Security Properties of Distributed Platforms
The trust properties of the systems described here are as follows.
If one of the sites is compromised then signals from that site can cause capabilities conceptually held by some object at that site to be abused.
Capability discipline at that site disappears, but capabilities that never traveled to that site cannot be abused.
Applications are in a position to manage which sites they operate at.
Logic in the code that generates the application, or instances of objects within the application, can elect the sites where they will materialize.
Some objects of the application that do not need dangerous capabilities may be allowed to run at less trusted sites.
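The placement rule and the compromise argument above, as an added toy model that is not part of the original page: the sites, objects, capabilities and the binary "trusted" flag are all constructed assumptions.

```python
"""Toy model of capability placement across sites of differing trust.

Added illustration, not code from the original page. Sites, objects and
capabilities are constructed here; the binary 'trusted' flag is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Capability:
    name: str
    dangerous: bool  # e.g. "write payroll db" vs "render a report"


@dataclass(frozen=True)
class Site:
    name: str
    trusted: bool  # assumption: a site is either trusted or it is not


@dataclass
class Obj:
    name: str
    caps: frozenset          # capabilities this object holds
    site: Optional[Site] = None


class PlacementError(Exception):
    pass


def materialize(obj: Obj, site: Site) -> Obj:
    """Elect the site where an object materializes.

    An object holding any dangerous capability may only run at a trusted
    site; objects without dangerous capabilities may run at less trusted ones.
    """
    if not site.trusted and any(c.dangerous for c in obj.caps):
        raise PlacementError(f"{obj.name} holds a dangerous cap; refusing {site.name}")
    obj.site = site
    return obj


def abusable_after_compromise(objs, compromised: Site) -> set:
    """A compromised site can abuse exactly the capabilities that traveled to
    it; capabilities held only by objects elsewhere stay out of its reach."""
    return {c.name for o in objs if o.site == compromised for c in o.caps}


def demo() -> set:
    core, edge = Site("core", True), Site("edge", False)
    pay, render = Capability("write-payroll", True), Capability("render-report", False)
    objs = [materialize(Obj("ledger", frozenset({pay})), core),
            materialize(Obj("viewer", frozenset({render})), edge)]
    try:
        materialize(Obj("rogue", frozenset({pay, render})), edge)  # refused
    except PlacementError:
        pass
    return abusable_after_compromise(objs, edge)  # -> {"render-report"}
```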
Vulnerability to your Platform
It seems obvious that when a program with some effective authority runs on a platform, then that authority is accessible to the platform.
Lacking a precise definition of platform, I can’t prove this.
Here are a few examples of “platform”:
- Computer with no operating system
- Computer with MacOS or Windows
- Computer with Unix
- Computer with Keykos
- Scheme running on one of the above
- Java virtual machine running on one of the above
- E-vat running on one of the above.
Each of these systems can serve the needs of guest programs and is in a position to seize and abuse the authority of those programs.
I think that a central processor within a computer is also capable of doing this, but perhaps only in an environment where untrusted confederate code is allowed.
These same points are made from a somewhat different perspective in Capabilities As A Cryptographic Protocol.