
Objects as Secure Capabilities - insulanian
http://joeduffyblog.com/2015/11/10/objects-as-secure-capabilities/
======
Natanael_L
I would love to see a full client OS developed based on a Capabilities model.
Imagine if Qubes OS didn't have to settle with VMs that are essentially large
sandboxes, but it could isolate software and grant access directly managed
through these secure tokens.

Ideally even regular software packages would then be split up in smaller
pieces that in turn had their own capabilities, so that a web browser could
restrict the capabilities of the rendering thread/process by simply not giving
it all the capabilities of the main thread of the software. Instead of just
threading software or using process isolation you'd define capabilities for
every sensitive interaction and could be a whole lot more fine-grained.

~~~
icebraining
_Ideally even regular software packages would then be split up in smaller
pieces that in turn had their own capabilities, so that a web browser could
restrict the capabilities of the rendering thread/process by simply not
giving it all the capabilities of the main thread of the software._

That's exactly what Chrome does, by the way. The rendering processes can't do
basically anything beyond communicating with the parent process on a channel.
Anything else - files, network, etc - is barred using seccomp-bpf (and
equivalent on Windows).

~~~
Natanael_L
The difference is that in such an environment, that sandbox would be created by
doing _nothing_. Chrome has to go out of its way to define such a sandbox for
rendering processes.
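The distinction the thread draws (a renderer that is sandboxed because it was never handed any authority, versus a renderer that must be fenced in after the fact with seccomp-bpf) is easy to show with a small object-capability sketch. The following Python is an added example written for this page; it is not code from the thread, from the linked blog post, or from Chromium. `FileCap`, `Channel` and `Renderer` are hypothetical names, and the profile file content is constructed sample data. The point it demonstrates: the renderer is built holding only a channel, so file access is unreachable from it by construction; the file capability the parent keeps can be attenuated to read-only before sharing and revoked afterwards, with the revocation propagating to every capability derived from it.

```python
"""Object-capability sketch: authority exists only as object references.

Constructed example (not from the thread, the blog post, or Chromium).
FileCap, Channel and Renderer are hypothetical names.
"""
import os
import tempfile
from collections import deque
from typing import Optional


class FileCap:
    """Capability for one file. Holding the object is the only way to use it."""

    def __init__(self, path: str, writable: bool = True,
                 parent: Optional["FileCap"] = None) -> None:
        self._path = path
        self._writable = writable
        self._parent = parent
        self._revoked = False

    @property
    def revoked(self) -> bool:
        # Revoking a capability also revokes everything derived from it.
        return self._revoked or (self._parent is not None and self._parent.revoked)

    def revoke(self) -> None:
        self._revoked = True

    def attenuate(self) -> "FileCap":
        """Derive a weaker, read-only capability; the holder cannot upgrade it."""
        return FileCap(self._path, writable=False, parent=self)

    def read(self) -> str:
        self._check()
        with open(self._path, encoding="utf-8") as fh:
            return fh.read()

    def write(self, data: str) -> None:
        self._check()
        if not self._writable:
            raise PermissionError("read-only capability")
        with open(self._path, "w", encoding="utf-8") as fh:
            fh.write(data)

    def _check(self) -> None:
        if self.revoked:
            raise PermissionError("capability revoked")


class Channel:
    """The only object a Renderer is handed: a message queue back to the parent."""

    def __init__(self) -> None:
        self.messages: deque = deque()

    def send(self, msg: str) -> None:
        self.messages.append(msg)


class Renderer:
    """Holds nothing but a Channel, so it has no file authority by construction."""

    def __init__(self, channel: Channel) -> None:
        self._channel = channel

    def render(self, markup: str) -> str:
        # Toy "rendering": strip a bold tag and report the result over the channel.
        text = markup.replace("<b>", "").replace("</b>", "")
        self._channel.send(f"rendered:{text}")
        return text


def demo() -> dict:
    """Run the scenario and return what each party could and could not do."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "profile.txt")
        full = FileCap(path)             # held by the "browser" (parent) process
        full.write("secret profile")     # constructed sample content

        chan = Channel()
        renderer = Renderer(chan)        # sandboxed by omission: no FileCap passed in
        results["rendered"] = renderer.render("<b>hello</b>")
        results["channel_messages"] = list(chan.messages)
        results["renderer_holds_filecap"] = any(
            isinstance(v, FileCap) for v in vars(renderer).values())

        ro = full.attenuate()            # what the parent would hand to a helper
        results["ro_read"] = ro.read()
        try:
            ro.write("tampered")
            results["ro_write_blocked"] = False
        except PermissionError:
            results["ro_write_blocked"] = True

        full.revoke()                    # parent withdraws authority; ro dies with it
        try:
            ro.read()
            results["revoked_read_blocked"] = False
        except PermissionError:
            results["revoked_read_blocked"] = True
        with open(path, encoding="utf-8") as fh:
            results["file_unchanged"] = fh.read() == "secret profile"
    return results
```

Running `demo()` returns a dictionary recording that the renderer produced its output and sent one channel message while holding no `FileCap`, that the attenuated capability could read but not write, and that it stopped working once the parent revoked the original. Nothing in the renderer had to be denied, because nothing was ever granted; that is the "created by doing nothing" property, in contrast to a deny-list that must enumerate every syscall to block.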

