Hacker Neue

Preferences
naasking parent
> Capabilities can simply hold a provenance that can be used to verify the source of the access. If that access is then revoked from that source, the capability doesn't need to change at all

This is basically using access control lists to mimic a capability system [1]. The capability folks did something similar in "Polaris", their layer atop Windows XP that enforced principle of least authority by default. If only MS had taken that and run with it.

[1] A Distributed Capability Computing System (DCCS), http://www.webstart.com/jed/papers/DCCS/

[2] Polaris: Virus-Safe Computing For Windows XP, https://cacm.acm.org/research/polaris-2/

LoganDark
> This is basically using access control lists to mimic a capability system

Is it? My understanding is access control lists are typically static, and on resources, defining what is allowed to access them, or on processes/threads/etc, defining what they are allowed to access. If you get a capability from something, and that something eventually becomes invalid, making the capability invalid, is keeping track of that necessarily an access control list? Is any data structure double-checking operations like that always necessarily an access control list? If each capability has a reference to a parent that it relies on to remain valid, does that mean each capability stores an access control list for itself?

If your answer to all of these is "yes, that's an access control list" then my response would be to start ignoring the presence of an access control list as it ceases to mean much of anything.

btilly
How equivalent this is to ACLs depends on what "provenance" means here.

One of the strategies with capabilities is that I do not hand you the capability that I own to X. Instead, I create a proxy Y that can make requests of X, and then hand you the capability to make requests of Y.

If I later stop Y, you lose access.

This can be viewed as a kind of provenance. The history of how the access came to be is reflected in the actual capability. The downside, obviously, is that we've added overhead. But this strategy can allow us to do a number of interesting things. Like split an existing capability into multiple finer grained ones.

naasking OP
"Construct proxy" need not be a primitive in the core system though. If message passing is the only means of communication, then interposition to create facets or attenuate permissions naturally follows. This works with ACLs too. All you need to do is restrict the rights amplification authority to discriminate what a capability actually points to, but this is a rights amplification operation and so should itself be a capability that's closely held. DCCS did this right, IIRC.
btilly
Yes. Just as we can build an ACL on a capability system, we can build a capability system on an ACL.

But this approach is more natural in a capability system. You have to write software differently for dealing with "I got permission through an ACL" versus "I got information through a capability". So when the default expectation is, "I get a capability," the right abstraction is already there for "...and this capability has something more behind it."

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal