Capability-Based Security for Redox: Namespace and CWD as Capabilities

64 points
4 days ago
by ejplatzer

Comments


als0

Good work. I'm happy to see this for Redox. There are numerous implementations of capabilities now, and they confirm that the concept really does simplify access control and sandboxing.

4 days ago

ambicapter

Could I get some examples? I'm interested in learning more.

4 days ago

kentonv

Cloudflare Workers is big on capabilities.

The recently released Dynamic Workers directly provides an API for capability-based sandboxing: https://developers.cloudflare.com/dynamic-workers/usage/bind...

But the platform has used caps internally all along. Cloudflare makes heavy use of Cap'n Proto (https://capnproto.org/), a capability-based RPC protocol, and recently released Cap'n Web (https://capnweb.dev/), a JavaScript-oriented version of the same idea. The "Cap'n" in both is short for "Capabilities and". (Dynamic Workers sandboxing is based around Cap'n Web capabilities.)

Most successful sandboxes use capabilities, though it's not often something you hear about. Android's IPC system, Binder, is a capability system. And Chrome has a capability-based IPC system called "Mojo".

Capabilities really shine when used for sandboxing, but here's a blog post I wrote that tries to explain the benefits beyond sandboxing: https://blog.cloudflare.com/workers-environment-live-object-...

(I am the lead developer of Cloudflare Workers, and the creator of Cap'n Proto and Cap'n Web.)

3 days ago
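To make the "capabilities for sandboxing" idea in the comment above concrete, here is an added example. It is not code from Cap'n Web, Cap'n Proto, Redox, or any commenter: a small in-memory object-capability model in which the current working directory is itself a capability. The `DirCap` class, the `buildStep` sandboxed component, and the sample tree are all constructed for illustration. A component can only reach what lies below the directory objects it was handed, because it is never given a global root to name other paths from.

```javascript
// Added illustration, not code from Cap'n Web, Cap'n Proto, or Redox: a minimal
// object-capability model of "the current directory is a capability". A component
// can only reach what is below the directory objects it was handed; there is no
// global root to name other paths from.

// Constructed sample filesystem: nested objects are directories, strings are files.
const TREE = {
  etc: { passwd: "root:x:0:0" },
  home: {
    alice: {
      project: { "main.rs": "fn main() {}", notes: "todo" },
      secrets: { token: "s3cr3t" },
    },
  },
};

const isDir = (n) => n !== null && typeof n === "object";
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

class DirCap {
  #node;      // the directory this capability designates
  #writable;  // permission carried by the reference itself, not looked up in an ACL

  constructor(node, writable = true) {
    this.#node = node;
    this.#writable = writable;
  }

  // Split a relative path and reject anything that could name a location
  // outside this directory. The check lives on the capability, so every holder
  // of a narrowed capability is confined the same way.
  #parts(path) {
    if (path.startsWith("/")) throw new Error(`absolute path refused: ${path}`);
    const parts = path.split("/").filter((p) => p !== "" && p !== ".");
    if (parts.includes("..")) throw new Error(`parent traversal refused: ${path}`);
    return parts;
  }

  #resolve(path) {
    let cur = this.#node;
    for (const p of this.#parts(path)) {
      if (!isDir(cur) || !hasOwn(cur, p)) throw new Error(`no such entry: ${path}`);
      cur = cur[p];
    }
    return cur;
  }

  read(path) {
    const n = this.#resolve(path);
    if (typeof n !== "string") throw new Error(`not a file: ${path}`);
    return n;
  }

  write(path, data) {
    if (!this.#writable) throw new Error("capability is read-only");
    const parts = this.#parts(path);
    if (parts.length === 0) throw new Error("empty file name");
    const name = parts.pop();
    const dir = this.#resolve(parts.join("/"));
    if (!isDir(dir)) throw new Error(`not a directory: ${parts.join("/")}`);
    dir[name] = data;
  }

  // Attenuation: derive a strictly narrower capability. The child cannot
  // recover the parent because it never receives a reference to it.
  subdir(path) {
    const n = this.#resolve(path);
    if (!isDir(n)) throw new Error(`not a directory: ${path}`);
    return new DirCap(n, this.#writable);
  }

  readOnly() {
    return new DirCap(this.#node, false);
  }
}

const throws = (fn) => { try { fn(); return false; } catch { return true; } };

// A sandboxed build step receives its working directory as an argument. It can
// read its sources and write its output, but nothing in its code can reach /etc
// or the sibling "secrets" directory, because it holds no capability to them.
function buildStep(cwd) {
  const src = cwd.read("main.rs");
  cwd.write("out.txt", `built from ${src.length} bytes`);
  return cwd.read("out.txt");
}

function runDemo() {
  const root = new DirCap(TREE);                            // full authority, held by the supervisor
  const project = root.subdir("home/alice/project");        // attenuated: the sandbox's "cwd"
  const ro = project.readOnly();                            // attenuated further: no writes
  return {
    buildOutput: buildStep(project),                                 // "built from 12 bytes"
    visibleToRoot: root.read("home/alice/project/out.txt"),          // same bytes, via the full capability
    parentEscape: throws(() => project.read("../secrets/token")),    // true: cannot climb out
    absoluteEscape: throws(() => project.read("/etc/passwd")),       // true: no global namespace
    readOnlyWrite: throws(() => ro.write("notes", "overwritten")),   // true: attenuation holds
    readOnlyRead: ro.read("notes"),                                  // "todo"
  };
}
```

The point the example makes is that there is no ambient authority to check against: `buildStep` never consults a policy, it simply cannot express a path to `/etc/passwd` or `../secrets` with the reference it holds. Passing `DirCap` objects across an RPC boundary, where the remote side holds only an opaque reference, is the same shape of design as the capability-based RPC protocols mentioned in the thread.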

als0

Implementations include seL4, Barrelfish, Google Fuchsia OS, Capsicum, and a slew of research systems too long to list. It's also worth checking out tangential things like the E programming language and Google's old Caja project.

3 days ago

Icathian

Cloudflare's developer platform uses them. That's what their "bindings" are.

4 days ago

aerzen

CapNProto RPC protocol

3 days ago

tuananh

There's also capsudo by kaniini.

https://github.com/kaniini/capsudo

4 days ago
