Security Properties of Distributed Platforms
The trust properties of the systems described here are as follows. If one
of the sites is compromised, then signals from that site can cause the
capabilities conceptually held by the objects at that site to be abused.
Capability discipline at that site disappears, but capabilities that never
traveled to that site cannot be abused. Applications are in a position to
manage which sites they operate at: logic in the code that generates the
application, or in the instances of objects within the application, can
elect the sites where those objects will materialize. Some objects of the application
that do not need dangerous capabilities may be allowed to run at less trusted
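The placement rule above, as an added example that is not part of the original page: a toy model in which an application's objects are materialized at sites of differing trust, dangerous capabilities are refused by untrusted sites, and the blast radius of a compromised site is exactly the set of capabilities that ever traveled there. All site, capability and object names, and the trusted/untrusted split, are hypothetical and constructed for illustration.

```python
# Added example, not code from the original page.  Sites, capabilities and
# objects below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Capability:
    name: str
    dangerous: bool   # e.g. write access to a ledger vs. read-only access


@dataclass
class Site:
    name: str
    trusted: bool
    # Every capability that ever traveled here.  Once the site is
    # compromised, capability discipline there is gone: signals from the
    # site can exercise any of these, whichever object "held" them.
    received: set = field(default_factory=set)


@dataclass
class Obj:
    name: str
    needs: frozenset              # capabilities the object must hold
    site: Optional[Site] = None
    holds: set = field(default_factory=set)


class PolicyViolation(Exception):
    pass


class Platform:
    def __init__(self, sites):
        self.sites = {s.name: s for s in sites}
        self.objects = {}

    def deliver(self, cap, site):
        """A capability travels to a site.  Untrusted sites refuse dangerous
        ones, so those never enter that site's blast radius."""
        if cap.dangerous and not site.trusted:
            raise PolicyViolation(f"{cap.name} may not travel to {site.name}")
        site.received.add(cap)

    def place(self, obj):
        """Elect the site where obj materializes.  An object without
        dangerous capabilities may run anywhere; the least trusted site is
        preferred so that trusted sites hold as little as possible."""
        needs_trust = any(c.dangerous for c in obj.needs)
        pool = [s for s in self.sites.values() if s.trusted or not needs_trust]
        if not pool:
            raise PolicyViolation(f"no site may host {obj.name}")
        site = min(pool, key=lambda s: s.trusted)   # False sorts before True
        for cap in obj.needs:
            self.deliver(cap, site)
        obj.site, obj.holds = site, set(obj.needs)
        self.objects[obj.name] = obj
        return site.name

    def delegate(self, giver, cap, receiver):
        """giver passes cap to receiver, so cap now also lives at receiver's
        site.  Only a current holder can delegate."""
        if cap not in giver.holds:
            raise PolicyViolation(f"{giver.name} does not hold {cap.name}")
        self.deliver(cap, receiver.site)
        receiver.holds.add(cap)

    def blast_radius(self, site_name):
        """What a compromise of this site can abuse: exactly the capabilities
        that ever traveled there, and nothing that did not."""
        return {c.name for c in self.sites[site_name].received}


# Constructed sample application: settlement at a trusted site, with
# read-only rendering and logging pushed out to an untrusted edge site.
LEDGER_WRITE = Capability("ledger_write", dangerous=True)
LEDGER_READ = Capability("ledger_read", dangerous=False)
CACHE_WRITE = Capability("cache_write", dangerous=False)


def build_demo():
    p = Platform([Site("hq", trusted=True), Site("edge", trusted=False)])
    p.place(Obj("Settler", frozenset({LEDGER_WRITE, LEDGER_READ})))
    p.place(Obj("Renderer", frozenset({LEDGER_READ})))
    p.place(Obj("Logger", frozenset({CACHE_WRITE})))
    return p


if __name__ == "__main__":
    p = build_demo()
    for name, obj in p.objects.items():
        print(f"{name:9} materialized at {obj.site.name}")
    for site in p.sites:
        print(f"compromise of {site}: {sorted(p.blast_radius(site))}")
    try:
        p.delegate(p.objects["Settler"], LEDGER_WRITE, p.objects["Renderer"])
    except PolicyViolation as e:
        print("refused:", e)
```

The two checks worth noticing are in `deliver` and `blast_radius`: the first is the application managing where its authority may go, the second is the consequence the section states, that a compromise of `edge` yields only `ledger_read` and `cache_write` because `ledger_write` never traveled there.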
Vulnerability to your Platform
It seems obvious that when a program with some effective authority runs
on a platform, that authority is accessible to the platform. Lacking
a precise definition of platform, I can't prove this. Here are a few examples.
Each of these systems can serve the needs of guest programs and is in a
position to seize and abuse the authority of those programs:
- Computer with no operating system
- Computer with MacOS or Windows
- Computer with Unix
- Computer with Keykos
- Scheme running on one of the above
- Java virtual machine running on one of the above
- E-vat running on one of the above.
I think that a central processor within a computer is also capable of
doing this, but perhaps only in an environment where untrusted confederate
code is allowed.
These same points are made from a slightly different perspective in
Capabilities As A Cryptographic Protocol.