From: Mark Miller <>
Replying To: Tyler Close <>
Date: Sun, 08 Dec 2002 19:31:09 -0800
Subject: [e-lang] Modelling Blindness (was: "Capability Myths Demolished" (was: Software security workshop))

At 05:02 PM 12/8/2002 Sunday, Tyler Close wrote:
>> No, I never imagined the inaccuracies were intentional, and there's no need
>> to question anyone's motives. I'm sure everyone paved the road to hell with
>> the best of intentions.
>I meant "intentional" in the same way that Jonathan's SW model is
>intentionally inaccurate. Some of the emails between you and
>Jonathan seemed to indicate that this was a possibility. Is it?

Ah, now I understand the question. But I wouldn't say that SW is 
"inaccurate".  SW includes certain things in the model and leaves out others, 
in order to make the confinement proof easier to carry through. So long as 
what's left in is accurate, and so long as the presentation of the model is 
clear that aspects of the real system are not represented in the model, I 
would avoid the term "inaccurate" to describe the situation.

Rather, I would say that SW is an accurate abstraction of EROS, even though 
this abstraction describes an ambient authority system.  As to whether 
Lampson71 is an accurate model or CAL-TSS or any other actual capability 
system, I don't know.

Text by me above is hereby placed in the public domain


e-lang mailing list