
This article seems to be recommending the use of capabilities, but a question is how you represent a capability, if not as a string or a number like a file descriptor. And how do you send it over a network, if not as a byte sequence?


For capabilities to work they need to be unforgeable. So you need some opaque handle (and a memory/type-safe language), and on the wire you need some sort of cryptographic signing.


Seems like you could store an unforgeable hash in an environment variable, though, or put it in a constant in source code. This only works if you treat it as a secret. Also, maybe they should expire?
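The two comments above describe the pieces of a network-transmissible capability: an opaque token the holder merely passes along, a MAC so only the issuer can mint one, and an expiry. The following is an added example written for this thread, not code from the article or from any commenter; the resource path, rights names and the HMAC-SHA256 construction are my own choices, and ISSUER_KEY stands in for a key the issuer keeps secret. It also shows the failure modes the thread raises: a token forged under a different key, a token whose rights were edited after minting, and an expired token are all rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: only the issuing service holds this key. The holder of a token
# never needs it; to the holder the token is just opaque bytes.
ISSUER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 appended to the payload


def mint(resource, rights, ttl_s, key=ISSUER_KEY, now=None):
    """Issue a capability for `rights` on `resource`, valid for ttl_s seconds."""
    now = time.time() if now is None else now
    claims = {
        "res": resource,
        "rights": sorted(set(rights)),
        "exp": int(now + ttl_s),
        "nonce": secrets.token_hex(8),  # makes every token distinct, so revocation lists can name one
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    # payload || tag, base64 so it survives headers, env vars and URLs unchanged
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify(token, key=ISSUER_KEY, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Check the MAC before parsing anything: an unauthenticated payload is untrusted input.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def authorize(token, resource, right, now=None):
    """The resource server's check: does this token grant `right` on `resource`?"""
    claims = verify(token, now=now)
    return claims is not None and claims["res"] == resource and right in claims["rights"]


def tamper(token, old, new):
    """Simulate an attacker editing the claims while keeping the original tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return base64.urlsafe_b64encode(payload.replace(old, new) + tag).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    cap = mint("/files/report.pdf", ["read"], ttl_s=60, now=t0)
    print("read allowed:      ", authorize(cap, "/files/report.pdf", "read", now=t0 + 10))
    print("write allowed:     ", authorize(cap, "/files/report.pdf", "write", now=t0 + 10))
    print("after expiry:      ", authorize(cap, "/files/report.pdf", "read", now=t0 + 120))
    forged = mint("/files/report.pdf", ["read", "write"], 60, key=b"\x00" * 32, now=t0)
    print("forged key:        ", authorize(forged, "/files/report.pdf", "write", now=t0 + 10))
    edited = tamper(cap, b'"read"', b'"write"')
    print("edited rights:     ", authorize(edited, "/files/report.pdf", "write", now=t0 + 10))
```

The holder stores the string exactly as the comment suggests, in an environment variable or config, and must guard it like a secret, because anyone who copies the bytes holds the capability; the MAC only stops people from minting or altering tokens, not from replaying a stolen one, which is what the expiry and the per-token nonce (usable in a revocation list) are for.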


The idea is that you don't look. A handle is opaque. You don't care or depend on what's in it. Doesn't matter if it's actually a number or a string.

As for sending over a network, those are the low-level details. You can keep high-level types most of the way.


Types work within a single process, but that's pretty limiting. Most people are dealing with multi-process systems, one way or another.

There is a trend towards more sandboxing - the sandboxes and pinholes model described in the article.



