
Re: [ANNOUNCE] Introducing Codezero

From: Bas Wijnen
Subject: Re: [ANNOUNCE] Introducing Codezero
Date: Tue, 28 Jul 2009 08:37:36 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

On Sun, Jul 26, 2009 at 01:53:29PM +0200, Bas Wijnen wrote:
> The ability to contact a thread is one thing you need a capability for.
> But to contact a thread with a certain request (and no other) is also
> something capabilities should allow for.  That is hard to implement
> without kernel protection, AFAICS.

I forgot to mention a feature that is not possible without kernel
protection: encapsulation.  If the server is responsible for its access
control, it is impossible to forbid it to _receive_ messages from
untrusted sources.  If there is a program that is willing to listen, it
can simply not do access control, and allow any request.  That means
that you never know if a program can communicate (in fact both incoming
and outgoing) with other programs.  AFAICS, the only solution to this is
kernel support.

For me, supporting encapsulation is extremely important.  It means that
a user can start a program in a safe way.  Even if the program is
malicious, and somewhere on the system is another malicious program
which would like to work together with it, it is impossible because they
cannot talk.  IMO this is the main missing feature in all current
systems, and the main reason people think computers are untrustable.


I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://a82-93-13-222.adsl.xs4all.nl/e-mail.html

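The point made above, that a willing listener defeats any access control the server does itself while a kernel that checks capabilities on every send does not, is easy to see in a toy model. The following is an added example, not code from the original message or from Codezero; every class and function name in it (`ServerSideACL`, `Kernel`, `Cap`, `scenario_kernel`, and so on) is this example's own, and the scenario is constructed. The kernel model also covers the earlier point in the thread, a capability that permits one request and no other, by letting a holder derive a narrower capability and having the kernel refuse requests outside it.

```python
"""Toy model of two IPC designs: access control done by the receiving server
versus capability checks enforced in the kernel. Constructed example; the
names here are not from any real kernel."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Cap:
    endpoint: int               # endpoint this capability addresses
    allowed: FrozenSet[str]     # request names it may carry; "*" means any


@dataclass
class Thread:
    name: str
    inbox: List[dict] = field(default_factory=list)
    # handle -> Cap. Kernel-owned state in a real system; a thread sees handles only.
    caps: Dict[int, Cap] = field(default_factory=dict)


class ServerSideACL:
    """No kernel mediation: anyone can address anyone by name, the receiver's
    own policy decides. A receiver that wants to collude just accepts all."""

    def __init__(self) -> None:
        self.threads: Dict[str, tuple] = {}

    def register(self, thread: Thread, policy: Callable[[str, str], bool]) -> None:
        self.threads[thread.name] = (thread, policy)

    def send(self, sender: Thread, dst_name: str, request: str) -> bool:
        dst, policy = self.threads[dst_name]
        if not policy(sender.name, request):
            return False
        dst.inbox.append({"from": sender.name, "request": request})
        return True


class Kernel:
    """Capability-mediated IPC: a message is delivered only through a capability
    the sender holds, and the kernel checks it before the receiver runs."""

    def __init__(self) -> None:
        self._next = 0
        self._owner: Dict[int, Thread] = {}   # endpoint id -> receiving thread

    def _fresh(self) -> int:
        self._next += 1
        return self._next

    def _install(self, thread: Thread, cap: Cap) -> int:
        handle = self._fresh()
        thread.caps[handle] = cap
        return handle

    def new_endpoint(self, owner: Thread, holder: Thread) -> int:
        """Endpoint delivering to `owner`; the full-rights handle goes to `holder`
        (the launcher that set `owner` up decides who may ever reach it)."""
        eid = self._fresh()
        self._owner[eid] = owner
        return self._install(holder, Cap(eid, frozenset({"*"})))

    def restrict(self, holder: Thread, handle: int, allowed) -> int:
        """Derive a weaker capability (subset of requests); never amplify."""
        cap = holder.caps[handle]
        wanted = frozenset(allowed)
        if "*" not in cap.allowed and not wanted <= cap.allowed:
            raise PermissionError("cannot amplify rights")
        return self._install(holder, Cap(cap.endpoint, wanted))

    def send(self, sender: Thread, handle: int, request: str,
             grant: Optional[int] = None) -> dict:
        cap = sender.caps.get(handle)
        if cap is None:
            raise PermissionError(f"{sender.name} holds no capability {handle}")
        if "*" not in cap.allowed and request not in cap.allowed:
            raise PermissionError(f"{sender.name}: {request!r} not permitted")
        dst = self._owner[cap.endpoint]
        msg = {"from": sender.name, "request": request}
        if grant is not None:
            # Capability transfer rides on a channel that already exists, so a
            # confined thread cannot hand its endpoint to someone it cannot reach.
            msg["cap"] = self._install(dst, sender.caps[grant])
        dst.inbox.append(msg)
        return msg


def scenario_server_side() -> bool:
    """Malicious A listens to anyone; malicious B finds it. True if B got through."""
    ipc = ServerSideACL()
    a, b = Thread("A"), Thread("B")
    ipc.register(a, policy=lambda src, req: True)    # does no access control
    ipc.register(b, policy=lambda src, req: False)
    ipc.send(b, "A", "collude")
    return len(a.inbox) == 1


def blocked(fn) -> bool:
    try:
        fn()
    except PermissionError:
        return True
    return False


def scenario_kernel() -> dict:
    """User starts A holding only what the user chose; B, started elsewhere,
    holds nothing that reaches A. Returns what each party could do."""
    k = Kernel()
    user, a, b, helper = Thread("user"), Thread("A"), Thread("B"), Thread("helper")
    to_a = k.new_endpoint(owner=a, holder=user)
    to_helper = k.new_endpoint(owner=helper, holder=user)
    read_only = k.restrict(user, to_a, {"read"})       # "read" and nothing else
    got = k.send(user, to_helper, "init", grant=read_only)
    h = got["cap"]                                     # helper's handle to A
    return {
        "b_to_a": not blocked(lambda: k.send(b, 1, "collude")),
        "a_to_b": not blocked(lambda: k.send(a, 1, "collude")),
        "helper_read": not blocked(lambda: k.send(helper, h, "read")),
        "helper_write": not blocked(lambda: k.send(helper, h, "write")),
        "helper_amplify": not blocked(lambda: k.restrict(helper, h, {"read", "write"})),
        "a_received": [(m["from"], m["request"]) for m in a.inbox],
    }
```

In the server-side model B reaches A because A chose to accept; in the kernel model neither A nor B can even address the other, whatever they intend, because no capability linking them was ever installed and the only way to pass one is over a channel that would already have to exist. The helper's narrowed capability shows the other half: the kernel, not A, rejects the `write`.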
