Hacker News
by sparkie 1155 days ago
I think the OS should begin with a lower level abstraction - object capabilities, and build out from there.

Rather than a loss of control, capabilities enable fine-grained control over authorization, because a capability both designates a resource and provides the authority to use it.

But pathnames are not useful as capabilities, because they can be easily forged. So at best a pathname could serve to discover resources for which you could then request a capability to access.

1 comment

Isn't Windows built this way?

Everything in Windows is an object, on a centralized resource broker Ob.

Windows uses capability-based access to enable fine-grained control. It is EAL4 - Methodically Designed, Tested and Reviewed.

This by itself doesn't prevent Windows from having security issues.

Windows does not have the kind of capabilities I'm referring to.

With proper capabilities, the capability itself provides the authority. There's no need to have separate access control lists or some kind of central resource broker. Each process manages its own capabilities, can create new capabilities and can delegate them to others. And importantly, capabilities can always be revoked, at any time.

See: http://www.erights.org/elib/capability/overview.html, https://en.wikipedia.org/wiki/Capability-based_security

Also see seL4 for an example of this done right.
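The model described in the opening comment and in the reply above (a capability both designates a resource and carries the authority to use it; a pathname is a forgeable designator, not authority; a holder can attenuate, delegate and revoke what it holds without a central access-control list), as an added example in plain Python. This is not code from the thread, from seL4 or from Windows; every class and function name (Resource, Cap, Revocable, make_revocable, scenario) is made up for illustration, and the "/etc/secret" entry is constructed sample data.

```python
"""Added example, not code from the thread: object capabilities in Python.
All names here are hypothetical and the sample resource is constructed."""


class Resource:
    """A toy mutable resource, standing in for a file."""

    def __init__(self, data: bytes) -> None:
        self.data = data


# --- Ambient authority via pathnames (what the first comment argues against) ---
# Anyone who can build the string reaches the object: the name designates the
# resource but carries no authority of its own, so it is trivially "forged".
PATH_TABLE = {"/etc/secret": Resource(b"hunter2")}  # constructed sample data


def open_by_path(path: str) -> Resource:
    return PATH_TABLE[path]


# --- Object capabilities ------------------------------------------------------
class RevokedError(Exception):
    pass


class Cap:
    """An unforgeable reference (an ordinary object) that designates a Resource
    and carries a fixed set of rights. Holding it *is* the authority; there is
    no ACL and no broker to consult."""

    def __init__(self, target: Resource, rights: frozenset) -> None:
        self._target = target
        self._rights = rights

    def _check(self, right: str) -> None:
        if right not in self._rights:
            raise PermissionError(f"capability lacks {right!r}")

    def read(self) -> bytes:
        self._check("read")
        return self._target.data

    def write(self, data: bytes) -> None:
        self._check("write")
        self._target.data = data

    def attenuate(self, rights) -> "Cap":
        # Delegation can only subtract rights, never amplify them.
        return Cap(self._target, self._rights & frozenset(rights))


class Revocable:
    """Caretaker pattern: a forwarder the holder may use until the creator
    revokes it. Attenuated children stay tied to their parent's liveness, so
    revoking the parent also cuts off everything delegated from it."""

    def __init__(self, target, parent: "Revocable | None" = None) -> None:
        self._target = target
        self._parent = parent

    def _live(self):
        if self._parent is not None:
            self._parent._live()
        if self._target is None:
            raise RevokedError("capability has been revoked")
        return self._target

    def read(self) -> bytes:
        return self._live().read()

    def write(self, data: bytes) -> None:
        self._live().write(data)

    def attenuate(self, rights) -> "Revocable":
        return Revocable(self._live().attenuate(rights), parent=self)


def make_revocable(cap):
    """Return (forwarder, revoke). Hand out the forwarder; keep revoke yourself."""
    fwd = Revocable(cap)

    def revoke() -> None:
        fwd._target = None

    return fwd, revoke


def scenario() -> dict:
    """Owner delegates read-only access to a 'worker', then revokes it."""
    owner = Cap(Resource(b"hunter2"), frozenset({"read", "write"}))
    fwd, revoke = make_revocable(owner)
    worker = fwd.attenuate({"read"})  # delegate: read-only, revocable
    out = {"worker_read": worker.read()}
    try:
        worker.write(b"x")
    except PermissionError:
        out["worker_write_denied"] = True
    revoke()  # owner pulls the delegation at any time
    try:
        worker.read()
    except RevokedError:
        out["revoked"] = True
    out["owner_read"] = owner.read()  # owner's own capability is unaffected
    out["forged_path_read"] = open_by_path("/etc/secret").data  # no cap needed
    return out
```

The contrast to note is the last line of scenario(): any code that can spell "/etc/secret" reads the resource, whereas the worker can only act through the Cap object it was handed, and only until the owner calls revoke(). A real system (seL4, E) enforces the unforgeability of the reference in the kernel or language runtime rather than relying on Python's lack of pointer arithmetic.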