On Tue, Jun 19, 2007 at 02:36:31AM +0200, Jaap Weel wrote:
> > > Normally I've seen capabilities used so that you can't access
> > > anything you can't name. Can you elaborate a little?
> >
> > He's saying that the language itself prevents programs from writing
> > outside their address spaces
>
> Yep. Capabilities are usually not actually unforgeable, they are just
> picked from a largish key space. You can guess at them if you want to
> bother. Somewhere in the Exokernel papers, there is some discussion of
> this, and reference to the fact that a 64 bit capability is at least
> as secure as an 8 byte UNIX password, which I suppose is a fair
> assessment of the situation.
Every capability system I've seen works like Unix file descriptors. The kernel assigns capability numbers, and since the numbers are only valid in one process, and the only valid capability numbers are to capabilities you have, there is no danger caused by guessing.

Stefan
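The two designs the thread contrasts, as an added toy model that is not code from the thread (the DescriptorKernel and SparseKernel classes are hypothetical): a per-process c-list indexed like Unix file descriptors, where an index issued to one process resolves to nothing in another, beside a sparse design where a 64-bit random token is the capability and any holder is served.

```python
import secrets

# Constructed toy model of the two capability designs compared in the thread
# (hypothetical classes, not the thread's code): indices into a per-process
# c-list versus random tokens drawn from a large key space.

class DescriptorKernel:
    """Capabilities are indices into the caller's own c-list (like Unix fds),
    so an index issued to one process means nothing in another."""

    def __init__(self):
        self._clists = {}  # pid -> list of objects the process may use

    def grant(self, pid, obj):
        """Kernel appends obj to pid's c-list and returns the new index."""
        clist = self._clists.setdefault(pid, [])
        clist.append(obj)
        return len(clist) - 1

    def use(self, pid, index):
        """Resolve index only in the calling process's table; else None."""
        clist = self._clists.get(pid, [])
        return clist[index] if 0 <= index < len(clist) else None


class SparseKernel:
    """Capabilities are 64-bit random tokens in one global table: whoever
    presents a valid token is served, so a guess is possible in principle."""

    def __init__(self):
        self._table = {}  # token -> object

    def grant(self, obj):
        token = secrets.randbits(64)
        self._table[token] = obj
        return token

    def use(self, token):
        return self._table.get(token)


def demo():
    dk = DescriptorKernel()
    a_idx = dk.grant("A", "secret.txt")
    sk = SparseKernel()
    tok = sk.grant("secret.txt")
    # B presenting A's index resolves in B's (empty) table, not A's;
    # the sparse token works for any holder, but a near-miss does not.
    return dk.use("A", a_idx), dk.use("B", a_idx), sk.use(tok), sk.use(tok ^ 1)
```

In the descriptor model the kernel, not the holder, decides what an index denotes, which is why Stefan's point about guessing holds there and not in the sparse model.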