
19 Jun 2007
19 Jun '07 12:53 a.m.
Every capability system I've seen works like Unix file descriptors. The kernel assigns capability numbers, and since the numbers are only valid in one process, and the only valid capability numbers are to capabilities you have, there is no danger caused by guessing.
You know, when I typed that, I knew I really ought to qualify it a bit, because the word capability is used in several ways. You are, of course, right to say that this is a common implementation of capabilities in operating systems with multiple memory spaces, but it does not work in a single memory space design without language security where user processes can access the kernel tables. /jaap
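The first comment's point, that a descriptor number is only an index into the calling process's own table and so guessing a number from another process names nothing, can be shown directly on a Unix system. The program below is an added example, not code from either commenter: the parent holds the read end of a pipe as its "capability", the child drops its inherited copy so the same number is dead in its table, and the capability only becomes usable in the child after the kernel installs it via SCM_RIGHTS under a number of the kernel's choosing. The function names (holds_fd, demo_fd_capabilities) and the pipe secret are assumptions made for the example; as jaap notes, this relies on separate address spaces, since the child cannot reach the parent's table.

```c
/* Added example: file descriptors as per-process capabilities.
 * A descriptor number indexes the calling process's own table, so a number
 * copied from another process yields EBADF there unless the kernel itself
 * installs the object (SCM_RIGHTS), under a fresh number in the receiver. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is a valid descriptor in this process, 0 (errno == EBADF) otherwise. */
int holds_fd(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Send descriptor fd over a Unix-domain socket, attached to one data byte. */
static int send_fd(int sock, int fd) {
    char byte = 'c';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char ctl[CMSG_SPACE(sizeof(int))];
    memset(ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; the kernel picks its number in the receiving process. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char ctl[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Runs the whole exchange; returns 1 on success, 0 on any failure.
 * Parent: creates a pipe (the resource), writes a constructed secret into it,
 *   and holds the read end under some number R in its own table.
 * Child: closes every descriptor it inherited except the socket, so R names
 *   nothing in its table and "guessing" R fails with EBADF. It then receives
 *   the capability over SCM_RIGHTS, under a number the kernel assigns, and
 *   reads the secret through that number. */
int demo_fd_capabilities(void) {
    int sv[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0) return 0;
    const char secret[] = "token";   /* constructed sample data */
    if (write(pfd[1], secret, sizeof secret) != (ssize_t)sizeof secret) return 0;

    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        /* Child: drop the inherited copies; only the socket remains. */
        close(0); close(1); close(2);
        close(pfd[0]); close(pfd[1]); close(sv[0]);
        /* The parent's number for the pipe is not in our table. */
        if (holds_fd(pfd[0])) _exit(10);
        int got = recv_fd(sv[1]);
        if (got < 0 || !holds_fd(got)) _exit(11);
        /* Now the kernel has installed the object under a number it chose. */
        char buf[sizeof secret];
        if (read(got, buf, sizeof buf) != (ssize_t)sizeof secret) _exit(12);
        _exit(memcmp(buf, secret, sizeof secret) == 0 ? 0 : 13);
    }
    close(sv[1]);
    int rc = send_fd(sv[0], pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    close(sv[0]); close(pfd[0]); close(pfd[1]);
    return rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("%s\n", demo_fd_capabilities() ? "capability transfer ok" : "failed");
    return 0;
}
```

The child exits with a distinct code at each step it can fail, so a non-zero result tells you whether the guessed number was unexpectedly live, the transfer failed, or the data was wrong.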