From: David L. Nicol
Subject: [DotGNU]pointers to nice things to read about "capability based security models"
Date: Thu, 12 Jul 2001 17:59:04 -0500
-------- Original Message --------
Return-Path: <address@hidden>
Date: Thu, 12 Jul 2001 15:01:05 -0700
Subject: Re: [Cap-Talk] immutable data
Cc: address@hidden
From: "Mark S. Miller" <address@hidden>
At 12:27 PM Thursday 7/12/01, Richard Uhtenwoldt wrote:
>I've been browsing eros-os.org et al for years but did not become
>enthusiastic about strong capabilities till I read Rees's paper. (Rees's
>paper requires a knowledge of Scheme and is at
>http://mumble.net/jar/pubs/secureos/ .)
It is truly an excellent paper (and thesis). Not only is it a great
explanation of capabilities, but it explains capabilities the "right" way.
AFAIK, there have been two threads of capability thinking in computer
science ( http://www.erights.org/history/overview.html ):
1) that rooted in operating systems and citing Butler Lampson's paper
"Protection" (or papers derived from this paper) either as the correct
definition or as the definition gone bad, or
2) that rooted in the lambda calculus.
The lambda thread yields much better formalisms as well as better ways of
thinking about capabilities. The best capability OSes, KeyKOS and EROS,
though typically described with Lampson-esque models, are actually much
better described in terms of the lambda calculus and Actors (as has been
discussed on the EROS list). Via Algol-68, the lambda calculus was a
significant influence on Norm's early thinking, but not enough on his
descriptions.
Hewitt's original Actors still seem to me like the clearest formal statement
of the capability computation model. But, as far as I remember, there are
no references between his work of the 70s and the capability OS work
happening at the same time. And I don't think Hewitt ever says
"capability". It looks to me like a completely independent discovery.