Capability-based security is a concept in the design of
secure computing systems, one of the existing
security models. A capability (known in some systems as a key) is a communicable, unforgeable
token
Token may refer to:
Arts, entertainment, and media
* Token, a game piece or counter, used in some games
* The Tokens, a vocal music group
* Tolkien Black, a recurring character on the animated television series ''South Park,'' formerly known as ...
of authority. It refers to a value that
references
Reference is a relationship between objects in which one object designates, or acts as a means by which to connect to or link to, another object. The first object in this relation is said to ''refer to'' the second object. It is called a ''name'' ...
an
object along with an associated set of
access rights. A
user
Ancient Egyptian roles
* User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty
* Useramen, an ancient Egyptian vizier also called "User"
Other uses
* User (computing), a person (or software) using an ...
program on a
capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the
principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses
traditional UNIX permissions and
Access Control Lists.
Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind.
Introduction
Capabilities achieve their objective of improving system security by being used in place of forgeable
references
Reference is a relationship between objects in which one object designates, or acts as a means by which to connect to or link to, another object. The first object in this relation is said to ''refer to'' the second object. It is called a ''name'' ...
. A forgeable reference (for example, a
path name) identifies an object, but does not specify which access rights are appropriate for that object and the user program which holds that reference. Consequently, any attempt to access the referenced object must be validated by the operating system, based on the
ambient authority
Ambient authority is a term used in the study of access control systems.
A subject, such as a computer program, is said to be using ''ambient authority'' if it only needs to specify the names of the involved object(s) and the operation to be perfo ...
of the requesting program, typically via the use of an
access control list
In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on giv ...
(ACL). Instead, in a system with capabilities, the mere fact that a user program possesses that capability entitles it to use the referenced object in accordance with the rights that are specified by that capability. In theory, a system with capabilities removes the need for any access control list or similar mechanism by giving all entities all and only the capabilities they will actually need.
A capability is typically implemented as a
privileged data structure
In computer science, a data structure is a data organization, management, and storage format that is usually chosen for Efficiency, efficient Data access, access to data. More precisely, a data structure is a collection of data values, the rel ...
that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. The user does not access the data structure or object directly, but instead via a
handle
A handle is a part of, or attachment to, an object that allows it to be grasped and manipulated by hand. The design of each type of handle involves substantial ergonomic issues, even where these are dealt with intuitively or by following tr ...
. In practice, it is used much like a
file descriptor
In Unix and Unix-like computer operating systems, a file descriptor (FD, less frequently fildes) is a process-unique identifier ( handle) for a file or other input/output resource, such as a pipe or network socket.
File descriptors typically ...
in a traditional operating system (a traditional handle), but to access every object on the system. Capabilities are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to). Some systems have also been based on
capability-based addressing (hardware support for capabilities), such as
Plessey System 250.
Programs possessing capabilities can perform functions on them, such as passing them on to other programs, converting them to a less-privileged version, or deleting them. The operating system must ensure that only specific operations can occur to the capabilities in the system, in order to maintain the integrity of the security policy.
Capabilities as discussed in this article should not be confused with Portable Operating System Interface (
POSIX
The Portable Operating System Interface (POSIX) is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines both the system- and user-level application programming inte ...
) 1e/2c "
Capabilities". The latter are coarse-grained privileges that cannot be transferred between processes.
Examples
A capability is defined to be a protected
object reference which, by virtue of its possession by a user process, grants that process the capability (hence the name) to interact with an object in certain ways. Those ways might include reading data associated with an object, modifying the object, executing the data in the object as a process, and other conceivable access rights. The capability logically consists of a reference that uniquely identifies a particular object and a set of one or more of these rights.
Suppose that, in a user process's memory space, there exists the following string:
/etc/passwd
Although this identifies a unique object on the system, it does not specify access rights and hence is not a capability. Suppose there is instead the following pair of values:
/etc/passwd
O_RDWR
This pair identifies an object along with a set of access rights. The pair, however, is still not a capability because the user process's ''possession'' of these values says nothing about whether that access would actually be legitimate.
Now suppose that the user program successfully executes the following statement:
int fd = open("/etc/passwd", O_RDWR);
The variable
fd
now contains the index of a file descriptor in the process's file descriptor table. This file descriptor ''is'' a capability. Its existence in the process's file descriptor table is sufficient to show that the process does indeed have legitimate access to the object. A key feature of this arrangement is that the file descriptor table is in
kernel memory
The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. It is the portion of the operating system code that is always resident in memory and facilitates in ...
and cannot be directly manipulated by the user program.
Sharing between processes
In traditional operating systems, programs often communicate with each other and with storage using references like those in the first two examples. Path names are often passed as command-line parameters, sent via sockets, and stored on disk. These references are not capabilities, and must be validated before they can be used. In these systems, a central question is "on whose ''authority'' is a given reference to be evaluated?" This becomes a critical issue especially for processes which must act on behalf of two different authority-bearing entities. They become susceptible to a programming error known as the
confused deputy problem, very frequently resulting in a
security hole.
In a capability-based system, the capabilities themselves are passed between processes and storage using a mechanism that is known by the operating system to maintain the integrity of those capabilities.
One novel approach to solving this problem involves the use of an
orthogonally persistent operating system. In such a system, there is no need for entities to be discarded and their capabilities be invalidated, and hence require an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times; in part by performing all
serialization
In computing, serialization (or serialisation) is the process of translating a data structure or object state into a format that can be stored (e.g. files in secondary storage devices, data buffers in primary storage devices) or transmitted (e ...
tasks by itself, rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an
access control
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...
mechanism. An example implementation is the
Flex machine from the early 1980s.
POSIX capabilities
Portable Operating System Interface (POSIX) draft 1003.1e specifies a concept of permissions called "capabilities". However, POSIX capabilities differ from capabilities in this article. A POSIX capability is not associated with any object; a process having CAP_NET_BIND_SERVICE capability can listen on any TCP port under 1024. This system is found in Linux.
In contrast,
Capsicum
''Capsicum'' () is a genus of flowering plants in the nightshade family Solanaceae, native to the Americas, cultivated worldwide for their chili pepper or bell pepper fruit.
Etymology and names
The generic name may come from Latin , mean ...
Unix hybridizes a true capability-system model with a Unix design and POSIX API. Capsicum capabilities are a refined form of file descriptor, a delegable right between processes and additional object types beyond classic POSIX, such as processes, can be referenced via capabilities. In Capsicum capability mode, processes are unable to utilize global namespaces (such as the filesystem namespace) to look up objects, and must instead inherit or be delegated them. This system is found natively in FreeBSD, but patches are available to other systems.
Implementations
Notable research and commercial systems employing capability-based security include the following:
*
Tahoe-LAFS, an open-source capability-based filesystem
*
GNOSIS
Gnosis is the common Greek noun for knowledge ( γνῶσις, ''gnōsis'', f.). The term was used among various Hellenistic religions and philosophies in the Greco-Roman world. It is best known for its implication within Gnosticism, where it s ...
, an operating system developed at
Tymshare
**
KeyKOS, successor to GNOSIS
*** EROS, The
Extremely Reliable Operating System, successor to KeyKOS
****
CapROS, a project to further develop the EROS code base for commercial use
*
Cambridge CAP computer
The Cambridge CAP computer was the first successful experimental computer that demonstrated the use of security capabilities, both in hardware and software.Levy, p.96 It was developed at the University of Cambridge Computer Laboratory in the 19 ...
*
Hydra (operating system), part of the
C.mmp project at
Carnegie Mellon University
Carnegie Mellon University (CMU) is a private research university in Pittsburgh, Pennsylvania. One of its predecessors was established in 1900 by Andrew Carnegie as the Carnegie Technical Schools; it became the Carnegie Institute of Technology ...
* StarOS, part of the CM* project at
Carnegie Mellon University
Carnegie Mellon University (CMU) is a private research university in Pittsburgh, Pennsylvania. One of its predecessors was established in 1900 by Andrew Carnegie as the Carnegie Technical Schools; it became the Carnegie Institute of Technology ...
* IBM
System/38 and
AS/400
*
Intel iAPX 432
*
Plessey System 250
*
Flex
*
L4 microkernel family:
**OKL4 from Open Kernel Labs
**seL4 from NICTA
**Fiasco.OC and NOVA from
TU Dresden
TU Dresden (for german: Technische Universität Dresden, abbreviated as TUD and often wrongly translated as "Dresden University of Technology") is a public research university, the largest institute of higher education