The Protocol of the Month or the Unbounded TCB
It sometimes seems that every month a new network protocol or variation
comes along and a new daemon for Unix is thus required.
Naturally this new daemon requires
root privilege and comes with little or no documentation about how it will
use root authority, let alone any reason to believe that the new code
wields this authority correctly.
Yet the modern Unix administrator is expected
to install it, with root privilege.
Let’s imagine that some new chat protocol comes along and that we share
a machine with a capability style operating system.
We must modify or encapsulate the new daemon, but how do the system users
subscribe safely to the new service?
I am one of the users of the system and I value my attention.
I also want to try out the new service, so I invoke the newly provided factory
and pass the following capabilities:
- A space bank to which I retain a key with which I can zap the whole thing
- A meter to which I can retain a power switch in case I want to merely turn
the thing off at my discretion
- The authority to create one small window on my main screen.
The service will presumably announce new correspondents in this window.
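As an added illustration (a toy model written for this page, not code from the essay or any real capability system), here is the arrangement above in Python: the factory-built daemon is handed only a space bank, a meter and one window, while the user keeps the zap key and the power switch; the class names and the `run_scenario` traffic are assumptions for the model.

```python
class Revoked(Exception): pass  # authority the user has withdrawn

class SpaceBank:
    """Storage the daemon allocates from; the user keeps the zap key."""
    def __init__(self, limit):
        self.limit, self.used, self.alive = limit, 0, True
    def allocate(self, n):
        if not self.alive:
            raise Revoked("space bank zapped")
        if self.used + n > self.limit:
            raise MemoryError("bank exhausted")
        self.used += n
    def zap(self):
        # User-held key: everything built on this bank ceases to exist.
        self.alive, self.used = False, 0

class Meter:
    """CPU budget; the user keeps the power switch."""
    def __init__(self, ticks):
        self.ticks, self.on = ticks, True
    def charge(self, n=1):
        if not self.on or self.ticks < n:
            raise Revoked("meter off or exhausted")
        self.ticks -= n
    def switch_off(self):
        self.on = False

class Window:
    """The one small window; the daemon's only path to the user's screen."""
    def __init__(self):
        self.lines = []
    def show(self, msg):
        self.lines.append(msg)

class ChatDaemon:
    """Built by the factory; holds only the three caps it was handed."""
    def __init__(self, bank, meter, window):
        self.bank, self.meter, self.window = bank, meter, window
    def on_message(self, sender, text):
        self.meter.charge()                 # no meter, no CPU
        self.bank.allocate(len(text))       # no bank, no storage
        self.window.show(f"{sender}: {text}")  # no other output exists

def run_scenario():
    bank, meter, win = SpaceBank(64), Meter(3), Window()
    d = ChatDaemon(bank, meter, win)
    d.on_message("alice", "hi")          # constructed sample traffic
    meter.switch_off()                   # user flips the power switch
    try:
        d.on_message("bob", "still there?")
        stopped = False
    except Revoked:
        stopped = True
    bank.zap()                           # user zaps the whole thing
    return win.lines, stopped, bank.used
```

The daemon never sees anything resembling root: whatever it does, the damage is bounded by the three objects it was given, and the user can withdraw each of them without the daemon's cooperation.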
I created the window capability and endowed it with