[erlang-questions] Capability model? (was: Process declarations)

Mark S. Miller markm@REDACTED
Wed Oct 25 18:56:14 CEST 2006


Tony Finch wrote:
> On Thu, 5 Oct 2006, Joe Armstrong wrote:
> 
>> Process declarations:
>> Do away with spawn. Replace with a process keyword:
>> So that we can name processes. Things without names we cannot talk about.
> 
> I think this is a bad idea because it's moving away from the capability
> model, where posession of a pid implies permission to communicate with it,
> and if you don't have the pid you can't. The pid *is* the name. Also, I'm
> not sure how your proposal deals with multiple processes running the
> annotated code.


Currently, the underlying logic of Erlang perfectly supports the capability 
model, but current Erlang practice does not. The main problems as I see it:

* pids are currently forgeable, by unserialization from a guessable 
representation.

* Common Erlang practice is to register pids in a global name table.

* Common Erlang practice is for process A to perform an RPC to process B by 
giving the B direct access to A's pid, and for A to distinguish B's response 
from further requests by A's clients by forgeable convention. This practice 
permits B to make requests of A, and it permits other clients of A to send to 
A a forged response to A's outstanding call to B.


All these problems are easily fixed while keeping the sense of Erlang. Only 
the first is fundamental, but is probably also the least painful. As has been 
discussed here previously, A can fix the last problem by creating an 
intermediate process, A2, to receive the response to this one request. It 
would then give B A2's pid. This change would be the most painful, as it would 
require pervasive changes to existing libraries.

So Erlang is at a fork in the road. It is well positioned to move towards 
capabilities if there's enough interest, and enough willingness to pay the 
price. Or if not, it may as well move away, because there's no benefit to 
remaining in this middle ground.

When considering this choice, ask whether Erlang has any other plausible route 
for supporting distributed security.

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM



More information about the erlang-questions mailing list