dotgnu-general

[DotGNU]pointers to nice things to read about "capability based security


From: David L. Nicol
Subject: [DotGNU]pointers to nice things to read about "capability based security models"
Date: Thu, 12 Jul 2001 17:59:04 -0500

-------- Original Message --------
Return-Path: <address@hidden>
Date: Thu, 12 Jul 2001 15:01:05 -0700
Subject: Re: [Cap-Talk] immutable data
Cc: address@hidden
From: "Mark S. Miller" <address@hidden>

At 12:27 PM Thursday 7/12/01, Richard Uhtenwoldt wrote:
>I've been browsing eros-os.org et al for years but did not become
>enthusiastic about strong capabilities till I read Rees's paper.  (Rees's
>paper requires a knowledge of Scheme and is at
>http://mumble.net/jar/pubs/secureos/.

It is truly an excellent paper (and thesis).  Not only is it a great 
explanation of capabilities, but it explains capabilities the "right" way.  
AFAIK, there have been two threads of capability thinking in computer 
science ( http://www.erights.org/history/overview.html ):

1) that rooted in operating systems and citing Butler Lampson's paper 
"Protection" (or papers derived from this paper) either as the correct 
definition or as the definition gone bad, or

2) that rooted in the lambda calculus. 

The lambda thread yields much better formalisms as well as better ways of 
thinking about capabilities.  The best capability OSes, KeyKOS and EROS, 
though typically described with Lampson-esque models, are actually much 
better described in terms of the lambda calculus and Actors (as has been 
discussed on the EROS list).  Via Algol-68, the lambda calculus was a 
significant influence on Norm's early thinking, but not enough on his 
descriptions.

Hewitt's original Actors still seem to me like the clearest formal statement 
of the capability computation model.  But, as far as I remember, there are 
no references between his work of the 70s and the capability OS work 
happening at the same time.  And I don't think Hewitt ever says 
"capability".  It looks to me like a completely independent discovery. 
