l4-hurd

Re: Distributed Capabilities


From: Jonathan S. Shapiro
Subject: Re: Distributed Capabilities
Date: Mon, 27 Mar 2006 14:05:09 -0500

On Mon, 2006-03-27 at 14:57 +0200, Ludovic Courtès wrote:
> Hi,
> 
> Tom Bachmann <address@hidden> writes:
> 
> > As described in one of my mails [1] to coyotos-dev and somewhere on
> > the E language homepage [2] it is possible to implement transparent
> > "remote" capabilities, i.e. caps that are invoked like normal local
> > ones but that actually invoke servers on other machines over the
> > net.
> 
> That is feasible, except that you lose confinement (i.e., the bit
> representation of capabilities is visible to the participants, so one
> can transfer capabilities off-line, e.g., over the phone), unless you
> consider that some ``trusted kernel'' hides that representation from
> applications on both ends.  This is what is proposed in [0] where the
> trusted thing is the language runtime running on both ends.

Actually, it's a very old idea. It's been proposed for KeyKOS and EROS,
and it goes back at least to DCCS (1976).

Either you have a trust agreement between the kernels, or no distributed
security story is possible in principle. Doesn't matter if it is
capabilities or something else.

> However, in practice, as Marcus said, everyone is free to run whatever
> OS they may like.

Not necessarily. This is an example of one of the *valid* uses of remote
attestation. Attestation gives me the ability to form my associations
with other people selectively. The right to assemble selectively is a
fundamental freedom that is currently not supported in computational
systems.

> [0] http://www.erights.org/elib/capability/dist-confine.html

E is a bit different, because it can at least trace exposure to a
particular machine and test consequences of partial security failures.

shap
