[Haskell-cafe] OS design & FP aesthetics

Stefan O'Rear stefanor at cox.net
Mon Jun 18 20:45:02 EDT 2007


On Tue, Jun 19, 2007 at 02:36:31AM +0200, Jaap Weel wrote:
> > > Normally I've seen capabilities used so that you can't access
> > > anything you can't name.  Can you elaborate a little?
> >
> > He's saying that the language itself prevents programs from writing
> > outside their address spaces
> 
> Yep. Capabilities are usually not actually unforgeable, they are just
> picked from a largish key space. You can guess at them if you want to
> bother. Somewhere in the Exokernel papers, there is some discussion of
> this, and reference to the fact that a 64 bit capability is at least
> as secure as an 8 byte UNIX password, which I suppose is a fair
> assessment of the situation.

Every capability system I've seen works like Unix file descriptors.  The
kernel assigns capability numbers, and since the numbers are only valid
in one process, and the only valid capability numbers are to
capabilities you have, there is no danger caused by guessing.

Stefan
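To make the two designs in this exchange concrete, here is a small Python model added as an illustration (it is not code from the thread, from any exokernel, or from any real kernel). `DescriptorKernel` models Stefan's description: the kernel hands out small integer indices into a per-process table, so an index only resolves inside the table of the process that holds it, and the only way a capability crosses a process boundary is an explicit transfer. `SparseKernel` models the design Jaap describes, where a capability is a 64-bit token drawn from a large key space and presenting the right token is all that is needed. The class and method names, the resource strings, and the process ids are invented for the example.

```python
"""Toy model of descriptor-style versus sparse capabilities.
Added example for the thread above; not code from the thread or any kernel."""
import secrets
from typing import Dict, Set


class DescriptorKernel:
    """Capability = small integer index into the calling process's own table.
    The kernel assigns the index; it means nothing in any other process."""

    def __init__(self) -> None:
        self._tables: Dict[int, Dict[int, str]] = {}  # pid -> {index: resource}

    def create_process(self, pid: int) -> None:
        self._tables[pid] = {}

    def grant(self, pid: int, resource: str) -> int:
        """Install a capability in pid's table and return the lowest free
        index (the same slot rule Unix uses for open())."""
        table = self._tables[pid]
        index = 0
        while index in table:
            index += 1
        table[index] = resource
        return index

    def invoke(self, pid: int, index: int) -> str:
        """Use a capability. Only indices present in the caller's own table resolve."""
        table = self._tables.get(pid)
        if table is None or index not in table:
            raise PermissionError(f"pid {pid} holds no capability {index}")
        return table[index]

    def transfer(self, src_pid: int, index: int, dst_pid: int) -> int:
        """Explicit hand-off (the analogue of passing an fd over a Unix socket):
        the only way a capability ever crosses a process boundary."""
        return self.grant(dst_pid, self.invoke(src_pid, index))


class SparseKernel:
    """Capability = 64-bit random token in one global table. Whoever presents
    the token gets the resource, so secrecy of the token is the protection."""

    TOKEN_BITS = 64

    def __init__(self) -> None:
        self._table: Dict[int, str] = {}

    def grant(self, resource: str) -> int:
        token = secrets.randbits(self.TOKEN_BITS)
        self._table[token] = resource
        return token

    def invoke(self, token: int) -> str:
        if token not in self._table:
            raise PermissionError("unknown capability token")
        return self._table[token]

    def guess_success_probability(self) -> float:
        """Chance that one uniformly random token names some live capability."""
        return len(self._table) / 2 ** self.TOKEN_BITS


def reachable_by_probing(kernel: DescriptorKernel, pid: int, max_index: int) -> Set[str]:
    """Everything a process can reach by trying every small index in turn.
    In a descriptor design this is exactly the process's own table."""
    found: Set[str] = set()
    for index in range(max_index):
        try:
            found.add(kernel.invoke(pid, index))
        except PermissionError:
            pass
    return found


def demo() -> Set[str]:
    """Two processes, each holding index 0, naming different resources."""
    k = DescriptorKernel()
    k.create_process(1)
    k.create_process(2)
    k.grant(1, "secret-file")  # constructed: pid 1, index 0 -> secret-file
    k.grant(2, "stdout")       # constructed: pid 2, index 0 -> stdout
    # pid 2 walking every index sees only its own table, never pid 1's file
    return reachable_by_probing(k, 2, 1024)


if __name__ == "__main__":
    print(demo())  # {'stdout'}
```

The point of the model is the contrast in what "guessing" can mean: in the descriptor design the index space is private to each process, so enumerating indices only reveals what the caller already holds, whereas in the sparse design the whole key space is shared and the defence rests on the token being a secret that is effectively unguessable at 64 bits.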
