
On Tue, Jun 19, 2007 at 02:36:31AM +0200, Jaap Weel wrote:
Normally I've seen capabilities used so that you can't access anything you can't name. Can you elaborate a little?
He's saying that the language itself prevents programs from writing outside their address spaces.
Yep. Capabilities are usually not actually unforgeable, they are just picked from a largish key space. You can guess at them if you want to bother. Somewhere in the Exokernel papers, there is some discussion of this, and reference to the fact that a 64-bit capability is at least as secure as an 8-byte UNIX password, which I suppose is a fair assessment of the situation.
Every capability system I've seen works like Unix file descriptors. The kernel assigns capability numbers, and since the numbers are only valid in one process, and the only valid capability numbers are to capabilities you have, there is no danger caused by guessing.

Stefan
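Editor's note, added to this thread and not part of any of the messages above: the two models being contrasted here can be made concrete in a few dozen lines of C. The first is the "sparse" capability of the Exokernel discussion, a random token drawn from a large key space, where presenting the right bit pattern is the only proof of authority and a guesser can simply enumerate the space. The second is the descriptor-style capability of Stefan's reply, an index into a per-process table that the kernel fills in, where any integer a process names resolves either to something it already holds or to nothing. This is illustration code written for this page, not code from Exokernel, Unix or any of the posters; the splitmix64 generator with a fixed seed stands in for a kernel CSPRNG, and the table sizes and function names (sparse_grant, sparse_lookup, sparse_brute_force, desc_grant, desc_lookup, desc_transfer) are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A protected object: the thing a capability names. */
struct object { int id; };

/* ---- Model 1: "sparse" capabilities, random tokens from a large key space ---- */

#define SPARSE_MAX 16
struct sparse_entry { uint64_t token; struct object *obj; };
static struct sparse_entry sparse_table[SPARSE_MAX];
static size_t sparse_count;

/* splitmix64 with a fixed seed: a deterministic stand-in for the kernel's CSPRNG
   (an assumption of this example, chosen so that runs are reproducible). */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t next_random(void) {
    uint64_t z = (rng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

void sparse_reset(void) { sparse_count = 0; }

/* Mint a token of `bits` bits naming obj. Possession of the bit pattern is the
   only proof of authority; nothing records which process it was handed to. */
uint64_t sparse_grant(struct object *obj, unsigned bits) {
    uint64_t mask = bits >= 64 ? ~0ULL : ((1ULL << bits) - 1);
    uint64_t token = next_random() & mask;
    if (sparse_count == SPARSE_MAX) abort();   /* example table is fixed-size */
    sparse_table[sparse_count].token = token;
    sparse_table[sparse_count].obj = obj;
    sparse_count++;
    return token;
}

/* Anyone, in any process, who presents a matching token gets the object. */
struct object *sparse_lookup(uint64_t token) {
    for (size_t i = 0; i < sparse_count; i++)
        if (sparse_table[i].token == token) return sparse_table[i].obj;
    return NULL;
}

/* An attacker who was never granted anything just enumerates the key space.
   Returns the number of guesses needed to hit any live token, or 0 if nothing
   was hit within `limit` guesses. */
uint64_t sparse_brute_force(uint64_t limit) {
    for (uint64_t guess = 0; guess < limit; guess++)
        if (sparse_lookup(guess) != NULL) return guess + 1;
    return 0;
}

/* ---- Model 2: descriptor-style capabilities, per-process tables as with Unix fds ---- */

#define SLOTS 8
struct proc { struct object *slot[SLOTS]; };

void proc_init(struct proc *p) { memset(p, 0, sizeof *p); }

/* The kernel picks the index; it is meaningful only inside p's own table. */
int desc_grant(struct proc *p, struct object *obj) {
    for (int fd = 0; fd < SLOTS; fd++)
        if (p->slot[fd] == NULL) { p->slot[fd] = obj; return fd; }
    return -1;   /* table full */
}

/* Resolve fd in p's table. Any integer p can name resolves either to an object
   p already holds or to nothing, so guessing numbers gains p no new authority. */
struct object *desc_lookup(const struct proc *p, int fd) {
    if (fd < 0 || fd >= SLOTS) return NULL;
    return p->slot[fd];
}

/* Delegation is an explicit kernel operation (compare SCM_RIGHTS over a Unix
   socket); the receiver gets an index in its own table, not the sender's number. */
int desc_transfer(const struct proc *from, int fd, struct proc *to) {
    struct object *obj = desc_lookup(from, fd);
    return obj ? desc_grant(to, obj) : -1;
}

int main(void) {
    struct object secret = { 42 }, other = { 7 };

    sparse_reset();
    sparse_grant(&secret, 16);
    printf("16-bit sparse token hit after %llu guesses\n",
           (unsigned long long)sparse_brute_force(1ULL << 16));
    sparse_reset();
    sparse_grant(&secret, 64);
    printf("64-bit sparse token hit within 2^20 guesses: %s\n",
           sparse_brute_force(1ULL << 20) ? "yes" : "no");

    struct proc a, b;
    proc_init(&a); proc_init(&b);
    int fd_a = desc_grant(&a, &secret);          /* a holds secret at fd 0 */
    desc_grant(&b, &other);                      /* b holds other at its own fd 0 */
    struct object *o = desc_lookup(&b, fd_a);    /* b "forges" a's number */
    printf("b presenting a's descriptor %d reaches object %d (its own), not %d\n",
           fd_a, o ? o->id : -1, secret.id);
    int fd_b = desc_transfer(&a, fd_a, &b);      /* explicit delegation */
    printf("after transfer, b reaches object %d via its own fd %d\n",
           desc_lookup(&b, fd_b)->id, fd_b);
    return 0;
}
```

Compile with cc -std=c99 and run. The 16-bit token falls to enumeration within 2^16 guesses, while the 64-bit token is not hit within 2^20 guesses (an exhaustive search would take on the order of 2^63 on average, which is the sense in which it compares to an 8-byte password). In the descriptor model, process b presenting a's descriptor number resolves to b's own slot or to nothing, and the only way for b to reach a's object is the explicit transfer, which hands b an index in b's own table.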