Capability-based security is a concept in the design of

secure computing Secure Computing Corporation (SCC) was a public company that developed and sold computer security appliances and hosted services to protect users and data. McAfee acquired the company in 2008. The company also developed filtering systems used ...

systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable

token Token may refer to: Arts, entertainment, and media * Token, a game piece or counter, used in some games * The Tokens, a vocal music group * Tolkien Black, a recurring character on the animated television series ''South Park,'' formerly known a ...

of authority. It refers to a value that

references Reference is a relationship between objects in which one object designates, or acts as a means by which to connect to or link to, another object. The first object in this relation is said to ''refer to'' the second object. It is called a ''name'' ...

object Object may refer to: General meanings * Object (philosophy), a thing, being, or concept ** Object (abstract), an object which does not exist at any particular time or place ** Physical object, an identifiable collection of matter * Goal, an ...

along with an associated set of access rights. A

user Ancient Egyptian roles * User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty * Useramen, an ancient Egyptian vizier also called "User" Other uses * User (computing), a person (or software) using an ...

program Program, programme, programmer, or programming may refer to: Business and management * Program management, the process of managing several related projects * Time management * Program, a part of planning Arts and entertainment Audio * Programm ...

on a

capability-based operating system Capability-based operating system generally refers to an operating system that uses capability-based security. Examples include: * Hydra *KeyKOS * EROS *CapROS * Midori *seL4 *Genode *Fuchsia *Control Program Facility Control Program Facility ( ...

must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the

principle of least privilege In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction la ...

, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and

Access Control Lists In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on gi ...

. Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind.

Introduction

Capabilities achieve their objective of improving system security by being used in place of forgeable

. A forgeable reference (for example, a path name) identifies an object, but does not specify which access rights are appropriate for that object and the user program which holds that reference. Consequently, any attempt to access the referenced object must be validated by the operating system, based on the

ambient authority Ambient authority is a term used in the study of access control systems. A subject, such as a computer program, is said to be using ''ambient authority'' if it only needs to specify the names of the involved object(s) and the operation to be perfo ...

of the requesting program, typically via the use of an

access control list In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on gi ...

(ACL). Instead, in a system with capabilities, the mere fact that a user program possesses that capability entitles it to use the referenced object in accordance with the rights that are specified by that capability. In theory, a system with capabilities removes the need for any access control list or similar mechanism by giving all entities all and only the capabilities they will actually need. A capability is typically implemented as a privileged

data structure In computer science, a data structure is a data organization, management, and storage format that is usually chosen for efficient access to data. More precisely, a data structure is a collection of data values, the relationships among them, ...

that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. The user does not access the data structure or object directly, but instead via a handle. In practice, it is used much like a

file descriptor In Unix and Unix-like computer operating systems, a file descriptor (FD, less frequently fildes) is a process-unique identifier ( handle) for a file or other input/output resource, such as a pipe or network socket. File descriptors typically ha ...

in a traditional operating system (a traditional handle), but to access every object on the system. Capabilities are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to). Some systems have also been based on

capability-based addressing In computer science, capability-based addressing is a scheme used by some computers to control access to memory as an efficient implementation of capability-based security. Under a capability-based addressing scheme, pointers are replaced by prote ...

(hardware support for capabilities), such as

Plessey System 250 Plessey System 250, also known as PP250, was the first operational computer to implement capability-based addressing, to check and balance the computation as a pure Church–Turing machine. Plessey built the systems for a British Army message ro ...

. Programs possessing capabilities can perform functions on them, such as passing them on to other programs, converting them to a less-privileged version, or deleting them. The operating system must ensure that only specific operations can occur to the capabilities in the system, in order to maintain the integrity of the security policy. Capabilities as discussed in this article should not be confused with Portable Operating System Interface (

POSIX The Portable Operating System Interface (POSIX) is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines both the system- and user-level application programming in ...

) 1e/2c " Capabilities". The latter are coarse-grained privileges that cannot be transferred between processes.

Examples

A capability is defined to be a protected

reference which, by virtue of its possession by a user process, grants that process the capability (hence the name) to interact with an object in certain ways. Those ways might include reading data associated with an object, modifying the object, executing the data in the object as a process, and other conceivable access rights. The capability logically consists of a reference that uniquely identifies a particular object and a set of one or more of these rights. Suppose that, in a user process's memory space, there exists the following string: /etc/passwd Although this identifies a unique object on the system, it does not specify access rights and hence is not a capability. Suppose there is instead the following pair of values: /etc/passwd O_RDWR This pair identifies an object along with a set of access rights. The pair, however, is still not a capability because the user process's ''possession'' of these values says nothing about whether that access would actually be legitimate. Now suppose that the user program successfully executes the following statement: int fd = open("/etc/passwd", O_RDWR); The variable fd now contains the index of a file descriptor in the process's file descriptor table. This file descriptor ''is'' a capability. Its existence in the process's file descriptor table is sufficient to show that the process does indeed have legitimate access to the object. A key feature of this arrangement is that the file descriptor table is in

kernel memory The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. It is the portion of the operating system code that is always resident in memory and facilitates i ...

and cannot be directly manipulated by the user program.

Sharing between processes

In traditional operating systems, programs often communicate with each other and with storage using references like those in the first two examples. Path names are often passed as command-line parameters, sent via sockets, and stored on disk. These references are not capabilities, and must be validated before they can be used. In these systems, a central question is "on whose ''authority'' is a given reference to be evaluated?" This becomes a critical issue especially for processes which must act on behalf of two different authority-bearing entities. They become susceptible to a programming error known as the

confused deputy problem In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. It is a specific type of privilege escalation. The confused dep ...

, very frequently resulting in a security hole. In a capability-based system, the capabilities themselves are passed between processes and storage using a mechanism that is known by the operating system to maintain the integrity of those capabilities. One novel approach to solving this problem involves the use of an orthogonally persistent operating system. In such a system, there is no need for entities to be discarded and their capabilities be invalidated, and hence require an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times; in part by performing all

serialization In computing, serialization (or serialisation) is the process of translating a data structure or object state into a format that can be stored (e.g. files in secondary storage devices, data buffers in primary storage devices) or transmitted (e ...

tasks by itself, rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an

access control In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...

mechanism. An example implementation is the Flex machine from the early 1980s.

POSIX capabilities

Portable Operating System Interface (POSIX) draft 1003.1e specifies a concept of permissions called "capabilities". However, POSIX capabilities differ from capabilities in this article. A POSIX capability is not associated with any object; a process having CAP_NET_BIND_SERVICE capability can listen on any TCP port under 1024. This system is found in Linux. In contrast,

Capsicum ''Capsicum'' () is a genus of flowering plants in the nightshade family Solanaceae, native to the Americas, cultivated worldwide for their chili pepper or bell pepper fruit. Etymology and names The generic name may come from Latin , me ...

Unix hybridizes a true capability-system model with a Unix design and POSIX API. Capsicum capabilities are a refined form of file descriptor, a delegable right between processes and additional object types beyond classic POSIX, such as processes, can be referenced via capabilities. In Capsicum capability mode, processes are unable to utilize global namespaces (such as the filesystem namespace) to look up objects, and must instead inherit or be delegated them. This system is found natively in FreeBSD, but patches are available to other systems.

Implementations

Notable research and commercial systems employing capability-based security include the following: *

Tahoe-LAFS Tahoe-LAFS (Tahoe Least-Authority File Store) is a free and open, secure, decentralized, fault-tolerant, distributed data store and distributed file system. It can be used as an online backup system, or to serve as a file or Web host similar t ...

, an open-source capability-based filesystem *

GNOSIS Gnosis is the common Greek noun for knowledge ( γνῶσις, ''gnōsis'', f.). The term was used among various Hellenistic religions and philosophies in the Greco-Roman world. It is best known for its implication within Gnosticism, where it ...

, an operating system developed at Tymshare **

KeyKOS KeyKOS is a persistent, pure capability-based operating system for the IBM S/370 mainframe computers. It allows emulating the environments of VM, MVS, and Portable Operating System Interface ( POSIX). It is a predecessor of the Extremely R ...

, successor to GNOSIS *** EROS, The

Extremely Reliable Operating System Extremely Reliable Operating System (EROS) is an operating system developed starting in 1991 at the University of Pennsylvania, and then Johns Hopkins University, and The EROS Group, LLC. Features include automatic data and process persistence ...

, successor to KeyKOS ****

CapROS Capability-based Reliable Operating System (CapROS) is an operating system incorporating pure capability-based security. It features automatic persistence of data and processes, even across system reboots. Capability systems naturally support th ...

, a project to further develop the EROS code base for commercial use * Cambridge CAP computer *

Hydra (operating system) Hydra (stylized as HYDRA) is an early, discontinued, capability-based, object-oriented microkernel designed to support a wide range of possible operating systems to run on it.Wulf 74 pp. 337–345 Hydra was created as part of the C.mmp project at ...

, part of the

C.mmp The C.mmp was an early ''multiple instruction, multiple data'' ( MIMD) multiprocessor system developed at Carnegie Mellon University (CMU) by William Wulf (1971). The notation ''C.mmp'' came from the PMS notation of Gordon Bell and Allen Newell ...

project at

Carnegie Mellon University Carnegie Mellon University (CMU) is a private research university in Pittsburgh, Pennsylvania. One of its predecessors was established in 1900 by Andrew Carnegie as the Carnegie Technical Schools; it became the Carnegie Institute of Technology ...

* StarOS, part of the CM* project at

* IBM System/38 and

AS/400 The IBM AS/400 (Application System/400) is a family of midrange computers from IBM announced in June 1988 and released in August 1988. It was the successor to the System/36 and System/38 platforms, and ran the OS/400 operating system. Lower-co ...

Intel iAPX 432 The iAPX 432 (''Intel Advanced Performance Architecture'') is a discontinued computer architecture introduced in 1981. It was Intel's first 32-bit processor design. The main processor of the architecture, the ''general data processor'', is im ...

Flex Flex or FLEX may refer to: Computing * Flex (language), developed by Alan Kay * FLEX (operating system), a single-tasking operating system for the Motorola 6800 * FlexOS, an operating system developed by Digital Research * FLEX (protocol), a com ...

* L4 microkernel family: **OKL4 from Open Kernel Labs **seL4 from NICTA **Fiasco.OC and NOVA from TU Dresden *

Amoeba An amoeba (; less commonly spelled ameba or amœba; plural ''am(o)ebas'' or ''am(o)ebae'' ), often called an amoeboid, is a type of cell or unicellular organism with the ability to alter its shape, primarily by extending and retracting pseudop ...

distributed operating system *

FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...

Genode Genode is a free and open-source software operating system (OS) framework consisting of a microkernel abstraction layer and a set of user space components. The framework is notable as one of the few open-source operating systems not derived from ...

Google Fuchsia Fuchsia is an open-source capability-based operating system developed by Google. In contrast to Google's Linux-based operating systems such as ChromeOS and Android, Fuchsia is based on a custom kernel named Zircon. It publicly debuted as a self ...

WebAssembly WebAssembly (sometimes abbreviated Wasm) defines a portable binary-code format and a corresponding text format for executable programs as well as software interfaces for facilitating interactions between such programs and their host environmen ...

System Interface (WASI)

References

* Levy, Henry M., '
Capability-Based Computer Systems
', Digital Equipment Corporation 1984. . An electronic version is availabl
here

The EROS Project
* E, a programming language based around capability security
ERights.org
* Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro. ''Capability Myths Demolished'', Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University
Available online.

The Cambridge CAP Computer
Levy, 1988

External links

{{DEFAULTSORT:Capability-Based Security Computer security models Access control