Object-accessibility and meta-level (was: HLL Primitives)

Massimo Dentico m.dentico@virgilio.it
Fri Feb 7 01:54:02 2003


Brian T Rice wrote:
> Francois-Rene Rideau wrote:
> [..]
>>As for a conceptual model for attributes, etc. - in Tunes,
>>I think that what I had in my mind when I wrote this page
>>was that the "state" of the system at any moment could be seen as a set
>>of (attribute, object(s), value(s)) tuples that are known to hold.

I don't understand what these "(attribute, object(s), value(s)) tuples"
without an explanation are supposed to be, but anyway ...


> [..]
> 
> Alright. As for formalization, that's the task I'm attempting to
> undertake. For example, your triples are "attributions" by lexical
> derivative of the object-attribute concept. Unfortunately, "known to hold"
> isn't absolute. You say yourself under the Safety and Security sections
> that object-accessibility through capabilities or some enhanced notion
> determines visibility itself in a perspective-based way. If we had a
> single reflective tower, the simple answer would be that "the meta-level
> knows", but this is not the case.

A short digression to establish a minimum of context.

A capability is (from what I understand) a security mechanism which
gives an agent(/actor/program/user):

a) the right to access a specific object
*and*
b) the right to perform some specific operations on such object.

Security depends on the fact that such a capability is *not*
falsifiable (forgeable). To this end various techniques exist,
essentially (briefly): tagged architectures, capabilities in kernel
space, cryptography.

The difference from ACLs (Access Control Lists) lies in the fact
that in such a model each resource has an associated list of agents
with the right to access that resource and the relative operations
allowed for each agent.

With capabilities, on the contrary, each agent is given a set of
rights on specific resources. An agent is not even able to name (access)
a resource without an adequate capability. In some sense each agent
is given a view (a set of capabilities) of the world in which it lives.
Such a view is potentially dynamic (grant/revocation of capabilities
during the life-time of an agent).

For the profound implications of this difference (which apparently
seems trivial) see the relevant links on our CTO (Cliki.Tunes.Org):

  - http://cliki.tunes.org:8000/Capability


Now back to object-accessibility and meta-level.

1) Let O' be an object which belongs to a meta-object MO' and
    owns a capability C'.

2) Let O" be an object which belongs to a meta-object MO".

3) Let O', MO', C', O", MO" live in the current context CC.

A question immediately arises:

4) who is responsible for the "interpretation" of a capability (C')?
    The current context (CC) or the meta-object (MO') to which the
    capability owner (O') belongs?

In what follows I assume that:

5) the answer to 4) is MO';
6) MO' and MO" use different capability mechanisms.

Now if O' wants to grant C' to O" then there must exist a "translator" T
of C' into a capability C", that MO" can interpret:

7) T(C') -> C"

Another possibility is that, for 6) to hold, 3) must be false
(MO' and MO" live in different contexts). Probably this is the
correct interpretation of "different reflective towers".

Brian, are these the kind of problems to which you refer?
Does this formulation make sense to you?

Regards.

-- 
Massimo Dentico
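
The translation step 7) in the message above, as an added example that is not part of the original message or of any Tunes code. It assumes MO' uses cryptographic (MAC'd) capabilities and MO" uses a kernel-style private table, two of the techniques the message lists; the names CryptoMeta, TableMeta, translate and invoke are hypothetical, and the optional `keep` argument (narrowing rights during translation) goes beyond what the message states.

```python
import hashlib, hmac, json, secrets

class CryptoMeta:
    """Stands in for MO': a capability is (object, rights, MAC)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def _mac(self, obj, rights):
        msg = json.dumps([obj, sorted(rights)]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()
    def mint(self, obj, rights):
        return (obj, frozenset(rights), self._mac(obj, rights))
    def interpret(self, cap):
        # Returns (object, rights) only if the MAC verifies under MO's key.
        try:
            obj, rights, tag = cap
            ok = hmac.compare_digest(tag, self._mac(obj, rights))
        except (TypeError, ValueError):
            return None
        return (obj, frozenset(rights)) if ok else None

class TableMeta:
    """Stands in for MO": a capability is an opaque handle into a private table."""
    def __init__(self):
        self._table = {}
    def mint(self, obj, rights):
        handle = secrets.token_hex(16)
        self._table[handle] = (obj, frozenset(rights))
        return handle
    def interpret(self, cap):
        return self._table.get(cap) if isinstance(cap, str) else None
    def revoke(self, cap):
        self._table.pop(cap, None)

def translate(src, dst, cap, keep=None):
    """T(C') -> C": check C' under its own meta-object, then re-mint under dst."""
    meaning = src.interpret(cap)
    if meaning is None:
        raise PermissionError("capability is not valid under the source meta-object")
    obj, rights = meaning
    if keep is not None:
        rights &= frozenset(keep)  # assumption: T may narrow rights, never widen
    return dst.mint(obj, rights)

def invoke(meta, cap, op):
    """True if meta interprets cap as granting operation op."""
    meaning = meta.interpret(cap)
    return meaning is not None and op in meaning[1]
```

Neither meta-object can interpret the other's capability directly, so the translator is the only path by which C' becomes usable under MO", and it has to be trusted by both sides.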