Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Capability-based security
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{short description|Computer safety concept}} '''Capability-based security''' is a concept in the design of [[Computer security|secure computing]] systems, one of the existing [[Computer security model|security models]]. A '''capability''' (known in some systems as a '''key''') is a communicable, unforgeable [[Access token|token]] of authority. It refers to a value that [[reference (computer science)|references]] an [[object (computer science)|object]] along with an associated set of [[access control|access rights]]. A [[user (computing)|user]] [[Computer program|program]] on a [[capability-based operating system]] must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the [[principle of least privilege]], and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses [[File-system permissions|traditional UNIX permissions]] and [[access-control list|access control lists]]. Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind. ==Introduction== Capabilities achieve their objective of improving system security by being used in place of forgeable [[reference (computer science)|references]]. A forgeable reference (for example, a [[path (computing)|path name]]) identifies an object, but does not specify which access rights are appropriate for that object and the user program which holds that reference. Consequently, any attempt to access the referenced object must be validated by the operating system, based on the [[ambient authority]] of the requesting program, typically via the use of an [[access-control list]] (ACL). Instead, in a system with capabilities, the mere fact that a user program possesses that capability entitles it to use the referenced object in accordance with the rights that are specified by that capability. In theory, a system with capabilities removes the need for any access control list or similar mechanism by giving all entities all and only the capabilities they will actually need. A capability is typically implemented as a [[privilege (computing)|privileged]] [[data structure]] that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. The user does not access the data structure or object directly, but instead via a [[Handle (computing)|handle]]. In practice, it is used much like a [[file descriptor]] in a traditional operating system (a traditional handle), but to access every object on the system. Capabilities are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to). Some systems have also been based on [[capability-based addressing]] (hardware support for capabilities), such as [[Plessey System 250]]. Programs possessing capabilities can perform functions on them, such as passing them on to other programs, converting them to a less-privileged version, or deleting them. The operating system must ensure that only specific operations can occur to the capabilities in the system, in order to maintain the integrity of the security policy. Capabilities as discussed in this article should not be confused with Portable Operating System Interface ([[POSIX]]) 1e/2c "[[#POSIX capabilities|Capabilities]]". The latter are coarse-grained privileges that cannot be transferred between processes. ==Examples== A capability is defined to be a protected [[object (computer science)|object]] reference which, by virtue of its possession by a user process, grants that process the capability (hence the name) to interact with an object in certain ways. Those ways might include reading data associated with an object, modifying the object, executing the data in the object as a process, and other conceivable access rights. The capability logically consists of a reference that uniquely identifies a particular object and a set of one or more of these rights. Suppose that, in a user process's memory space, there exists the following string: /etc/passwd Although this identifies a unique object on the system, it does not specify access rights and hence is not a capability. Suppose there is instead the following pair of values: /etc/passwd O_RDWR This pair identifies an object along with a set of access rights. The pair, however, is still not a capability because the user process's ''possession'' of these values says nothing about whether that access would actually be legitimate. Now suppose that the user program successfully executes the following statement: <syntaxhighlight lang="c">int fd = open("/etc/passwd", O_RDWR);</syntaxhighlight> The variable <code>fd</code> now contains the index of a file descriptor in the process's file descriptor table. This file descriptor ''is'' a capability. Its existence in the process's file descriptor table is sufficient to show that the process does indeed have legitimate access to the object. A key feature of this arrangement is that the file descriptor table is in [[kernel (operating system)|kernel memory]] and cannot be directly manipulated by the user program. ==Sharing between processes== In traditional operating systems, programs often communicate with each other and with storage using references like those in the first two examples. Path names are often passed as command-line parameters, sent via sockets, and stored on disk. These references are not capabilities, and must be validated before they can be used. In these systems, a central question is "on whose ''authority'' is a given reference to be evaluated?" This becomes a critical issue especially for processes which must act on behalf of two different authority-bearing entities. They become susceptible to a programming error known as the [[confused deputy problem]], very frequently resulting in a [[security hole]]. In a capability-based system, the capabilities themselves are passed between processes and storage using a mechanism that is known by the operating system to maintain the integrity of those capabilities. One novel approach to solving this problem involves the use of an [[Orthogonal persistence|orthogonally persistent]] operating system. In such a system, there is no need for entities to be discarded and their capabilities be invalidated, and hence require an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times; in part by performing all [[serialization]] tasks by itself, rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an [[access control]] mechanism. An example implementation is the [[Flex machine]] from the early 1980s. ==POSIX capabilities== Portable Operating System Interface (POSIX) draft 1003.1e specifies a concept of permissions called "capabilities". However, POSIX capabilities differ from capabilities in this article. A POSIX capability is not associated with any object; a process having CAP_NET_BIND_SERVICE capability can listen on any TCP port under 1024. This system is found in Linux.<ref>{{man|7|capabilities|Linux}}</ref> In contrast, [[Capsicum (Unix)|Capsicum]] Unix hybridizes a true capability-system model with a Unix design and POSIX API. Capsicum capabilities are a refined form of file descriptor, a delegable right between processes and additional object types beyond classic POSIX, such as processes, can be referenced via capabilities. In Capsicum capability mode, processes are unable to utilize global namespaces (such as the filesystem namespace) to look up objects, and must instead inherit or be delegated them. This system is found natively in FreeBSD, but patches are available to other systems.<ref>{{man|4|capsicum|FreeBSD}}</ref> ==Implementations== Notable research and commercial systems employing capability-based security include the following: * [[Tahoe-LAFS]], an open-source capability-based filesystem * [[GNOSIS]], an operating system developed at [[Tymshare]] **[[KeyKOS]], successor to GNOSIS *** EROS, The [[Extremely Reliable Operating System]], successor to KeyKOS * [[Cambridge CAP computer]] * [[Hydra (operating system)]], part of the [[C.mmp]] project at [[Carnegie Mellon University]] * StarOS, part of the CM* project at [[Carnegie Mellon University]] * IBM [[System/38]] and [[AS/400]] * [[Intel iAPX 432]] * [[Plessey 250|Plessey System 250]] * [[Flex machine|Flex]] * [[L4 microkernel family]]: **OKL4 from Open Kernel Labs **[[SeL4]] from NICTA **Fiasco.OC and NOVA from [[TU Dresden]] * [[Amoeba (operating system)|Amoeba]] distributed operating system * [[FreeBSD]] [[Capsicum (Unix)|Capsicum]]<ref>{{Cite web|url=https://www.freebsd.org/cgi/man.cgi?capsicum(4)|title = Capsicum(4)}}</ref><ref>[https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf Capsicum: practical capabilities for UNIX]. Retrieved 9 July 2024</ref> * [[Genode]]<ref>{{Cite web |title=Genode OS: a breath of fresh air in operating system and software security |url=https://rudd-o.com/linux-and-free-software/genode-os-a-breath-of-fresh-air-in-operating-system-and-software-security |access-date=2023-12-21 |website=Rudd-O.com |language=en}}</ref> * [[Google Fuchsia]]<ref>{{Cite web |date=2016-08-14 |title=Google's Fuchsia operating system runs on virtually anything |url=https://www.engadget.com/2016-08-13-google-fuchsia-operating-system.html |access-date=2023-12-21 |website=Engadget |language=en-US}}</ref> * [[HarmonyOS]] ([[OpenHarmony]]) <ref>{{cite web |last1=DΔckΓ½ |first1=Martin |title=Microkernel-based and Capability-based Operating Systems |url=https://d3s.mff.cuni.cz/files/teaching/nswi161/martin-decky-microkernels-capabilities.pdf |website=D3S |access-date=23 December 2023}}</ref><ref>{{Cite web |title=docs/en/application-dev/security/accesstoken-overview.md at master Β· openharmony/docs |url=https://github.com/openharmony/docs/blob/master/en/application-dev/security/accesstoken-overview.md |access-date=2024-05-04 |website=GitHub |language=en}}</ref><ref>{{Cite web |last=DARKNAVY |date=2024-06-11 |title=AVSS Report: System Security Adversarial Capability Preliminary Evaluation of iOS, Android, and HarmonyOS - Kernel |url=https://www.darknavy.org/blog/avss_report_kernel/ |access-date=2024-07-04 |website=DARKNAVY |language=en}}</ref> *[[Phantom OS]]<ref>{{cite web |last1=Dziuba |first1=Ted |title=Russian rides Phantom to OS immortality |url=https://www.theregister.com/2009/02/03/phantom_russian_os/ |website=The Register |access-date=31 December 2023}}</ref> * [[WebAssembly]] System Interface (WASI) ==References== {{Reflist}} * Levy, Henry M., ''*[http://portal.acm.org/citation.cfm?id=538134&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 Capability-Based Computer Systems]'', Digital Equipment Corporation 1984. {{ISBN|0-932376-22-3}}. An electronic version is available [http://www.cs.washington.edu/homes/levy/capabook/ here]. * [https://web.archive.org/web/20031029002231/http://www.eros-os.org/ The EROS Project] * [[E programming language|E]], a programming language based around capability security ([http://www.erights.org/ ERights.org]) * Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro. ''Capability Myths Demolished'', Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University. [http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf Available online.] * [http://www.cs.washington.edu/homes/levy/capabook/Chapter5.pdf The Cambridge CAP Computer], Levy, 1988 ==Further reading== * [[Capability-based addressing]]: {{cite journal | author= Theodore A. Linden |title=Operating System Structures to Support Security and Reliable Software | journal = [[ACM Computing Surveys]] | pages=409β445 | volume=8 | issue=4 |date=December 1976 |issn=0360-0300 | doi= 10.1145/356678.356682 | hdl=2027/mdp.39015086560037 |s2cid=16720589 | hdl-access=free }} * [[Li Gong (computer scientist)|Li Gong]], ''[http://doi.ieeecomputersociety.org/10.1109/SECPRI.1989.36277 A Secure Identity-Based Capability System]'', sp, p. 56, 1989 IEEE Symposium on Security and Privacy, 1989 * [http://portal.acm.org/citation.cfm?id=361070&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 Capability-based addressing] * [http://portal.acm.org/citation.cfm?id=850709&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 A hardware implementation of capability-based addressing] * [http://portal.acm.org/citation.cfm?id=850701&coll=&dl=ACM&CFID=15151515&CFTOKEN=6184618 An implementation of capabilities on the PDP-11/45] * [http://portal.acm.org/citation.cfm?id=801885&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 IBM System/38 support for capability-based addressing] * [http://portal.acm.org/citation.cfm?id=319163&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 EROS: a fast capability system] POSIX "capabilities" in Linux: * [http://www.friedhoff.org/posixfilecaps.html POSIX Capabilities & Files] * [http://www.ibm.com/developerworks/library/l-posixcap/ POSIX file capabilities: Parceling the power of root] * [http://www.linuxjournal.com/magazine/making-root-unprivileged Making Root Unprivileged] * [http://www.sevagas.com/?POSIX-file-capabilities-the-dark Security issues and new risks linked to POSIX file capabilities] * [http://man7.org/linux/man-pages/man7/capabilities.7.html Linux manual page for "capabilities(7)"] * [https://www.vultr.com/docs/working-with-linux-capabilities Working with Linux capabilities] ==External links== * [https://archive.today/20130112225523/http://www.eros-os.org/essays/capintro.html "What is a Capability?"] * [https://archive.today/20130414162939/http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html Reviews of 'Capability Myths Demolished'] * [http://www.cap-lore.com/CapTheory/index.html Capability Theory by Sound Bytes] {{Object-capability security}} {{DEFAULTSORT:Capability-Based Security}} [[Category:Computer security models]] [[Category:Access control]] [[Category:Capability systems| ]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Cite journal
(
edit
)
Template:Cite web
(
edit
)
Template:ISBN
(
edit
)
Template:Man
(
edit
)
Template:Object-capability security
(
edit
)
Template:Reflist
(
edit
)
Template:Short description
(
edit
)