comp.lang.ada
* The Ravenscar profile and capabilities paradigm
@ 2021-10-11 13:33 Doctor Who
  2021-10-11 14:48 ` Luke A. Guest
                   ` (2 more replies)
  0 siblings, 3 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-11 13:33 UTC (permalink / raw)


Hello,
someone knows how to introduce the capabilities paradigm in Ada,
specifically for programs written using the Ravenscar profile ?


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 13:33 The Ravenscar profile and capabilities paradigm Doctor Who
@ 2021-10-11 14:48 ` Luke A. Guest
  2021-10-11 19:25   ` Doctor Who
  2021-10-11 15:32 ` Simon Wright
  2021-10-11 15:48 ` Shark8
  2 siblings, 1 reply; 31+ messages in thread
From: Luke A. Guest @ 2021-10-11 14:48 UTC (permalink / raw)


On 11/10/2021 14:33, Doctor Who wrote:
> Hello,
> someone knows how to introduce the capabilities paradigm in Ada,
> specifically for programs written using the Ravenscar profile ?
> 
> 

Capabilities are just a set of operations that an object / user can 
perform, or not. So, it's merely a bitset. A bitset which can form 
derived bitsets.


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 13:33 The Ravenscar profile and capabilities paradigm Doctor Who
  2021-10-11 14:48 ` Luke A. Guest
@ 2021-10-11 15:32 ` Simon Wright
  2021-10-11 19:24   ` Doctor Who
  2021-10-11 15:48 ` Shark8
  2 siblings, 1 reply; 31+ messages in thread
From: Simon Wright @ 2021-10-11 15:32 UTC (permalink / raw)


Doctor Who <doc@tardis.org> writes:

> someone knows how to introduce the capabilities paradigm in Ada,
> specifically for programs written using the Ravenscar profile ?

Google hasn't helped me to understand what you're getting at. Perhaps
you could expand?

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 13:33 The Ravenscar profile and capabilities paradigm Doctor Who
  2021-10-11 14:48 ` Luke A. Guest
  2021-10-11 15:32 ` Simon Wright
@ 2021-10-11 15:48 ` Shark8
  2021-10-11 19:25   ` Doctor Who
  2 siblings, 1 reply; 31+ messages in thread
From: Shark8 @ 2021-10-11 15:48 UTC (permalink / raw)


On Monday, October 11, 2021 at 7:33:53 AM UTC-6, Doctor Who wrote:
> Hello, 
> someone knows how to introduce the capabilities paradigm in Ada, 
> specifically for programs written using the Ravenscar profile ?
I'm not quite sure what you mean by "capabilities paradigm", could you elaborate on it a bit.

If my gut intuition is anything to go off of, you're referring to the ability to program against a type and operations thereon, correct?
If so, then Ada has this in the form of Generics: you can pass types, subprograms, values & objects, and generic packages via formal parameters.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 15:32 ` Simon Wright
@ 2021-10-11 19:24   ` Doctor Who
  2021-10-12 15:01     ` Shark8
  0 siblings, 1 reply; 31+ messages in thread
From: Doctor Who @ 2021-10-11 19:24 UTC (permalink / raw)


On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright <simon@pushface.org>
wrote:

>Doctor Who <doc@tardis.org> writes:
>
>> someone knows how to introduce the capabilities paradigm in Ada,
>> specifically for programs written using the Ravenscar profile ?
>
>Google hasn't helped me to understand what you're getting at. Perhaps
>you could expand?


wikipedia has a good explanation:
https://en.wikipedia.org/wiki/Capability-based_security

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 15:48 ` Shark8
@ 2021-10-11 19:25   ` Doctor Who
  0 siblings, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-11 19:25 UTC (permalink / raw)


On Mon, 11 Oct 2021 08:48:53 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Monday, October 11, 2021 at 7:33:53 AM UTC-6, Doctor Who wrote:
>> Hello, 
>> someone knows how to introduce the capabilities paradigm in Ada, 
>> specifically for programs written using the Ravenscar profile ?
>I'm not quite sure what you mean by "capabilities paradigm", could you elaborate on it a bit.
>
>If my gut intuition is anything to go off of, you're referring to the ability to program against a type and operations thereon, correct?
>If so, then Ada has this in the form of Generics: you can pass types, subprograms, values & objects, and generic packages via formal parameters.


I am referring to capability-based security.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 14:48 ` Luke A. Guest
@ 2021-10-11 19:25   ` Doctor Who
  2021-10-11 19:36     ` Luke A. Guest
  0 siblings, 1 reply; 31+ messages in thread
From: Doctor Who @ 2021-10-11 19:25 UTC (permalink / raw)


On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
<laguest@archeia.com> wrote:

>On 11/10/2021 14:33, Doctor Who wrote:
>> Hello,
>> someone knows how to introduce the capabilities paradigm in Ada,
>> specifically for programs written using the Ravenscar profile ?
>> 
>> 
>
>Capabilities are just a set of operations that an object / user can 
>perform, or not. So, it's merely a bitset. A bitset which can form 
>derived bitsets.
>

no it is another thing,
https://en.wikipedia.org/wiki/Capability-based_security

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 19:25   ` Doctor Who
@ 2021-10-11 19:36     ` Luke A. Guest
  2021-10-11 19:50       ` Doctor Who
  0 siblings, 1 reply; 31+ messages in thread
From: Luke A. Guest @ 2021-10-11 19:36 UTC (permalink / raw)


On 11/10/2021 20:25, Doctor Who wrote:
> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
> <laguest@archeia.com> wrote:
> 
>> On 11/10/2021 14:33, Doctor Who wrote:
>>> Hello,
>>> someone knows how to introduce the capabilities paradigm in Ada,
>>> specifically for programs written using the Ravenscar profile ?
>>>
>>>
>>
>> Capabilities are just a set of operations that an object / user can
>> perform, or not. So, it's merely a bitset. A bitset which can form
>> derived bitsets.
>>
> 
> no it is another thing,
> https://en.wikipedia.org/wiki/Capability-based_security
> 

I know what it is. It is still a set of bits, or, permissions, or 
capabilities. The capabilities are usually provided by the OS services.

But as you didn't specify whether you wanted to map onto an existing OS' 
capabilities or if you wanted to implement your own, I went with the latter.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 19:36     ` Luke A. Guest
@ 2021-10-11 19:50       ` Doctor Who
  2021-10-12  0:45         ` Luke A. Guest
  2021-10-12  5:17         ` Richard Iswara
  0 siblings, 2 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-11 19:50 UTC (permalink / raw)


On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
<laguest@archeia.com> wrote:

>On 11/10/2021 20:25, Doctor Who wrote:
>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>> <laguest@archeia.com> wrote:
>> 
>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>> Hello,
>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>> specifically for programs written using the Ravenscar profile ?
>>>>
>>>>
>>>
>>> Capabilities are just a set of operations that an object / user can
>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>> derived bitsets.
>>>
>> 
>> no it is another thing,
>> https://en.wikipedia.org/wiki/Capability-based_security
>> 
>
>I know what it is. It is still a set of bits, or, permissions, or 
>capabilities. The capabilities are usually provided by the OS services.
>
>But as you didn't specify whether you wanted to map onto an existing OS' 
>capabilities or if you wanted to implement your own, I went with the latter.

there isn't any existing OS that provides capability-security from the
ground up, I intend to implement my own.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 19:50       ` Doctor Who
@ 2021-10-12  0:45         ` Luke A. Guest
  2021-10-12  0:47           ` Luke A. Guest
  2021-10-12  2:29           ` Doctor Who
  2021-10-12  5:17         ` Richard Iswara
  1 sibling, 2 replies; 31+ messages in thread
From: Luke A. Guest @ 2021-10-12  0:45 UTC (permalink / raw)


On 11/10/2021 20:50, Doctor Who wrote:
> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
> <laguest@archeia.com> wrote:
> 
>> On 11/10/2021 20:25, Doctor Who wrote:
>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>>> <laguest@archeia.com> wrote:
>>>
>>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>>> Hello,
>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>
>>>>>
>>>>
>>>> Capabilities are just a set of operations that an object / user can
>>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>>> derived bitsets.
>>>>
>>>
>>> no it is another thing,
>>> https://en.wikipedia.org/wiki/Capability-based_security
>>>
>>
>> I know what it is. It is still a set of bits, or, permissions, or
>> capabilities. The capabilities are usually provided by the OS services.
>>
>> But as you didn't specify whether you wanted to map onto an existing OS'
>> capabilities or if you wanted to implement your own, I went with the latter.
> 
> there isn't any existing OS that provides capability-security from the
> ground up, I intend to implement my own.
> 

CapOS/KeyOS don't exist then?

Windows has capabilities.

Pretty sure iOS has them too.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  0:45         ` Luke A. Guest
@ 2021-10-12  0:47           ` Luke A. Guest
  2021-10-12  2:31             ` Doctor Who
  2021-10-12  2:29           ` Doctor Who
  1 sibling, 1 reply; 31+ messages in thread
From: Luke A. Guest @ 2021-10-12  0:47 UTC (permalink / raw)



On 12/10/2021 01:45, Luke A. Guest wrote:

> CapOS/KeyOS don't exist then?

Might be called KeyKos.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  0:45         ` Luke A. Guest
  2021-10-12  0:47           ` Luke A. Guest
@ 2021-10-12  2:29           ` Doctor Who
  2021-10-12  2:35             ` Doctor Who
  2021-10-12  3:19             ` Doctor Who
  1 sibling, 2 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-12  2:29 UTC (permalink / raw)


On Tue, 12 Oct 2021 01:45:40 +0100, "Luke A. Guest"
<laguest@archeia.com> wrote:

>On 11/10/2021 20:50, Doctor Who wrote:
>> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
>> <laguest@archeia.com> wrote:
>> 
>>> On 11/10/2021 20:25, Doctor Who wrote:
>>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>>>> <laguest@archeia.com> wrote:
>>>>
>>>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>>>> Hello,
>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>
>>>>>>
>>>>>
>>>>> Capabilities are just a set of operations that an object / user can
>>>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>>>> derived bitsets.
>>>>>
>>>>
>>>> no it is another thing,
>>>> https://en.wikipedia.org/wiki/Capability-based_security
>>>>
>>>
>>> I know what it is. It is still a set of bits, or, permissions, or
>>> capabilities. The capabilities are usually provided by the OS services.
>>>
>>> But as you didn't specify whether you wanted to map onto an existing OS'
>>> capabilities or if you wanted to implement your own, I went with the latter.
>> 
>> there isn't any existing OS that provides capability-security from the
>> ground up, I intend to implement my own.
>> 
>
>CapOS/KeyOS don't exist then?
>
>Windows has capabilities.
>
>Pretty sure iOS has them too.


only CapROS at the moment, KeyKOS only survives as an ancestor
reference to CapROS and Coyotos.

But Coyotos development has been sleeping for years now, and CapROS is
starting to revive only now.

But yes, I would choose CapROS now.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  0:47           ` Luke A. Guest
@ 2021-10-12  2:31             ` Doctor Who
  0 siblings, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-12  2:31 UTC (permalink / raw)


On Tue, 12 Oct 2021 01:47:28 +0100, "Luke A. Guest"
<laguest@archeia.com> wrote:

>
>On 12/10/2021 01:45, Luke A. Guest wrote:
>
>> CapOS/KeyOS don't exist then?
>
>Might be called KeyKos.


KeyKOS is the dead ancestor of EROS, Coyotos and CapROS.

GNOSIS was the ancestor of KeyKOS.


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  2:29           ` Doctor Who
@ 2021-10-12  2:35             ` Doctor Who
  2021-10-12  3:19             ` Doctor Who
  1 sibling, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-12  2:35 UTC (permalink / raw)


On Tue, 12 Oct 2021 04:29:42 +0200, Doctor Who <doc@tardis.org> wrote:

>On Tue, 12 Oct 2021 01:45:40 +0100, "Luke A. Guest"
><laguest@archeia.com> wrote:
>
>>On 11/10/2021 20:50, Doctor Who wrote:
>>> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
>>> <laguest@archeia.com> wrote:
>>> 
>>>> On 11/10/2021 20:25, Doctor Who wrote:
>>>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>>>>> <laguest@archeia.com> wrote:
>>>>>
>>>>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>>>>> Hello,
>>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Capabilities are just a set of operations that an object / user can
>>>>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>>>>> derived bitsets.
>>>>>>
>>>>>
>>>>> no it is another thing,
>>>>> https://en.wikipedia.org/wiki/Capability-based_security
>>>>>
>>>>
>>>> I know what it is. It is still a set of bits, or, permissions, or
>>>> capabilities. The capabilities are usually provided by the OS services.
>>>>
>>>> But as you didn't specify whether you wanted to map onto an existing OS'
>>>> capabilities or if you wanted to implement your own, I went with the latter.
>>> 
>>> there isn't any existing OS that provides capability-security from the
>>> ground up, I intend to implement my own.
>>> 
>>
>>CapOS/KeyOS don't exist then?
>>
>>Windows has capabilities.
>>
>>Pretty sure iOS has them too.
>
>
>only CapROS at the moment, KeyKOS only survives as an ancestor
>reference to CapROS and Coyotos.
>
>But Coyotos development has been sleeping for years now, and CapROS is
>starting to revive only now.
>
>But yes, I would choose CapROS now.


I participated in the development of Coyotos from 2000 until it
completely stopped in 2013.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  2:29           ` Doctor Who
  2021-10-12  2:35             ` Doctor Who
@ 2021-10-12  3:19             ` Doctor Who
  1 sibling, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-12  3:19 UTC (permalink / raw)


On Tue, 12 Oct 2021 04:29:42 +0200, Doctor Who <doc@tardis.org> wrote:

>On Tue, 12 Oct 2021 01:45:40 +0100, "Luke A. Guest"
><laguest@archeia.com> wrote:
>
>>On 11/10/2021 20:50, Doctor Who wrote:
>>> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
>>> <laguest@archeia.com> wrote:
>>> 
>>>> On 11/10/2021 20:25, Doctor Who wrote:
>>>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>>>>> <laguest@archeia.com> wrote:
>>>>>
>>>>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>>>>> Hello,
>>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Capabilities are just a set of operations that an object / user can
>>>>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>>>>> derived bitsets.
>>>>>>
>>>>>
>>>>> no it is another thing,
>>>>> https://en.wikipedia.org/wiki/Capability-based_security
>>>>>
>>>>
>>>> I know what it is. It is still a set of bits, or, permissions, or
>>>> capabilities. The capabilities are usually provided by the OS services.
>>>>
>>>> But as you didn't specify whether you wanted to map onto an existing OS'
>>>> capabilities or if you wanted to implement your own, I went with the latter.
>>> 
>>> there isn't any existing OS that provides capability-security from the
>>> ground up, I intend to implement my own.
>>> 
>>
>>CapOS/KeyOS don't exist then?
>>
>>Windows has capabilities.
>>
>>Pretty sure iOS has them too.
>
>
>only CapROS at the moment, KeyKOS only survives as an ancestor
>reference to CapROS and Coyotos.
>
>But Coyotos development has been sleeping for years now, and CapROS is
>starting to revive only now.

see the discussion here
https://groups.google.com/g/cap-talk/c/ThxbBiMcyFk/m/DnqbkZWGAQAJ


>
>But yes, I would choose CapROS now.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 19:50       ` Doctor Who
  2021-10-12  0:45         ` Luke A. Guest
@ 2021-10-12  5:17         ` Richard Iswara
  2021-10-12  6:42           ` Doctor Who
  1 sibling, 1 reply; 31+ messages in thread
From: Richard Iswara @ 2021-10-12  5:17 UTC (permalink / raw)


On 12/10/2021 02.50, Doctor Who wrote:
> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
> <laguest@archeia.com> wrote:
> 
>> On 11/10/2021 20:25, Doctor Who wrote:
>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>>> <laguest@archeia.com> wrote:
>>>
>>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>>> Hello,
>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>
>>>>>
>>>>
>>>> Capabilities are just a set of operations that an object / user can
>>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>>> derived bitsets.
>>>>
>>>
>>> no it is another thing,
>>> https://en.wikipedia.org/wiki/Capability-based_security
>>>
>>
>> I know what it is. It is still a set of bits, or, permissions, or
>> capabilities. The capabilities are usually provided by the OS services.
>>
>> But as you didn't specify whether you wanted to map onto an existing OS'
>> capabilities or if you wanted to implement your own, I went with the latter.
> 
> there isn't any existing OS that provides capability-security from the
> ground up, I intend to implement my own.
> 
seL4? The whitepaper includes the proofs also.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  5:17         ` Richard Iswara
@ 2021-10-12  6:42           ` Doctor Who
  2021-10-12 11:51             ` Richard Iswara
  0 siblings, 1 reply; 31+ messages in thread
From: Doctor Who @ 2021-10-12  6:42 UTC (permalink / raw)


On Tue, 12 Oct 2021 12:17:00 +0700, Richard Iswara
<haujekchifan@gmail.com> wrote:

>On 12/10/2021 02.50, Doctor Who wrote:
>> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest"
>> <laguest@archeia.com> wrote:
>> 
>>> On 11/10/2021 20:25, Doctor Who wrote:
>>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest"
>>>> <laguest@archeia.com> wrote:
>>>>
>>>>> On 11/10/2021 14:33, Doctor Who wrote:
>>>>>> Hello,
>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>
>>>>>>
>>>>>
>>>>> Capabilities are just a set of operations that an object / user can
>>>>> perform, or not. So, it's merely a bitset. A bitset which can form
>>>>> derived bitsets.
>>>>>
>>>>
>>>> no it is another thing,
>>>> https://en.wikipedia.org/wiki/Capability-based_security
>>>>
>>>
>>> I know what it is. It is still a set of bits, or, permissions, or
>>> capabilities. The capabilities are usually provided by the OS services.
>>>
>>> But as you didn't specify whether you wanted to map onto an existing OS'
>>> capabilities or if you wanted to implement your own, I went with the latter.
>> 
>> there isn't any existing OS that provides capability-security from the
>> ground up, I intend to implement my own.
>> 
>seL4? The whitepaper includes the proofs also.


eh yes, I forgot seL4, however it isn't much used I think

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12  6:42           ` Doctor Who
@ 2021-10-12 11:51             ` Richard Iswara
  2021-10-12 11:58               ` Luke A. Guest
  0 siblings, 1 reply; 31+ messages in thread
From: Richard Iswara @ 2021-10-12 11:51 UTC (permalink / raw)


On Tuesday, October 12, 2021 at 1:42:27 PM UTC+7, Doctor Who wrote:
> On Tue, 12 Oct 2021 12:17:00 +0700, Richard Iswara 
> <haujek...@gmail.com> wrote: 
> 
> >On 12/10/2021 02.50, Doctor Who wrote: 
> >> On Mon, 11 Oct 2021 20:36:46 +0100, "Luke A. Guest" 
> >> <lag...@archeia.com> wrote: 
> >> 
> >>> On 11/10/2021 20:25, Doctor Who wrote: 
> >>>> On Mon, 11 Oct 2021 15:48:37 +0100, "Luke A. Guest" 
> >>>> <lag...@archeia.com> wrote: 
> >>>> 
> >>>>> On 11/10/2021 14:33, Doctor Who wrote: 
> >>>>>> Hello, 
> >>>>>> someone knows how to introduce the capabilities paradigm in Ada, 
> >>>>>> specifically for programs written using the Ravenscar profile ? 
> >>>>>> 
> >>>>>> 
> >>>>> 
> >>>>> Capabilities are just a set of operations that an object / user can 
> >>>>> perform, or not. So, it's merely a bitset. A bitset which can form 
> >>>>> derived bitsets. 
> >>>>> 
> >>>> 
> >>>> no it is another thing, 
> >>>> https://en.wikipedia.org/wiki/Capability-based_security 
> >>>> 
> >>> 
> >>> I know what it is. It is still a set of bits, or, permissions, or 
> >>> capabilities. The capabilities are usually provided by the OS services. 
> >>> 
> >>> But as you didn't specify whether you wanted to map onto an existing OS' 
> >>> capabilities or if you wanted to implement your own, I went with the latter. 
> >> 
> >> there isn't any existing OS that provides capability-security from the 
> >> ground up, I intend to implement my own. 
> >> 
> >seL4? The whitepaper includes the proofs also.
> eh yes, I forgot seL4, however it isn't much used I think
Have Qualcomm and Apple iOS abandoned it when it changed from OKL4 to seL4?
I thought they use it for isolating their modem firmware from general OS.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 11:51             ` Richard Iswara
@ 2021-10-12 11:58               ` Luke A. Guest
  2021-10-12 15:04                 ` Doctor Who
  0 siblings, 1 reply; 31+ messages in thread
From: Luke A. Guest @ 2021-10-12 11:58 UTC (permalink / raw)



On 12/10/2021 12:51, Richard Iswara wrote:

>>>> there isn't any existing OS that provides capability-security from the
>>>> ground up, I intend to implement my own.
>>>>
>>> seL4? The whitepaper includes the proofs also.
>> eh yes, I forgot seL4, however it isn't much used I think
> Have Qualcomm and Apple iOS abandoned it when it changed from OKL4 to seL4?
> I thought they use it for isolating their modem firmware from general OS.
> 

The biggest flaw in L4 I found is that sigma0 cannot claim memory back 
from processes when it runs out. There was apparently work being done, 
but I don't know if they did it.

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-11 19:24   ` Doctor Who
@ 2021-10-12 15:01     ` Shark8
  2021-10-12 15:02       ` Luke A. Guest
  2021-10-14  3:46       ` Doctor Who
  0 siblings, 2 replies; 31+ messages in thread
From: Shark8 @ 2021-10-12 15:01 UTC (permalink / raw)


On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
> >Doctor Who writes: 
> > 
> >> someone knows how to introduce the capabilities paradigm in Ada, 
> >> specifically for programs written using the Ravenscar profile ? 
> > 
> >Google hasn't helped me to understand what you're getting at. Perhaps 
> >you could expand?
> wikipedia has a good explanation: 
> https://en.wikipedia.org/wiki/Capability-based_security
Ah.
Limited Private, unknown-discriminant types.

package Capabilities is
   --  Enumeration of the particular capabilities.
   type Capability is (Read, Copy, Whatever);
   --  A Boolean set for delineating a set of Capabilities.
   type Capability_List is array (Capability) of Boolean;
   --  An instance of a set of capabilities; note that:
   --  (1) LIMITED means there is no predefined assignment/copy.
   --  (2) PRIVATE means there is no public view to the components.
   --  (3) Unknown discriminants mean there is no object creation
   --      without a function call.
   type Instance (<>) is limited private;
   --  Create an instance; add any other needed parameters.
   function Create (Capabilities : Capability_List) return Instance;
   --  No permissions.
   function No_Permissions return Instance;
private
   --  The full view is limited as well, so not even this package's own
   --  body can copy an Instance. The (Ada 2012) raise expression makes a
   --  default-initialised Instance fail loudly instead of silently being
   --  all-False; the parentheses are required in a default expression.
   type Instance is limited record
      Permissions : Capability_List :=
        (raise Program_Error with "Capabilities.Instance must be initialized.");
      --  (others => False); -- Or maybe default to no permissions.
      --  OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
   end record;

   function Create (Capabilities : Capability_List) return Instance is
     (Permissions => Capabilities);
   function No_Permissions return Instance is
     (Create (Capability_List'(others => False)));
end Capabilities;

You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.

^ permalink raw reply	[flat|nested] 31+ messages in thread
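
An example added by the editor, not code from this thread nor from any of the systems it names, that builds on the limited-private type in the post above and on the "derived bitsets" remark earlier in the thread. It keeps a rights set behind a limited, unknown-discriminant type and adds the two operations a capability actually needs: attenuation, which derives a weaker capability by intersecting rights, and an access path that checks the right on every use. The package, type and subprogram names (Caps, Right, Rights, Object_Id, Capability, Mint, Attenuate, Read_Object, Write_Object, Not_Permitted, Demo_Caps) are all assumptions made for the example. The listing holds three compilation units; split it with gnatchop and build with gnatmake demo_caps.

```ada
package Caps is
   type Right  is (Read, Write);
   type Rights is array (Right) of Boolean;
   type Object_Id is range 1 .. 16;               -- the guarded resources
   --  A capability pairs an object with the rights held over it.
   --  LIMITED: no assignment or copy outside this package.
   --  (<>)   : clients cannot declare one except by calling Mint/Attenuate.
   type Capability (<>) is limited private;
   --  Full-rights capability. In a real system this sits in a private child
   --  package so that only the kernel can call it; public here for the driver.
   function Mint (Obj : Object_Id) return Capability;
   --  Weaker capability: Parent's rights intersected with Keep, so the
   --  result can never hold a right that Parent lacks.
   function Attenuate (Parent : Capability; Keep : Rights) return Capability;
   Not_Permitted : exception;
   --  The only path to the store: every access presents a capability.
   function  Read_Object  (C : Capability) return Integer;
   procedure Write_Object (C : Capability; Value : Integer);
private
   type Capability is limited record
      Obj  : Object_Id;
      Held : Rights;
   end record;
end Caps;

package body Caps is
   Store : array (Object_Id) of Integer := (others => 0);

   function Mint (Obj : Object_Id) return Capability is
     (Obj => Obj, Held => (others => True));

   --  "and" on a one-dimensional Boolean array is predefined: intersection.
   function Attenuate (Parent : Capability; Keep : Rights) return Capability is
     (Obj => Parent.Obj, Held => Parent.Held and Keep);

   function Read_Object (C : Capability) return Integer is
   begin
      if not C.Held (Read) then
         raise Not_Permitted with "Read right missing";
      end if;
      return Store (C.Obj);
   end Read_Object;

   procedure Write_Object (C : Capability; Value : Integer) is
   begin
      if not C.Held (Write) then
         raise Not_Permitted with "Write right missing";
      end if;
      Store (C.Obj) := Value;
   end Write_Object;
end Caps;

with Ada.Text_IO; use Ada.Text_IO;
with Caps;        use Caps;
procedure Demo_Caps is
   Root   : Capability := Mint (3);
   Reader : Capability := Attenuate (Root, Keep => (Read => True, others => False));
begin
   Write_Object (Root, 42);
   Put_Line ("reader sees" & Integer'Image (Read_Object (Reader)));
   begin
      Write_Object (Reader, 7);          -- Reader was attenuated to Read only
   exception
      when Not_Permitted => Put_Line ("write through read-only capability refused");
   end;
   --  Both of the following are compile-time errors, which is the point:
   --  Reader := Root;          -- limited type: no assignment
   --  Forged : Capability;     -- unknown discriminants: must call Mint or Attenuate
end Demo_Caps;
```

Nothing in Caps needs anything Ravenscar forbids: no tasks, no protected objects, no allocators, and the capabilities come back from build-in-place function calls, so there is no implicit heap allocation either. In a multi-task Ravenscar program Store would sit in a library-level protected object, and Mint would move to a private child package so that only the kernel half of the system can mint full-rights capabilities; the limited/(<>) combination is what stops everyone else from forging or copying one, and the Boolean array gives you the intersection operator for free, which is what keeps derivation monotone.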

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 15:01     ` Shark8
@ 2021-10-12 15:02       ` Luke A. Guest
  2021-10-12 15:33         ` Shark8
  2021-10-14  3:46       ` Doctor Who
  1 sibling, 1 reply; 31+ messages in thread
From: Luke A. Guest @ 2021-10-12 15:02 UTC (permalink / raw)


On 12/10/2021 16:01, Shark8 wrote:
> On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>>> Doctor Who writes:
>>>
>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>> specifically for programs written using the Ravenscar profile ?
>>>

>     Type Capability is ( Read, Copy, Whatever );

There can be a capability for literally anything, even ownership, and it can 
be different depending on object/OS service.

I'd say a tagged type is better than an enum.


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 11:58               ` Luke A. Guest
@ 2021-10-12 15:04                 ` Doctor Who
  0 siblings, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-12 15:04 UTC (permalink / raw)


On Tue, 12 Oct 2021 12:58:48 +0100, "Luke A. Guest"
<laguest@archeia.com> wrote:

>
>On 12/10/2021 12:51, Richard Iswara wrote:
>
>>>>> there isn't any existing OS that provides capability-security from the
>>>>> ground up, I intend to implement my own.
>>>>>
>>>> seL4? The whitepaper includes the proofs also.
>>> eh yes, I forgot seL4, however it isn't much used I think
>> Have Qualcomm and Apple iOS abandoned it when it changed from OKL4 to seL4?
>> I thought they use it for isolating their modem firmware from general OS.
>> 
>
>The biggest flaw in L4 I found is that sigma0 cannot claim memory back 
>from processes when it runs out. There was apparently work being done, 
>but I don't know if they did it.


in any case CapROS development is starting again and it promises to be
really interesting

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 15:02       ` Luke A. Guest
@ 2021-10-12 15:33         ` Shark8
  2021-10-12 15:43           ` Luke A. Guest
  0 siblings, 1 reply; 31+ messages in thread
From: Shark8 @ 2021-10-12 15:33 UTC (permalink / raw)


On Tuesday, October 12, 2021 at 9:04:09 AM UTC-6, Luke A. Guest wrote:
> On 12/10/2021 16:01, Shark8 wrote: 
> > On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote: 
> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote: 
> >>> Doctor Who writes: 
> >>> 
> >>>> someone knows how to introduce the capabilities paradigm in Ada, 
> >>>> specifically for programs written using the Ravenscar profile ? 
> >>>
> > Type Capability is ( Read, Copy, Whatever );
> There can be a capability for literally anything, even ownership, and it can 
> be different depending on object/OS service. 
> 
> I'd say a tagged type is better than an enum.
Possibly.
But there's no reason to complicate the general idea in example-form: even if it's a tagged type you're going to want the capability-instance to be limited-private; the implementation of the "permissions" component being a Boolean-array or a vector of Capability'Class [most obviously having Capability be an abstract tagged null record] is mostly irrelevant for that demonstration. (And using a vector of tagged-type instead of the array would have bogged the example down with importing and instantiating the Vector container and setting up multiple non-abstract Capability-descendants, cluttering the point of the example.)

^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 15:33         ` Shark8
@ 2021-10-12 15:43           ` Luke A. Guest
  2021-10-12 18:21             ` Doctor Who
  0 siblings, 1 reply; 31+ messages in thread
From: Luke A. Guest @ 2021-10-12 15:43 UTC (permalink / raw)


On 12/10/2021 16:33, Shark8 wrote:
> On Tuesday, October 12, 2021 at 9:04:09 AM UTC-6, Luke A. Guest wrote:
>> On 12/10/2021 16:01, Shark8 wrote:
>>> On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>>>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>>>>> Doctor Who writes:
>>>>>
>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>
>>> Type Capability is ( Read, Copy, Whatever );
>> There can be a capabiity for literally anything, even ownership and can
>> be different depending on object/os service.
>>
>> I'd say a tagged type is better than an enum.
> Possibly.
> But there's no reason to complicate the general idea in example-form: even if it's a tagged type you're going to want the capability-instance to be limited-private; the implementation of the "permissions" component being a Boolean-array or a vector of Capability'Class [most obviously having Capability be an abstract tagged null record] is mostly irrelevant for that demonstration. (And using a vector of tagged-type instead of the array would have bogged the example down with importing and instantiating the Vector container and setting up multiple non-abstract Capability-descendants, cluttering the point of the example.)
> 

Capabilities allow granting and revoking of access. IIRC, the kernel has 
access to all; it then grants access to certain processes, i.e. the 
memory server, filesystem server, etc., and each of those processes can 
further grant and revoke caps.



* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 15:43           ` Luke A. Guest
@ 2021-10-12 18:21             ` Doctor Who
  2021-10-12 18:24               ` Doctor Who
  0 siblings, 1 reply; 31+ messages in thread
From: Doctor Who @ 2021-10-12 18:21 UTC (permalink / raw)


On Tue, 12 Oct 2021 16:43:07 +0100, "Luke A. Guest"
<laguest@archeia.com> wrote:

>On 12/10/2021 16:33, Shark8 wrote:
>> On Tuesday, October 12, 2021 at 9:04:09 AM UTC-6, Luke A. Guest wrote:
>>> On 12/10/2021 16:01, Shark8 wrote:
>>>> On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>>>>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>>>>>> Doctor Who writes:
>>>>>>
>>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>
>>>> Type Capability is ( Read, Copy, Whatever );
>>> There can be a capability for literally anything, even ownership and can
>>> be different depending on object/os service.
>>>
>>> I'd say a tagged type is better than an enum.
>> Possibly.
>> But there's no reason to complicate the general idea in example-form: even if it's a tagged type you're going to want the capability-instance to be limited-private; the implementation of the "permissions" component being a Boolean-array or a vector of Capability'Class [most obviously having Capability be an abstract tagged null record] is mostly irrelevant for that demonstration. (And using a vector of tagged-type instead of the array would have bogged the example down with importing and instantiating the Vector container and setting up multiple non-abstract Capability-descendants, cluttering the point of the example.)
>> 
>
>Capabilities allow granting and revoking of access, iirc, the kernel has 
>access to all, the kernel then grants access to certain processes, i.e. 
>memory server, filesystem server, etc. each of those processes can 
>further grant and revoke caps.
>

Thank you all for the help; I hope this discussion goes far.
The most useful approach is the microkernel, where access to, and
operation of, each service is mediated by capabilities.

I would go so far as to define and implement a capability-based
microkernel written in Ada using the Ravenscar profile.


* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 18:21             ` Doctor Who
@ 2021-10-12 18:24               ` Doctor Who
  0 siblings, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-12 18:24 UTC (permalink / raw)


On Tue, 12 Oct 2021 20:21:28 +0200, Doctor Who <doc@tardis.org> wrote:

>On Tue, 12 Oct 2021 16:43:07 +0100, "Luke A. Guest"
><laguest@archeia.com> wrote:
>
>>On 12/10/2021 16:33, Shark8 wrote:
>>> On Tuesday, October 12, 2021 at 9:04:09 AM UTC-6, Luke A. Guest wrote:
>>>> On 12/10/2021 16:01, Shark8 wrote:
>>>>> On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>>>>>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>>>>>>> Doctor Who writes:
>>>>>>>
>>>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>>
>>>>> Type Capability is ( Read, Copy, Whatever );
>>>> There can be a capability for literally anything, even ownership and can
>>>> be different depending on object/os service.
>>>>
>>>> I'd say a tagged type is better than an enum.
>>> Possibly.
>>> But there's no reason to complicate the general idea in example-form: even if it's a tagged type you're going to want the capability-instance to be limited-private; the implementation of the "permissions" component being a Boolean-array or a vector of Capability'Class [most obviously having Capability be an abstract tagged null record] is mostly irrelevant for that demonstration. (And using a vector of tagged-type instead of the array would have bogged the example down with importing and instantiating the Vector container and setting up multiple non-abstract Capability-descendants, cluttering the point of the example.)
>>> 
>>
>>Capabilities allow granting and revoking of access, iirc, the kernel has 
>>access to all, the kernel then grants access to certain processes, i.e. 
>>memory server, filesystem server, etc. each of those processes can 
>>further grant and revoke caps.
>>
>
>thank you all for the help, I hope this discussion goes far.
>the most useful approach is the microkernel, where access to, and
>operation of, each service is mediated by capabilities.
>
>I would go so far to define and implement a capability-based
>microkernel written in Ada using the Ravenscar profile.

I like SweetAda, and I would like to implement something similar but
using the approach I described so far.


* Re: The Ravenscar profile and capabilities paradigm
  2021-10-12 15:01     ` Shark8
  2021-10-12 15:02       ` Luke A. Guest
@ 2021-10-14  3:46       ` Doctor Who
  2021-10-14 15:16         ` Shark8
  1 sibling, 1 reply; 31+ messages in thread
From: Doctor Who @ 2021-10-14  3:46 UTC (permalink / raw)


On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>> >Doctor Who writes: 
>> > 
>> >> someone knows how to introduce the capabilities paradigm in Ada, 
>> >> specifically for programs written using the Ravenscar profile ? 
>> > 
>> >Google hasn't helped me to understand what you're getting at. Perhaps 
>> >you could expand?
>> wikipedia has a good explanation: 
>> https://en.wikipedia.org/wiki/Capability-based_security
>Ah.
>Limited Private, unknown-discriminant types.
>
>Package Capabilities is
>   -- Enumeration of the particular capabilities.
>   Type Capability is ( Read, Copy, Whatever ); 
>   -- A Boolean set for delineating a set of Capabilities.
>   Type Capability_List is Array(Capability) of Boolean;
>   -- An instance of a set of capabilities; note that:
>   -- (1) LIMITED means there is no predefined assignment/copy.
>   -- (2) PRIVATE means there is no public view to the components.
>   -- (3) Unknown discriminants mean there is no object-creation w/o a function-call. 
>   Type Instance(<>) is limited private;
>   -- Create an instance; add any other needed parameters.
>   Function Create( Capabilities : Capability_List ) return Instance;
>   -- No permissions.
>   Function No_Permissions return Instance;
>Private
>   Type Instance is record
>      Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized.");
>      -- (others => False); -- Or maybe default to no permissions.
>      -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
>   End record;
>   
>   Function Create( Capabilities : Capability_List ) return Instance is
>      ( Permissions => Capabilities );
>   Function No_Permissions return Instance is
>      ( Create( Capability_List'(others => False) ) );
>End Capabilities;
>
>You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.


A Process Capability looks like this:

Operations:
a. "Read", address; > data;
b. "Write", address, data; > ;
c. "Take", index; > ; capability
d. "Give", index; capability > ;
e. "Find", index, count; capability > result, index;
f. "Start"; > ;
g. "Stop"; > ;

Semantics: The "Read" and "Write" operations allow access to the
process's memory. For example, in the "Read" operation, the literal
string "Read" (or a recognizable OP code) is passed along with an
address. The data word at the address is returned.

The "Give" and "Take" operations allow access to the process's C-list.
For example, the "Give" operation passes the string "Give", an index
into the C-list, and a capability to be stored at the passed index.
Such a stored capability could be invoked by the process if it were
"Start"ed.

The "Find" operation allows a slightly optimized sort of compare
operation for capabilities. The process's C-list is searched, starting
at the passed index, for the passed capability until either:

1. The passed capability is found in the C-list. In this case, the
operation returns "Yes" and the first index where the capability was
found, or

2. The count is exhausted. In this case the operation returns "No" and
the passed index plus count.


In addition there is a Nil Capability:
Nil Capability: When a process is initially created its C-list
contains only Nils. These are empty placeholders. Nil always returns
"Empty".


* Re: The Ravenscar profile and capabilities paradigm
  2021-10-14  3:46       ` Doctor Who
@ 2021-10-14 15:16         ` Shark8
  2021-10-14 16:38           ` Doctor Who
  0 siblings, 1 reply; 31+ messages in thread
From: Shark8 @ 2021-10-14 15:16 UTC (permalink / raw)


On Wednesday, October 13, 2021 at 9:46:34 PM UTC-6, Doctor Who wrote:
> On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8 
> >On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote: 
> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote: 
> >> >Doctor Who writes: 
> >> > 
> >> >> someone knows how to introduce the capabilities paradigm in Ada, 
> >> >> specifically for programs written using the Ravenscar profile ? 
> >> > 
> >> >Google hasn't helped me to understand what you're getting at. Perhaps 
> >> >you could expand? 
> >> wikipedia has a good explanation: 
> >> https://en.wikipedia.org/wiki/Capability-based_security 
> >Ah. 
> >Limited Private, unknown-discriminant types. 
> > 
> >Package Capabilities is 
> > -- Enumeration of the particular capabilities. 
> > Type Capability is ( Read, Copy, Whatever ); 
> > -- A Boolean set for delineating a set of Capabilities. 
> > Type Capability_List is Array(Capability) of Boolean; 
> > -- An instance of a set of capabilities; note that: 
> > -- (1) LIMITED means there is no predefined assignment/copy. 
> > -- (2) PRIVATE means there is no public view to the components. 
> > -- (3) Unknown discriminants mean there is no object-creation w/o a function-call. 
> > Type Instance(<>) is limited private; 
> > -- Create an instance; add any other needed parameters. 
> > Function Create( Capabilities : Capability_List ) return Instance; 
> > -- No permissions. 
> > Function No_Permissions return Instance; 
> >Private 
> > Type Instance is record 
> > Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized."); 
> > -- (others => False); -- Or maybe default to no permissions. 
> > -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID. 
> > End record; 
> > 
> > Function Create( Capabilities : Capability_List ) return Instance is 
> > ( Permissions => Capabilities ); 
> > Function No_Permissions return Instance is 
> > ( Create( Capability_List'(others => False) ) ); 
> >End Capabilities; 
> > 
> >You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.
> a Process Capability looks like this: 
> 
> Operations: 
> a. "Read", address; > data; 
> b. "Write", address, data; > ; 
> c. "Take", index; > ; capability 
> d. "Give", index; capability > ; 
> e. "Find", index, count; capability > result, index; 
> f. "Start"; > ; 
> g. "Stop"; > ; 
Does it?
Why?
Or is this just one possible implementation of 'capabilities' operations?
Operations on a type correspond to subprograms in Ada; nothing you present seems (at first glance) incompatible with the structure/types I gave you.
> 
> Semantics: The "Read" and "Write" operations allow access to the 
> process's memory. For example, in the "Read" operation, the literal 
> string "Read" (or a recognizable OP code) is passed along with an 
> address. The data word at the address is returned. 
I think you're jumping the gun.
You need to have a good model, and why are you jumping straight into implementation?
(Literal string? Recognizable OP code? -- All implementation details; forget them right now, concentrate on the modeling of the problem, not the details of how to implement, and AFTER getting the model down, THEN consider code.)
> The "Give" and "Take" operations allow access to the process's C-list. 
> For example, the "Give" operation passes the string "Give", an index 
> into the C-list, and a capability to be stored at the passed index. 
> Such a stored capability could be invoked by the process if it were 
> "Start"ed. 
This part of your explanation makes it sound like you do not understand the code I presented, or the reasoning behind it; forgive me for poorly communicating it.
The reason you want a "limited private type with unknown discriminants" is because:
1)  It hides the implementation, meaning clients cannot alter it indiscriminately.
2)  It prohibits automatic initialization, forcing the usage of an initialization subprogram.
3)  It forces usage of the public interface for clients, private details can manipulate it though.
4)  Any public operations, again, have to go through the public interface.
5)  Copying is strictly prohibited, hence "limited".

In the model I had envisioned the Capabilities-list (Capabilities.Instance) would be an integral part of the TASK, and there would likely be a Get_Capabilities function which would return the proper value, some set-operations, and a new creation-function:
  Function Create( Object : OS_Task_Interface; Capabilities : Capability_List ) return Instance is
     Parent : Instance renames Get_Capabilities( Object );
     Caps : Capability_List renames Parent.Permissions;
  Begin
     -- The granted capabilities cannot be ones the parent does not have, nor may it be ones not requested.
     -- On a Boolean array the predefined "and" is exactly that intersection; the result is wrapped in an Instance.
     Return ( Permissions => Caps and Capabilities );
  End Create;
The above, I think, does the work you are putting into TAKE and GIVE.
> The "Find" operation allows a slightly optimized sort of compare 
> operation for capabilities. The process's C-list is searched, starting 
> at the passed index, for the passed capability until either: 
> 
> 1. The passed capability is found in the C-list. In this case, the 
> operation returns "Yes" and the first index where the capability was 
> found, or 
> 
> 2. The count is exhausted. In this case the operation returns "No" and 
> the passed index plus count.
Why are you bothering with a list?
Why are you even bothering with an index?
The implementation I gave you has the capabilities enumerated; you would add an operation to the capabilities package:
Function Has( Object : Instance; Permission : Capability) return Boolean is
Begin
   Return Object.Permissions( Permission ); -- Just use the enumeration-index of the permissions field.
End Has;
Done.
> 
> 
> in addition there is a Nil Capability: 
> Nil Capability: When a process is initially created its C-list 
> contains only Nils. These are empty place holders. Nil always returns 
> "Empty".
This... sounds like you are not understanding, at all, the Ada code I presented you.
Look at the creation function No_Permissions.
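The C-list operations Doctor Who lists above (Give, Take, Find, Nil) and the parent-intersection rule in Shark8's Create, put together in Ravenscar-compatible Ada as an added example, not code from the thread; the package, type and object names (Capability_Lists, Process_C_List, Slot, Demo_Process) are assumptions.

```ada
--  Added example, not code from the thread: a process C-list for the
--  Read/Write/Take/Give/Find/Nil model, with the parent-intersection rule on Give.
package Capability_Lists is
   type Capability is (Read, Write, Start, Stop);
   --  Boolean array: the predefined "and" is set intersection.
   type Capability_List is array (Capability) of Boolean;
   --  A slot is Nil (empty placeholder) or a capability: target plus rights.
   type Slot_Kind is (Nil, Held);
   type Slot (Kind : Slot_Kind := Nil) is record
      case Kind is
         when Nil  => null;
         when Held => Target : Natural;
                      Rights : Capability_List;
      end case;
   end record;
   Nil_Slot : constant Slot := (Kind => Nil);
   type C_Index is range 1 .. 8;
   type C_List_Array is array (C_Index) of Slot;
   type Find_Outcome is record
      Found : Boolean;
      Index : Natural;  --  first match, else the passed index plus count
   end record;
   --  Protected procedures/functions only, no entries (Ravenscar also requires
   --  the object itself to be library-level, not local to a subprogram).
   protected type Process_C_List is
      --  "Give": store Cap at Index, cut down to the rights the grantor
      --  itself holds, so nobody can pass on more than it has.
      procedure Give (Index : C_Index; Cap : Slot; Grantor : Capability_List);
      --  "Take": remove the slot at Index, leaving Nil behind.
      procedure Take (Index : C_Index; Cap : out Slot);
      --  "Find": scan up to Count slots from Index for Wanted.
      function Find (Index : C_Index; Count : Natural; Wanted : Slot)
         return Find_Outcome;
   private
      List : C_List_Array := (others => Nil_Slot);  --  new process: all Nil
   end Process_C_List;
   Demo_Process : Process_C_List;
end Capability_Lists;

package body Capability_Lists is
   protected body Process_C_List is
      procedure Give (Index : C_Index; Cap : Slot; Grantor : Capability_List) is
      begin
         case Cap.Kind is
            when Nil  => List (Index) := Nil_Slot;
            when Held => List (Index) := (Held, Cap.Target, Cap.Rights and Grantor);
         end case;
      end Give;
      procedure Take (Index : C_Index; Cap : out Slot) is
      begin
         Cap := List (Index);
         List (Index) := Nil_Slot;
      end Take;
      function Find (Index : C_Index; Count : Natural; Wanted : Slot)
         return Find_Outcome
      is
         I : Natural := Natural (Index);
      begin
         while I <= Natural (C_Index'Last) and then I < Natural (Index) + Count loop
            if List (C_Index (I)) = Wanted then
               return (Found => True, Index => I);
            end if;
            I := I + 1;
         end loop;
         return (Found => False, Index => Natural (Index) + Count);
      end Find;
   end Process_C_List;
end Capability_Lists;

with Ada.Text_IO, Capability_Lists;  use Ada.Text_IO, Capability_Lists;
procedure Demo is
   --  Constructed scenario: the parent holds only Read and Start; the child
   --  asks for Read and Write on object 7, so it is given Read alone.
   Parent : constant Capability_List := (Read | Start => True, others => False);
   Wanted : constant Slot := (Held, 7, (Read => True, others => False));
   Hit    : Find_Outcome;
   Taken  : Slot;
begin
   Demo_Process.Give (2, (Held, 7, (Read | Write => True, others => False)), Parent);
   Hit := Demo_Process.Find (1, 8, Wanted);  --  the attenuated capability sits in slot 2
   Put_Line (Boolean'Image (Hit.Found) & Natural'Image (Hit.Index));
   Demo_Process.Take (2, Taken);             --  slot 2 is Nil again
   Hit := Demo_Process.Find (1, 8, Wanted);  --  count exhausted: reports index 1 + 8
   Put_Line (Boolean'Image (Hit.Found) & Natural'Image (Hit.Index));
end Demo;
```

Split the three units into their own files (gnatchop does this) and put `pragma Profile (Ravenscar);` in gnat.adc; the first Find then reports TRUE at 2 and, after Take, the second reports FALSE at 9.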


* Re: The Ravenscar profile and capabilities paradigm
  2021-10-14 15:16         ` Shark8
@ 2021-10-14 16:38           ` Doctor Who
  2021-10-14 21:20             ` Simon Wright
  0 siblings, 1 reply; 31+ messages in thread
From: Doctor Who @ 2021-10-14 16:38 UTC (permalink / raw)


On Thu, 14 Oct 2021 08:16:30 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Wednesday, October 13, 2021 at 9:46:34 PM UTC-6, Doctor Who wrote:
>> On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8 
>> >On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote: 
>> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote: 
>> >> >Doctor Who writes: 
>> >> > 
>> >> >> someone knows how to introduce the capabilities paradigm in Ada, 
>> >> >> specifically for programs written using the Ravenscar profile ? 
>> >> > 
>> >> >Google hasn't helped me to understand what you're getting at. Perhaps 
>> >> >you could expand? 
>> >> wikipedia has a good explanation: 
>> >> https://en.wikipedia.org/wiki/Capability-based_security 
>> >Ah. 
>> >Limited Private, unknown-discriminant types. 
>> > 
>> >Package Capabilities is 
>> > -- Enumeration of the particular capabilities. 
>> > Type Capability is ( Read, Copy, Whatever ); 
>> > -- A Boolean set for delineating a set of Capabilities. 
>> > Type Capability_List is Array(Capability) of Boolean; 
>> > -- An instance of a set of capabilities; note that: 
>> > -- (1) LIMITED means there is no predefined assignment/copy. 
>> > -- (2) PRIVATE means there is no public view to the components. 
>> > -- (3) Unknown discriminants mean there is no object-creation w/o a function-call. 
>> > Type Instance(<>) is limited private; 
>> > -- Create an instance; add any other needed parameters. 
>> > Function Create( Capabilities : Capability_List ) return Instance; 
>> > -- No permissions. 
>> > Function No_Permissions return Instance; 
>> >Private 
>> > Type Instance is record 
>> > Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized."); 
>> > -- (others => False); -- Or maybe default to no permissions. 
>> > -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID. 
>> > End record; 
>> > 
>> > Function Create( Capabilities : Capability_List ) return Instance is 
>> > ( Permissions => Capabilities ); 
>> > Function No_Permissions return Instance is 
>> > ( Create( Capability_List'(others => False) ) ); 
>> >End Capabilities; 
>> > 
>> >You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.
>> a Process Capability looks like this: 
>> 
>> Operations: 
>> a. "Read", address; > data; 
>> b. "Write", address, data; > ; 
>> c. "Take", index; > ; capability 
>> d. "Give", index; capability > ; 
>> e. "Find", index, count; capability > result, index; 
>> f. "Start"; > ; 
>> g. "Stop"; > ; 
>Does it?
>Why?
>Or is this just one possible implementation of 'capabilities' operations?

It is the one I would like to implement.


>Operations on a type correspond to subprograms in Ada; nothing you present seems (at first glance) incompatible with the structure/types I gave you.

Exactly.


>> 
>> Semantics: The "Read" and "Write" operations allow access to the 
>> process's memory. For example, in the "Read" operation, the literal 
>> string "Read" (or a recognizable OP code) is passed along with an 
>> address. The data word at the address is returned. 
>I think you're jumping the gun.
>You need to have a good model, and why are you jumping straight into implementation?

http://www.webstart.com/jed/papers/DCCS/


>(Literal string? Recognizable OP code? -- All implementation details; forget them right now, concentrate on the modeling of the problem, not the details of how to implement, and AFTER getting the model down, THEN consider code.)
>> The "Give" and "Take" operations allow access to the process's C-list. 
>> For example, the "Give" operation passes the string "Give", an index 
>> into the C-list, and a capability to be stored at the passed index. 
>> Such a stored capability could be invoked by the process if it were 
>> "Start"ed. 
>This part of your explanation makes it sound like you do not understand the code I presented, or the reasoning behind it; forgive me for poorly communicating it.
>The reason you want a "limited private type with unknown discriminants" is because:
>1)  It hides the implementation, meaning clients cannot alter it indiscriminately.
>2)  It prohibits automatic initialization, forcing the usage of an initialization subprogram.
>3)  It forces usage of the public interface for clients, private details can manipulate it though.
>4)  Any public operations, again, have to go through the public interface.
>5)  Copying is strictly prohibited, hence "limited".
>
>In the model I had envisioned the Capabilities-list (Capabilities.Instance) would be an integral part of the TASK, and there would likely be a Get_Capabilities function which would return the proper value, some set-operations, and a new creation-function:
>  Function Create( Object : OS_Task_Interface; Capabilities : Capability_List ) return Instance is
>     Parent : Instance renames Get_Capabilities( Object );
>     Caps : Capability_List renames Parent.Permissions;
>  Begin
>     Return Intersect( Caps, Capabilities ); -- The granted capabilities cannot be ones the parent does not have, nor may it be ones not requested.
>  End Create;
>The above, I think, does the work you are putting into TAKE and GIVE.
>> The "Find" operation allows a slightly optimized sort of compare 
>> operation for capabilities. The process's C-list is searched, starting 
>> at the passed index, for the passed capability until either: 
>> 
>> 1. The passed capability is found in the C-list. In this case, the 
>> operation returns "Yes" and the first index where the capability was 
>> found, or 
>> 
>> 2. The count is exhausted. In this case the operation returns "No" and 
>> the passed index plus count.
>Why are you bothering with a list?
>Why are you even bothering with an index?
>The implementation I gave you has the capabilities enumerated; you would add an operation to the capabilities package:
>Function Has( Object : Instance; Permission : Capability) return Boolean is
>Begin
>   Return Object.Permissions( Permission ); -- Just use the enumeration-index of the permissions field.
>End Has;
>Done.
>> 
>> 
>> in addition there is a Nil Capability: 
>> Nil Capability: When a process is initially created its C-list 
>> contains only Nils. These are empty place holders. Nil always returns 
>> "Empty".
>This... sounds like you are not understanding, at all, the Ada code I presented you.
>Look at the creation function No_Permissions.


* Re: The Ravenscar profile and capabilities paradigm
  2021-10-14 16:38           ` Doctor Who
@ 2021-10-14 21:20             ` Simon Wright
  2021-10-15 11:21               ` Doctor Who
  0 siblings, 1 reply; 31+ messages in thread
From: Simon Wright @ 2021-10-14 21:20 UTC (permalink / raw)


Doctor Who <doc@tardis.org> writes:

> http://www.webstart.com/jed/papers/DCCS/

Not the most understandable of papers. Haven't things improved since 1976?


* Re: The Ravenscar profile and capabilities paradigm
  2021-10-14 21:20             ` Simon Wright
@ 2021-10-15 11:21               ` Doctor Who
  0 siblings, 0 replies; 31+ messages in thread
From: Doctor Who @ 2021-10-15 11:21 UTC (permalink / raw)


On Thu, 14 Oct 2021 22:20:54 +0100, Simon Wright <simon@pushface.org>
wrote:

>Doctor Who <doc@tardis.org> writes:
>
>> http://www.webstart.com/jed/papers/DCCS/
>
>Not the most understandable of papers. Haven't things improved since 1976?


Yes!
But this is a basic concept that has been carried on over the years.
