- This work was supported by DARPA
under Contract N66001-96-C-852.
- PLAN version 3.2 is implemented in OCaml, version 2.02. While
this document attempts to be as implementation-independent as possible,
certain aspects are implementation dependent, and will refer to OCaml as
necessary. An earlier, Java-based version of PLAN (2.2) is also available
and has its own documentation suite. PLAN 2.2 does not have any of the
service-level security features described herein.
- The IP address of
m is printed in the diagnostic messages. Here this address is shown as
the loopback address, 127.0.0.1, for expositional purposes.
- In effect, this defines the default environment as all
services registered by the node minus the ones indicated as privileged by
the node policy. However, this implies that these restrictions may be known
statically, which is true for the monolithic and hierarchical
implementations, but not for ephemeral ones. Thus, to allow for this
possibility, we should alter our implementation to specify the default
service environment explicitly rather than implicitly.
- This is an artifact of the fact that QCM does not allow
width-subtyping in record pattern-matches. The QCM developers assure
us that this feature will be added at some point, at which time we'll alter
our policy implementation.
- The actual code contains ifdef's that are needed
for debugging and because usage-based security is not implemented without
QCM; these are elided here for clarity.
- In all of these examples,
m is the machine on which the example is run, i.e. your machine's
hostname as understood by the PLAN DNS service. See the tutorial or the
FAQ if you run into problems.
- This is, in fact, not a very reasonable policy: the default
user should get much more state, since it represents all untrusted users of
the network. We use this policy for demonstration purposes.