From: Mark Miller <>
Replying To: Ben Laurie <>
Date: Thu, 05 Dec 2002 10:59:47 -0800
Subject: Re: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

At 10:05 AM 12/5/2002 Thursday, Ben Laurie wrote:
>Surely [a C-lists-as-sets scenario] isn't a possible scenario for the kinds 
>of capabilities EROS or E have?

Absolutely not.  E, EROS, and virtually all actual capability systems are 
what Jonathan calls C-lists-as-maps.   C-lists-as-sets occur primarily in 
models of capability systems. This can be due to bad modelling, or due to 
the "maps" aspect being irrelevant to the issues being modelled, as in the 
Shapiro-Weber (SW) model in Jonathan's thesis.

The case of SW is quite revealing. SW was built to show that EROS could do 
confinement, which it succeeds at.  It was not built to show whether EROS was 
vulnerable to confused deputy, and by abstracting C-lists as sets, it cannot 
show that. Indeed, for other reasons, in SW one can't even speak of deputies.
If one took SW to be an accurate description of EROS, one would conclude 
that EROS was indeed vulnerable to confused deputy, which it isn't.

Lampson's paper was published in 1971, when capabilities were only four 
years old.  I am not shocked at the mistakes in the paper -- it was perhaps a 
respectable first try. I am shocked and boggled that the process of science 
could be so broken as to let these obvious mistakes lead 30 years of work -- 
both in academia and industry -- astray.

Text by me above is hereby placed in the public domain
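The sets-versus-maps distinction drawn above, as an added Python illustration that is not part of the e-mail or of EROS/E: the same deputy is modelled once with its C-list as a set of held capabilities and once as an index-to-capability map, to show why the set abstraction alone would report a confused deputy. All names (File, Cap, the billing and client-output files) are constructed for this example.

```python
class File:
    """A protected object. Constructed for the example."""
    def __init__(self, name):
        self.name = name
        self.contents = []

class Cap:
    """A capability: designation and authority bundled in one unforgeable value."""
    def __init__(self, obj):
        self.obj = obj
    def write(self, data):
        self.obj.contents.append(data)

def deputy_as_set(held, target, data):
    """Set model: the deputy's authority is the union of caps it holds, checked
    against a target the client merely names (designation is separate)."""
    if any(c.obj is target for c in held):
        target.contents.append(data)
        return True
    return False

def deputy_as_map(clist, slot, data):
    """Map model: the deputy acts through one slot of its index -> Cap map,
    so it can only reach what that slot's cap designates."""
    clist[slot].write(data)

def run_scenario():
    billing = File("billing")        # the deputy's private log
    output = File("client-output")   # the client's own file
    deputy_caps = {Cap(billing)}     # the deputy's own authority
    client_arg = Cap(output)         # the only cap the client can hand over

    # Set model: the client names `billing` as the place to write. After its
    # argument cap is merged into the deputy's set, the only question the model
    # can ask is "does the deputy hold some cap to billing?", which is true.
    set_model_wrote_billing = deputy_as_set(deputy_caps | {client_arg}, billing, "x")
    written_before_map = len(billing.contents)

    # Map model: the deputy installs the client's cap in slot 1 and writes
    # through that slot. A client holding no cap to `billing` has nothing to
    # put in the slot that could designate it, so billing is untouched.
    deputy_clist = {0: next(iter(deputy_caps)), 1: client_arg}
    deputy_as_map(deputy_clist, 1, "x")

    return {
        "set_model_wrote_billing": set_model_wrote_billing,
        "map_model_wrote_billing": len(billing.contents) > written_before_map,
        "map_model_wrote_client_output": output.contents == ["x"],
    }
```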
