Name space management and stack introspection have similar fail-safe
behavior. If a potentially dangerous system resource has been
properly integrated with the protection mechanism, access to it is
denied by default. With name space management, the protected resource
cannot be named by a program, so it is not reachable at all. With stack
introspection, a request to enable a privilege fails by default, and
when no enabled privilege is found on the stack, access to the resource
is denied by default. (Microsoft sacrifices this second property for
compatibility reasons.)
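A small model of the stack-introspection rules just described, added here as an illustration and not code from the paper or from either browser; the frame layout, the trusted-principal set and the function names are constructed for this example:

```python
# Toy model of stack introspection (added example, not the paper's code).
# Each stack frame records its principal and the privileges it has enabled.
# Names (Frame, enable_privilege, check_privilege, TRUSTED) are hypothetical.
from dataclasses import dataclass, field

# Constructed policy: only code running under these principals may enable
# a privilege; everything else is untrusted applet code.
TRUSTED = {"system"}


@dataclass
class Frame:
    principal: str
    enabled: set = field(default_factory=set)


def enable_privilege(frame, target):
    """Fails by default: an untrusted frame's request is refused and the
    frame stays unprivileged; a trusted frame records the enabled target."""
    if frame.principal not in TRUSTED:
        return False
    frame.enabled.add(target)
    return True


def check_privilege(stack, target, fail_safe=True):
    """Walk the stack from the innermost frame outward.

    A frame that has enabled `target` grants access; an untrusted frame
    met before that denies it.  Reaching the bottom of the stack with no
    decision is the fail-safe case and denies.  fail_safe=False models the
    compatibility choice the text attributes to Microsoft: an empty walk
    allows instead of denies.
    """
    for frame in reversed(stack):      # stack[-1] is the innermost frame
        if target in frame.enabled:
            return True                # explicitly enabled: allow
        if frame.principal not in TRUSTED:
            return False               # untrusted caller on the path: deny
    return not fail_safe               # bottom reached: deny unless relaxed
```

The last assertion-worthy case is the one the parenthetical remark is about: a stack consisting only of trusted code that never enabled the privilege is denied under the fail-safe rule and allowed under the relaxed one.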
In a fully capability-based system, a program cannot do anything
unless an appropriate capability is available. In this respect, a
capability system has very good fail-safe behavior.
Dan Wallach
7/26/1997