From: Tyler Close <tyler@waterken.com>
Replying To: Jonathan S. Shapiro <shap@eros-os.org>
Date: Wed, 11 Dec 2002 16:55:39 -0400
Subject: Re: [e-lang] Modelling Blindness (was: "Capability Myths Demolished" (was: Software security workshop))

On Wednesday 11 December 2002 12:09, Jonathan Shapiro wrote:
> In modeling terms, the statement you want is "so long as the model is
> strictly more powerful than the real system". The model can be more
> permissive than the real system (as is the case in SW). In the tech
> report version of that work we took tremendous care to *ensure* that the
> model was strictly more powerful.

... 

> The Lampson model is not flawed in the sense that it is strictly more
> powerful than a real capability system. The *paper* is flawed in the
> sense that it lends itself to a variety of misunderstandings.

Wow, this is really bad jargon. The interpretation of the sentence
in plain English is completely misleading.  The Lampson model is
susceptible to the Confused Deputy and does not support
confinement, but is "more powerful" than a real capability system.

Can you suggest a textbook that defines this modeling jargon?

Tyler 
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang