> >Capabilities do not solve all problems in security [53].
> >.....
> >[53] Dan S. Wallach, Dirk Balfanz, Drew Dean, and Edward W. Felten.
> >Extensible security architectures for Java. In 16th Symposium on Operating
> >System Principles, October 1997.

A brief followup concerning the exchange I've been having with Dan Wallach
so far. The exchange is still in progress, and I'm going to ask him if it
can be republished, but I think it is fair to say that Dan has conceded that
the claims made in that paper about capability systems are mistaken.

In fact, Dan has now agreed that (unmodified) capability systems are
perfectly okay, and that none of the flaws ascribed to them in [53] are
true. Our discussion concerning this point has already put that issue to
rest. We are now debating whether mandatory security policies can be
*efficiently* enforced in a pure capability system.

The issue of efficiency is actually relevant, as something that is
mathematically sound but too slow to use is irrelevant. However, Dan is on
very weak ground, because he doesn't have any performance figures with which
to substantiate his claim, and Original E, E, and EROS provide examples that
demonstrate that it can be done perfectly acceptably.

Jonathan
-
Please send submissions to users@mozart-oz.org
and administrivia mail to users-request@mozart-oz.org.
The Mozart Oz web site is at http://www.mozart-oz.org/.