Topic: security by capabilities

Subtopic: what is a capability

Quote: a computation proceeds within a sphere of protection as defined by a list of capabilities [»dennJB3_1966]
Quote: a capability is a pointer to a computing object and the actions that the computation may perform on that object; e.g., segment capabilities for reading, writing, and executing
Quote: system sharing by capabilities checks upon first access, providing a reference to an object for future access; e.g., a Unix file descriptor [»kampPH7_2004]
Quote: a capability is a signed delegation for a complete chain of trust; e.g., an open file descriptor; efficient; more complicated setup and revocation [»lampBW6_2004]
Quote: a capability is an ID for a computing object and the allowed actions
Quote: separate authentication, authorization, and access control; authentication provides a set of authorizations for access control [»karpAH12_2003]
Quote: a capability is the unique name of an object plus an associated access code; each domain has a list of capabilities [»dennPJ_1980, OK]
Quote: a Helix server provides 96-bit capabilities which encrypt access rights to an object with 40 bits padding [»fridM5_1985]
Quote: Helix capabilities will not be regenerated in about twenty years [»fridM5_1985]
Quote: in Helix, clients can only access objects which they create or were given capabilities for [»fridM5_1985]
Quote: all Amoeba objects are named and cryptographically protected by capabilities; e.g., access a file by a capability [»vanrR10_1988]
Quote: Amoeba assigns a 128- or 256-bit capability to every object; contains server port, object number, rights field, and check field [»taneAS12_1990]
Quote: internal names for persistent objects by a 48-bit unique id followed by a 48-bit random id; protects name access [»birrAD9_1980]
Quote: a list of capabilities defines a computation's protections [»dennJB3_1966]

Subtopic: advantages of capabilities

Quote: capabilities provide a unique, secure, system-wide, fixed length name for each object [»taneAS12_1990]
Quote: principle of least privilege--capabilities allow a procedure to only have the privileges it needs; highly fault-tolerant [»dennPJ_1980]
Quote: in a banking program, instructions must have permission before they are executed [»mckeWM_1975]
Quote: in a large system, capabilities will leak out; but a compromised capability only affects the security of one object [»taneAS12_1990]
Quote: capabilities are good for managing access-control information; only a few procedures have these capabilities [»dennPJ_1980]

Subtopic: authentication capability

Quote: Andrew uses authentication tokens to prove identity; like a capability; established by secret and clear tokens [»satyM8_1989]
Quote: used 20-digit cryptographic tokens; provides man-machine interface between customer and electricity meter [»andeRJ5_1996]
Quote: print 20-digit cryptographic token in two lines of four-digit groups; significantly reduced error rate [»andeRJ5_1996]

Subtopic: data type and capability

Quote: Vault's type system is based on Capability Calculus and alias types [»deliR6_2001]
Quote: Capability Language (CL) propagates capabilities for region-based memory operations; provably safe type system; lexical scope not required; e.g., extensible systems and continuation-passing style [»walkD7_2000]
Quote: track non-aliasing of memory regions via tagged capabilities and type system [»walkD7_2000]
Quote: use capabilities for exclusive access to user data from kernel processes, and mutually exclusive access to shared mutable data [»walkD7_2000]
Quote: if capabilities include the object type, the owner may deallocate or reuse the capability's memory; allows safe deallocation of objects [»walkD7_2000]
Quote: associate capability and type with each object; guarantees exclusive ownership for deallocation or reuse; extends linear type systems [»walkD7_2000]

Subtopic: memory access and capability

Quote: SPIN capabilities are Modula pointers; pointers cannot be forged or dereferenced incorrectly; minimal overhead [»bersBN12_1995]
Quote: an exokernel uses capabilities to guard access to physical memory pages [»englDR12_1995]
Quote: Capability Language (CL), provably safe intermediate language for region-based memory management; supports aliasing and extensible OS; best for continuation-passing languages [»walkD7_2000]
Quote: region-based, capability language tracks unique memory accesses; i.e., non-aliased accesses [»walkD7_2000]
Quote: a sealed EMPIRIC segment can be externally accessed only by intentions that bear the same seal [»wilkMV8_1986]
Quote: associate a descriptor with an EMPIRIC segment by writing an intention [»wilkMV8_1986]
Quote: a capability is a pointer to a computing object and the actions that the computation may perform on that object; e.g., segment capabilities for reading, writing, and executing

Subtopic: file system capability

Quote: Amoeba file reads are 2-3 times faster than Sun NFS; large file writes are faster; capability overhead is constant [»taneAS12_1990]
Quote: Amoeba's create-file operation generates a capability; generating and encrypting the random number is costly (120 msec) [»vanrR10_1988]
Quote: each major client of a file server needs a charging capability to account for file creation and storage [»birrAD9_1980]
Quote: CapaFS uses capability file names for ubiquitous access and delegation; separates user identification from authorization [»regaJT8_2001]
Quote: a CapaFS file name consists of the server in plain text and encrypted path name, access rights, and timeout; use secure channel and capability revocation [»regaJT8_2001]
Quote: refer to objects via the index of a capability pointing to a directory [»dennJB3_1966]
Quote: each principal has a root directory of retained objects

Subtopic: communication capability

Quote: Accent required that a process have a capability to a port; allowed automatic notification for port failures and prevented hidden communication [»rashRF11_1986]
Quote: access to a port is granted by receiving a capability to send or receive to the port

Subtopic: operating system capabilities

Quote: assign security IDs to threads, extensions, and other objects; operations require permission; access mode is a 64-bit vector of permissions and permission objects [»grimR2_2001]
Quote: EROS is a large space of capability-protected objects; memory pages, capability nodes, CPU time, network connections; only way to invoke operations [»shapJS1_2002]
Quote: EROS uses capabilities to run active systems of user code; allows broken or hostile code [»shapJS1_2002]
Quote: trace every operation to an authorizing capability; every procedure call identifies capabilities; applications require a schedule capability [»shapJS1_2002]
QuoteRef: robiL9_1975 ;;6 can create a capability, same or new id, with same or fewer operations

Subtopic: transferring capability

Quote: EROS allows transmission of capabilities across authorized communication paths; this does not limit security [»shapJS1_2002]
Quote: initiate a process by sending a capability for accessing arguments and environment; returns a capability for the new process [»taneAS12_1990]
Quote: a Helix client collects a set of capabilities needed for a user session [»fridM5_1985]
Quote: V's 'send' can pass read or write access to a segment of process memory
Quote: since V can pass access to a segment, the recipient can control how much gets transmitted and where the data is stored; e.g., for debugger [»cherDR4_1984]
Quote: a process may pass a subset of its permissions to other domains if it has 'copy' permission [»dennPJ_1980]

Subtopic: short-term capability

Quote: hybrid access control gives a short-term capability; e.g., channel id while a file is opened [»giffDK7_1985, OK]

Subtopic: timestamps for capabilities

Quote: globally synchronize clocks to 1/10th second by exchanging messages with 3 other nodes every 4 minutes; for protocols, authentication, capabilities [»liskB9_1989]

Subtopic: verifying capability

Quote: Amoeba verifies a derived capability with partial rights by checking the one-way function of the xor of rights field with table entry
Quote: Amoeba verifies an owner capability with full rights by comparing check field with table entry
Quote: EROS uses kernel-protected capabilities; Amoeba treats capabilities as data and can not distinguish them from data [»shapJS1_2002]
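
The Amoeba check-field scheme summarized in the quotes above (a capability carries server port, object number, rights and check field; an owner capability is verified by comparing its check field with the server's table entry, a derived capability by recomputing the one-way function of the table entry xor'ed with its rights field), worked through as an added example. This is not code from Amoeba or from this page. The field widths (8-bit rights, 48-bit check), the RIGHT_* bit layout, and SHA-256 truncated to 48 bits as the one-way function f are assumptions made for the example; the page only names the four fields. The example also shows the two points raised elsewhere on this page: the capability is plain data that any holder can copy or edit (the EROS criticism), and the only revocation is to regenerate the table entry, which invalidates every outstanding capability for the object.

```python
"""Amoeba-style sparse capabilities with a check field (added example)."""
import hashlib
import os
from dataclasses import dataclass, replace

# Field widths are an assumption for this example; the page only says an
# Amoeba capability holds a server port, object number, rights field and
# check field.
RIGHTS_BITS = 8
CHECK_BITS = 48
ALL_RIGHTS = (1 << RIGHTS_BITS) - 1
RIGHT_READ, RIGHT_WRITE, RIGHT_DELETE = 1, 2, 4   # assumed rights layout


def one_way(x: int) -> int:
    """Public one-way function f (assumed: SHA-256 truncated to CHECK_BITS)."""
    digest = hashlib.sha256(x.to_bytes(CHECK_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: CHECK_BITS // 8], "big")


@dataclass(frozen=True)
class Capability:
    port: int    # server port
    obj: int     # object number
    rights: int  # rights bitmask
    check: int   # C for an owner capability, f(C xor rights) for a derived one

    def is_owner(self) -> bool:
        return self.rights == ALL_RIGHTS

    def restrict(self, rights: int) -> "Capability":
        """Owner derives a weaker capability offline: check' = f(C xor rights')."""
        if not self.is_owner():
            raise PermissionError("holder of a derived capability must ask the server")
        if rights & ~ALL_RIGHTS or rights == ALL_RIGHTS:
            raise ValueError("derived capability must drop at least one right")
        return Capability(self.port, self.obj, rights, one_way(self.check ^ rights))


class Server:
    """Holds the secret per-object check value C; the capabilities themselves
    are plain data that any process may copy, which is the EROS criticism."""

    def __init__(self, port: int) -> None:
        self.port = port
        self.table: dict[int, int] = {}   # object number -> C
        self.next_obj = 1

    def create(self) -> Capability:
        obj, self.next_obj = self.next_obj, self.next_obj + 1
        c = int.from_bytes(os.urandom(CHECK_BITS // 8), "big")
        self.table[obj] = c
        return Capability(self.port, obj, ALL_RIGHTS, c)

    def verify(self, cap: Capability) -> bool:
        c = self.table.get(cap.obj)
        if cap.port != self.port or c is None:
            return False
        if cap.is_owner():
            return cap.check == c                    # owner: compare with table entry
        return cap.check == one_way(c ^ cap.rights)  # derived: recompute f(C xor rights)

    def restrict(self, cap: Capability, rights: int) -> Capability:
        """Server-side restriction for a holder who does not know C."""
        if not self.verify(cap) or rights & ~cap.rights or rights == ALL_RIGHTS:
            raise PermissionError("invalid capability or rights not a proper subset")
        return Capability(self.port, cap.obj, rights, one_way(self.table[cap.obj] ^ rights))

    def revoke_all(self, owner: Capability) -> None:
        """Only revocation available: pick a new C, invalidating every outstanding
        capability for the object (there is no per-holder revocation)."""
        if not (self.verify(owner) and owner.is_owner()):
            raise PermissionError("owner capability required")
        self.table[owner.obj] = int.from_bytes(os.urandom(CHECK_BITS // 8), "big")


def demo() -> dict:
    """Exercise the scheme; returns the verification outcomes."""
    srv = Server(port=0x1234)
    owner = srv.create()
    rw = owner.restrict(RIGHT_READ | RIGHT_WRITE)   # offline, owner knows C
    ro = srv.restrict(rw, RIGHT_READ)               # holder of rw asks the server
    # A holder of ro edits the rights field to add write: the check field no
    # longer matches f(C xor rights), and C cannot be recovered from f(C xor 1).
    forged = replace(ro, rights=RIGHT_READ | RIGHT_WRITE)
    out = {
        "owner": srv.verify(owner),
        "rw": srv.verify(rw),
        "ro": srv.verify(ro),
        "forged": srv.verify(forged),
        "wrong_object": srv.verify(replace(ro, obj=999)),
        "wrong_port": srv.verify(replace(ro, port=0x4321)),
    }
    srv.revoke_all(owner)
    out["after_revoke"] = srv.verify(owner) or srv.verify(rw) or srv.verify(ro)
    return out


if __name__ == "__main__":
    print(demo())
```

The security of the scheme rests on two things the code makes visible: the check field is long enough that guessing it is impractical (48 bits here, an assumption), and f is one-way, so a holder of f(C xor R) cannot recover C and therefore cannot mint a capability for a larger R. Nothing stops a holder from copying the capability to another process, and anyone who can read it on the wire holds it, which is why the "problems with capabilities" quote asks whether link encryption is needed.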

Subtopic: invalid capability

Quote: when a Helix server receives an invalid capability, it should report and log the problem [»fridM5_1985]

Subtopic: history

Quote: the capability list came from the Burroughs B5000 program reference table [»dennJB3_1966]

Subtopic: problems with capabilities

Quote: Amoeba capabilities are vulnerable to intruders; may need link encryption; if so, are capabilities needed? [»taneAS12_1990]
Quote: capabilities are stored in user directories; difficult to revoke access rights [»fridM5_1985]
Quote: capabilities are more efficient for exercising permissions but access lists are better for managing permissions; should have a mix of methods

Related Topics

Topic: authentication (93 items)
Topic: data type by access rights (20 items)
Topic: encryption (45 items)
Topic: key distribution (35 items)
Topic: memory management by paging (23 items)
Topic: one-way hash function (24 items)
Topic: operating system security (18 items)
Topic: password protection (44 items)
Topic: security by access rights (38 items)

Updated barberCB 6/05
Copyright © 2002-2008 by C. Bradford Barber. All rights reserved.
Thesa is a trademark of C. Bradford Barber.