Re: [colorforth] DARPA takes aim at IT sacred cows
- Subject: Re: [colorforth] DARPA takes aim at IT sacred cows
- From: "Samuel A. Falvo II" <kc5tja@xxxxxxxx>
- Date: Mon, 15 Mar 2004 08:08:48 -0800
On Monday 15 March 2004 06:57 am, John Drake wrote:
> to do anything that I would do. Take something as
> simple as e-mail viruses. M$ (the same folks that
> came up with WinNT's ACL system) put this "neat"
Actually, Microsoft did not think of ACLs; they hired a team from DEC to
write the NT kernel. This same team was also responsible for writing
VAX/VMS, and it is no surprise to see such extreme similarities between
the two systems. :-)
But this is a minor point of correction.
> And of course it could be used for useful things
> like workflow. Problem is VBA, by default, has
This was the original intent. However, Microsoft has capitalized
big-time on the other `uses' for it. It sells upgrades.
> the option of doing ANYTHING I would do with
> email without first asking permission! How many
> email viruses would be stopped if every time
> a VBA program wished to access your address list
> or send an email on your behalf it had to ask
> permission?
And this is precisely what a capability-based OS implementation would
have done. Instead of seeing things like this:
file = OpenFile( "C:\\whatever" )
you'd see code like this:
file = OpenFile( "Please select one or more files to send via Internet", READ+WRITE );
The OpenFile() function itself would be responsible for presenting the
user with a file requester. You can easily detect the presence of the
WRITE flag too, since most dialog boxes will replace the "Open" button
with "Save" in that case.
> Also with regards to the differences between
> ACLs and capability systems please read:
>
> http://www.eros-os.org/essays/ACLSvCaps.html
I've read it, and their arguments contradict the simple mathematical
proof that ACLs and capabilities are semantically equivalent. If
capabilities represent the vertical columns on a permissions matrix,
then ACLs represent the horizontal rows. They both express *exactly*
the same level of information.
The issue is that capabilities make writing a secure system *easier*, at
least in theory. For example, Unix file handles represent (to some
extent) capabilities. Consider that every process starts out with
stdin, stdout, and stderr pre-configured for it. The parent process
MAY also preconfigure other handles as well. What makes the system
insecure (from the viewpoint of capabilities) is that a child process
may then open or close those handles independently of the parent
process.
--
Samuel A. Falvo II
---------------------------------------------------------------------
To unsubscribe, e-mail: colorforth-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, e-mail: colorforth-help@xxxxxxxxxxxxxxxxxx
Main web page - http://www.colorforth.com
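The "Unix file handles as capabilities" point above, as an added example that is not part of the original post or of the colorforth project: a parent opens a file and hands the child only the descriptor, the way the shell hands every process stdin, stdout and stderr. The child reads the contents without ever naming the path. The second function shows the hole the post describes: nothing confines a Unix child to the handles it was given, so it can simply `open()` the path itself. The temp file path and its "address book" contents are constructed for the demo; `CAP` is a hypothetical name for the inherited handle.

```c
/* Added example: Unix file descriptors as capability-like handles,
 * plus the ambient-authority hole the post points at.  Not from the
 * original post.  Temp file and contents are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a temp file holding `contents`; writes its path into `path`.
 * Returns 0 on success, -1 on failure. */
static int make_secret_file(char *path, size_t pathlen, const char *contents) {
    snprintf(path, pathlen, "/tmp/capdemo-XXXXXX");
    int fd = mkstemp(path);               /* constructed demo file */
    if (fd < 0) return -1;
    ssize_t n = write(fd, contents, strlen(contents));
    close(fd);
    return n == (ssize_t)strlen(contents) ? 0 : -1;
}

/* Parent opens `path` read-only and forks.  The child code never touches
 * the path: it only knows the descriptor `CAP` it inherited (with exec you
 * would dup2() it onto an agreed slot, exactly as the shell puts stdin at 0).
 * The child sends what it read back over a pipe.  Returns bytes read or -1. */
static ssize_t child_reads_via_inherited_fd(const char *path, char *out, size_t cap) {
    int CAP = open(path, O_RDONLY);       /* the capability being handed down */
    if (CAP < 0) return -1;
    int pipefd[2];
    if (pipe(pipefd) < 0) { close(CAP); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(CAP); close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {                       /* child: reads only via CAP */
        close(pipefd[0]);
        char buf[256];
        ssize_t n = read(CAP, buf, sizeof buf);
        if (n > 0) write(pipefd[1], buf, (size_t)n);
        _exit(0);
    }
    close(pipefd[1]);
    close(CAP);                           /* parent drops its own copy */
    ssize_t total = 0, n;
    while (total < (ssize_t)cap - 1 &&
           (n = read(pipefd[0], out + total, cap - 1 - (size_t)total)) > 0)
        total += n;
    out[total] = '\0';
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return total;
}

/* The hole: given only a path (ambient authority, not a capability), a
 * Unix child can open() it on its own, ignoring whatever handles the parent
 * chose to give it.  Returns 1 if the child succeeded, 0 if not, -1 on error. */
static int child_can_open_by_name(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(path, O_RDONLY);
        _exit(fd >= 0 ? 0 : 1);
    }
    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    char path[64], got[256];
    if (make_secret_file(path, sizeof path, "address book: alice, bob\n") != 0) return 1;
    ssize_t n = child_reads_via_inherited_fd(path, got, sizeof got);
    printf("child read %zd bytes through the inherited handle: %s", n, got);
    printf("child can also open the path by name: %s\n",
           child_can_open_by_name(path) ? "yes (ambient authority)" : "no");
    unlink(path);
    return 0;
}
```

The first function is the capability discipline the post has in mind: authority travels as a handle, and the code that uses it has no path to misuse. The second function is why the post calls Unix only "to some extent" a capability system: the child's ambient authority (its user ID plus a name) lets it bypass the handles entirely. The one control Unix does offer, the close-on-exec flag (`FD_CLOEXEC`), decides which handles survive an exec, but it does nothing to stop a child from opening new ones.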