On Fri, Jul 4, 2014 at 3:25 PM, Matt Oliveri <[email protected]> wrote:
> OK, I like that. But really, what the programmer must know is that
> authority is transitive and reflexive. They don't need to know what
> it's the transitive reflexive closure of.

Not so! If I'm holding a reference (a capability), and I want to know what authority it conveys, the answer is that the authority conveyed is the TRC of the permissions conveyed by the reference that I hold. This is very basic. It's important enough that if we really end up using interfaces for security ideas, we probably want an authority-oriented browsing view in an IDE.

> Whenever you know you can exercise A (somehow) to get B, and exercise
> B (somehow) to get C, you can exercise A (by doing both) to get C. At
> no point does that require knowing which operations are the atomic
> building blocks of security-relevant operations, as long as you know
> which operations under consideration are security-relevant. I'd say
> it's anti-compositional to worry about permission (in addition to
> authority).

Matt, you aren't getting it here, and this is really basic axiom stuff. authority = TRC(permission). I understand that this isn't a language person's way to think about things. It is THE conceptual foundation for thinking about information flow security issues correctly. And as with mathematics, the terms exist as they do for good reasons.

> I didn't mean to promote any particular approach, just to point out
> that there are different ways of building up the same authority
> structure from primitives, so the primitive permissions are not part
> of the essence of the system. I'm all for useful fictions about what
> the primitive operations are; that's what abstraction's all about.

You are misusing the term permissions. There are no primitive permissions. If you hold a reference, the permissions conveyed by that reference are the operations that the reference directly permits. Period. Full Stop. It hasn't got a thing to do with whether those operations are primitive.

The primitive *operations* damned well *are* part of the essence of the system. Structure those wrong and you get an unsecurable system.

shap
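The relation the message keeps insisting on, authority = TRC(permission), as an added worked example in Python. This is not code from the thread, from BitC or from Coyotos; the object graph, the reference names (DIR_FULL, FILE_RW and so on) and the operation names are constructed for illustration. Permissions are modelled as exactly the operations a held reference directly permits; authority is computed as the reflexive transitive closure of that over the "exercise an operation, obtain a further reference" relation, so attenuating a reference (dropping the fetch operation, or handing out a read-only file reference) visibly attenuates everything reachable through it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# A reference (capability) names an object and carries the set of
# operations it directly permits on that object.
@dataclass(frozen=True)
class Ref:
    obj: str
    ops: FrozenSet[str]

# (object, operation) pairs: the unit in which both permission and
# authority are measured below.
Right = Tuple[str, str]

# Object graph: for each object, which permitted operation hands back
# which further reference.  Operations absent here yield no reference.
# Hypothetical structure, constructed for this example.
Graph = Dict[str, Dict[str, Ref]]


def permissions(ref: Ref) -> Set[Right]:
    """Permissions conveyed by a reference: exactly the operations the
    reference directly permits.  Nothing transitive, nothing 'primitive'."""
    return {(ref.obj, op) for op in ref.ops}


def authority(ref: Ref, graph: Graph) -> Set[Right]:
    """Authority conveyed by a reference: the transitive reflexive closure
    of permission over the 'exercise op -> obtain ref' relation.
    Reflexive: the held reference's own permissions are included.
    Transitive: any reference obtainable by exercising a permitted
    operation contributes its permissions, recursively.  The 'held' set
    makes this terminate on cyclic graphs (e.g. file -> parent -> dir)."""
    held: Set[Ref] = {ref}
    worklist = [ref]
    rights: Set[Right] = set()
    while worklist:
        r = worklist.pop()
        rights |= permissions(r)
        for op in r.ops:
            obtained = graph.get(r.obj, {}).get(op)
            if obtained is not None and obtained not in held:
                held.add(obtained)
                worklist.append(obtained)
    return rights


def excess_authority(ref: Ref, graph: Graph) -> Set[Right]:
    """What a permission-only view of 'ref' would fail to show."""
    return authority(ref, graph) - permissions(ref)


# --- constructed sample (not from the thread) --------------------------
# A directory whose slot 0 holds a read/write file reference, and a file
# whose 'parent' operation hands back the full directory reference.
FILE_RW = Ref("file", frozenset({"read", "write", "parent"}))
DIR_FULL = Ref("dir", frozenset({"list", "fetch_slot0"}))
DIR_LIST_ONLY = Ref("dir", frozenset({"list"}))   # attenuated: cannot fetch
FILE_RO = Ref("file", frozenset({"read"}))         # attenuated: no parent, no write

GRAPH: Graph = {
    "dir": {"fetch_slot0": FILE_RW},
    "file": {"parent": DIR_FULL},
}


if __name__ == "__main__":
    for name, ref in [("DIR_FULL", DIR_FULL), ("DIR_LIST_ONLY", DIR_LIST_ONLY),
                      ("FILE_RW", FILE_RW), ("FILE_RO", FILE_RO)]:
        print(name)
        print("  permissions:", sorted(permissions(ref)))
        print("  authority:  ", sorted(authority(ref, GRAPH)))
```

The point to take from running it: DIR_FULL's permissions are two directory operations, but its authority includes read and write on the file, because fetch_slot0 hands that reference back; DIR_LIST_ONLY and FILE_RO, which permit no reference-yielding operation, have authority equal to their permissions. An IDE's authority-oriented view would be showing the first set, not the second.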
_______________________________________________ bitc-dev mailing list [email protected] http://www.coyotos.org/mailman/listinfo/bitc-dev
