From: dmitry@elros.cbb-automation.de (Dmitry Kazakov)
Newsgroups: comp.lang.ada
Subject: Re: Progress on AdaOS
Date: Fri, 07 Sep 2001 07:49:37 GMT
Message-ID: <3b9876e0.334859@news.cis.dfn.de>
References: <3b95d429.592218@news.cis.dfn.de> <3B9654AE.CD4382ED@san.rr.com> <3b9768b6.1671036@news.cis.dfn.de> <3B97A5C7.3ED71528@san.rr.com>

On Thu, 06 Sep 2001 16:35:21 GMT, Darren New wrote:

>> That's not safe, because the "password" and the code that checks can
>> be faked.
>
>Well, you have to make sure that doesn't happen. Certainly something
>like a capability to a file is going to be checked by the file
>server/process, not by the application trying to open the file.
>
>> It is generally no problem if an object's code is executed in the
>> caller's context. An exception may in the worst case destroy the caller.
>
>Well, uh, .... obviously a capability is an access control mechanism.
>You don't have access control protecting you from yourself. So a system
>using capabilities is going to have some alternate access controls (such
>as memory mapping or compiled-in array bounds checking, etc) that keep
>you from simply inspecting the code of the process that actually
>supplies the service denoted by the capability.

If there is "a process that supplies a service", then it is another
process, i.e. the method is executed in another context. This is another
case, and a heavyweight one. It would be very inefficient to have a
separate process for every object. This would also exclude passive
objects [= Ada protected objects], which have no task associated with
them.

>Check out the EROS web site. Your objections don't make any sense in
>context. And I can't figure out what context they would make sense in.

There is a general problem of how to protect private parts [routines and
data]. In an Ada program, the compiler protects you. This level is not
safe enough for an OS.

>> But definitely there should be objects with methods executed in some
>> more privileged context, no matter if the object itself exists in the
>> caller's one.
>
>Well, maybe not "more privileged". Maybe "differently privileged".

No matter. The rule is that one cannot gain more privileges than granted.

Regards,
Dmitry Kazakov
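A toy illustration of the point the two posters circle around: the service that holds the object validates the capability in its own context, so a caller cannot fake the check, and a holder can hand out a weaker capability but never a stronger one. This is an added example in Python, not code from the thread, from AdaOS or from EROS; the `FileServer` class, the `READ`/`WRITE` rights bits and the HMAC-tagged handle are assumptions made for the demo, not how EROS represents capabilities.

```python
"""Added example, not from the thread, AdaOS or EROS: a toy capability
server in which the *server* validates every capability it is handed.
A capability is an opaque handle (object id, rights, MAC); the MAC key
never leaves the server, so a caller cannot forge or amplify one.
Names, rights bits and the HMAC tag scheme are assumptions for the demo."""
import hashlib
import hmac
import os
from dataclasses import dataclass

READ, WRITE = 1, 2  # assumed rights bits for the demo


@dataclass(frozen=True)
class Capability:
    obj: str      # which object the handle names
    rights: int   # rights granted on it (bit set of READ, WRITE)
    tag: bytes    # server-side MAC over (obj, rights)


class FileServer:
    """Stands in for the 'file server/process' Darren mentions: all checks
    run here, in the server's context, never in the caller's."""

    def __init__(self):
        self._key = os.urandom(32)  # secret known only to the server
        self._files = {}

    def _mac(self, obj, rights):
        msg = f"{obj}\0{rights}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _check(self, cap, needed):
        # 1. the handle must be one this server issued (unforgeable)
        if not hmac.compare_digest(self._mac(cap.obj, cap.rights), cap.tag):
            raise PermissionError("forged capability")
        # 2. it must carry every right the operation needs
        if cap.rights & needed != needed:
            raise PermissionError("insufficient rights")

    def create(self, name, data=b""):
        self._files[name] = data
        return Capability(name, READ | WRITE, self._mac(name, READ | WRITE))

    def read(self, cap):
        self._check(cap, READ)
        return self._files[cap.obj]

    def write(self, cap, data):
        self._check(cap, WRITE)
        self._files[cap.obj] = data

    def restrict(self, cap, rights):
        """Attenuation: derive a capability with a subset of the holder's
        rights. Asking for a bit the holder lacks fails the check, which
        is Dmitry's rule that one cannot gain more than was granted."""
        self._check(cap, rights)
        return Capability(cap.obj, rights, self._mac(cap.obj, rights))


def demo():
    """Exercise the server; returns a dict of outcomes for the checks."""
    srv = FileServer()
    rw = srv.create("/etc/motd", b"hello")   # constructed sample object
    ro = srv.restrict(rw, READ)               # hand a read-only view to a client
    out = {"read_ok": srv.read(ro) == b"hello"}

    def denied(fn):
        try:
            fn()
        except PermissionError:
            return True
        return False

    out["ro_write_denied"] = denied(lambda: srv.write(ro, b"x"))
    # A caller edits the rights field of its read-only handle: the MAC no
    # longer matches, so the server rejects it as forged.
    forged = Capability(ro.obj, READ | WRITE, ro.tag)
    out["forged_write_denied"] = denied(lambda: srv.write(forged, b"x"))
    # Nor can the holder of a read-only handle derive a read-write one.
    out["amplify_denied"] = denied(lambda: srv.restrict(ro, READ | WRITE))
    out["file_unchanged"] = srv.read(rw) == b"hello"
    return out


if __name__ == "__main__":
    print(demo())
```

The MAC is only a stand-in for the protection a real capability kernel gets from keeping capabilities in kernel-owned storage and handing processes nothing but indices into it; what matters for the argument in the thread is that the check and the key live with the server, so a caller can neither run the check itself nor skip it.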