Capability (computers)
|
Missing image Merge_articles.png | It has been proposed that this article or section be merged with Capability-based security.
This request may be discussed on the article's talk page. |
A capability (also known as a key) is a concept in secure computing. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object.
A capability is typically implemented as a privileged data structure that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. In practice, it is used much like a file descriptor in a traditional operating system, but to access every object on the system. They are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to).
Programs possessing capabilities can perform functions on them, such as passing them on to other programs, converting them to a less-privileged version, or deleting them.
Capabilities achieve their objective of improving system security by being used in place of plain references. A plain reference (for example, a path name) uniquely identifies an object, but does not specify which access rights are appropriate for that object and the user program which holds that reference. Consequently, any attempt to access the referenced object must be validated by the operating system, typically via the use of an access control list (ACL). In contrast, in a pure capability-based system, the mere fact that a user program possesses that capability entitles it to use the referenced object in accordance with the rights that are specified by that capability. In theory, a pure capability-based system removes the need for any access control list or similar mechanism by giving all entities all and only the capabilities they will actually need.
Although many operating systems implement facilities very similar to capabilities through the use of file descriptors or file handles — for example, in BSD UNIX, file descriptors can be discarded (closed), inherited by child processes, and even sent to other processes via sockets — there are several obstacles that prevent all of the benefits of a pure capability-based system from being realized in a traditional operating system environment. Chief among these obstacles is the fact that entities which might hold capabilities (such as processes and files) cannot be made persistent in such a way that maintains the integrity of the secure information that a capability represents. The operating system cannot trust a user program to read back a capability and not tamper with the object reference or the access rights. Consequently, when a program wishes to regain access to an object that is referenced on disk, the operating system must have some way of validating that access request, and an access control list or similar mechanism is mandated.
One novel approach to solving this problem involves the use of an orthogonally persistent operating system. (This was realised in the Flex machine. See Ten15). In such a system, there is no need for entities to be discarded and their capabilities be invalidated, and hence require an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times; in part by performing all serialization tasks by itself, rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an access control mechanism.
References
- Levy, Henry M., Capability-Based Computer Systems, Digital Equipment Corporation 1984. ISBN 0-932376-22-3. An electronic version is available here (http://www.cs.washington.edu/homes/levy/capabook/).
- The EROS Project (http://www.eros-os.org/)
- ERights.org (http://www.erights.org/)
- Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro. Capability Myths Demolished, Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University. Available online. (http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf)
- The Cambridge CAP Computer (http://www.cs.washington.edu/homes/levy/capabook/Chapter5.pdf), Levy, 1988