd for a while

  Sam  http://samason.me.uk/

reply via email to

[Prev in Thread] Current Thread [Next in Thread]