Capability-based security
Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses hierarchical protection domains.
Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind.
Capabilities as discussed in this article should not be confused with POSIX 1e/2c "Capabilities". The latter are coarse-grained privileges that cannot be transferred between processes.
Capabilities and capability-based security
Capabilities achieve their objective of improving system security by being used in place of forgeable references. A forgeable reference (for example, a path name) identifies an object, but does not specify which access rights are appropriate for that object and the user program which holds that reference. Consequently, any attempt to access the referenced object must be validated by the operating system, typically via the use of an access control list (ACL). Instead, in a system with capabilities, the mere fact that a user program possesses that capability entitles it to use the referenced object in accordance with the rights that are specified by that capability. In theory, a system with capabilities removes the need for any access control list or similar mechanism by giving all entities all and only the capabilities they will actually need.
A capability is typically implemented as a privileged data structure that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. In practice, it is used much like a file descriptor in a traditional operating system, but to access every object on the system. Capabilities are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to). Some systems have also been based on capability-based addressing (hardware support for capabilities), such as Plessey System 250.
Programs possessing capabilities can perform functions on them, such as passing them on to other programs, converting them to a less-privileged version, or deleting them. The operating system must ensure that only specific operations can occur to the capabilities in the system, in order to maintain the integrity of the security policy.
Introduction to capability-based security
(The following introduction assumes some basic knowledge of Unix systems.)
A capability is defined to be a protected object reference which, by virtue of its possession by a user process, grants that process the capability (hence the name) to interact with an object in certain ways. Those ways might include reading data associated with an object, modifying the object, executing the data in the object as a process, and other conceivable access rights. The capability logically consists of a reference that uniquely identifies a particular object and a set of one or more of these rights.
Suppose that, in a user process's memory space, there exists the following string:
/etc/passwd
Although this identifies a unique object on the system, it does not specify access rights and hence is not a capability. Suppose that instead there are the following two values:
/etc/passwd
O_RDWR
This identifies an object along with a set of access rights. It, however, is still not a capability because the user process's possession of these values says nothing about whether that access would actually be legitimate.
Now suppose that the user program successfully executes the following statement:
int fd = open("/etc/passwd", O_RDWR);
The variable fd now contains the index of a file descriptor in the process's file descriptor table. This file descriptor is a capability. Its existence in the process's file descriptor table is sufficient to know that the process does indeed have legitimate access to the object. A key feature of this arrangement is that the file descriptor table is in kernel memory and cannot be directly manipulated by the user program.
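The following C program is an added illustration, not part of the article. It exercises on a constructed temporary file the three properties the text attributes to a descriptor: the rights are fixed at open() time and checked by the kernel on every use, a guessed descriptor number is not a capability, and the authority stays with the descriptor even after the path name can no longer be opened. The temporary file path and the numeric step codes are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Exercises the capability-like behaviour of a Unix file descriptor.
 * Returns 0 on success, otherwise the number of the step that failed. */
int fd_capability_demo(void) {
    char path[] = "/tmp/capdemo-XXXXXX";   /* constructed temp file, not from the article */
    const char msg[] = "capability";
    const ssize_t len = (ssize_t)(sizeof msg - 1);
    char buf[32];

    int tmp = mkstemp(path);
    if (tmp < 0) return 1;
    if (write(tmp, msg, (size_t)len) != len) { close(tmp); unlink(path); return 2; }
    close(tmp);

    /* Step 1: a read-only descriptor carries only the read right; the kernel
     * rejects a write through it regardless of who the caller is. */
    int ro = open(path, O_RDONLY);
    if (ro < 0) { unlink(path); return 3; }
    if (write(ro, "x", 1) != -1 || errno != EBADF) return 4;
    memset(buf, 0, sizeof buf);
    if (pread(ro, buf, sizeof buf - 1, 0) != len || strcmp(buf, msg) != 0) return 5;

    /* Step 2: an integer the kernel never issued is not a capability. */
    if (write(12345, "x", 1) != -1 || errno != EBADF) return 6;

    /* Step 3: authority is bound to the descriptor, not to the name.  Once every
     * permission bit is cleared, a fresh open() of the path is refused for a
     * non-root process, yet the descriptor obtained earlier still reads. */
    if (chmod(path, 0) != 0) return 7;
    int again = open(path, O_RDONLY);
    if (geteuid() != 0 && (again != -1 || errno != EACCES)) return 8;
    if (again >= 0) close(again);            /* root bypasses DAC, so only tidy up */
    memset(buf, 0, sizeof buf);
    if (pread(ro, buf, sizeof buf - 1, 0) != len || strcmp(buf, msg) != 0) return 9;

    close(ro);
    unlink(path);
    return 0;
}

int main(void) {
    int rc = fd_capability_demo();
    printf("fd_capability_demo: %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```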
Sharing of capabilities between processes
In traditional operating systems, programs often communicate with each other and with storage using references like those in the first two examples. Path names are often passed as command-line parameters, sent via sockets, and stored on disk. These references are not capabilities, and must be validated before they can be used. In these systems, a central question is "on whose authority is a given reference to be evaluated?" This becomes a critical issue especially for processes which must act on behalf of two different authority-bearing entities. They become susceptible to a programming error known as the confused deputy problem, very frequently resulting in a security hole.
In a capability-based system, the capabilities themselves are passed between processes and storage using a mechanism that is known by the operating system to maintain the integrity of those capabilities.
Although many operating systems implement facilities very similar to capabilities through the use of file descriptors or file handles — for example, in UNIX, file descriptors can be discarded (closed), inherited by child processes, and even sent to other processes via sockets — there are several obstacles that prevent all of the benefits of a capability-based addressing system from being realized in a traditional operating system environment. Chief among these obstacles is the fact that entities which might hold capabilities (such as processes and files) cannot be made persistent in such a way that maintains the integrity of the secure information that a capability represents. The operating system cannot trust a user program to read back a capability and not tamper with the object reference or the access rights, and has no built-in facilities to control such tampering. Consequently, when a program wishes to regain access to an object that is referenced on disk, the operating system must have some way of validating that access request, and an access control list or similar mechanism is mandated.
One novel approach to solving this problem involves the use of an orthogonally persistent operating system. (This was realised in the Flex machine. See Ten15.) In such a system, there is no need for entities to be discarded and their capabilities invalidated, and hence no need for an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times, in part by performing all serialization tasks by itself, rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an access control mechanism.
POSIX Capabilities
POSIX draft 1003.1e specifies a concept of permissions called "capabilities". However, POSIX capabilities differ from the capabilities discussed in this article: a POSIX capability is not associated with any object. For example, a process holding the CAP_NET_BIND_SERVICE capability can listen on any TCP port under 1024.
Research and commercial systems
- Tahoe-LAFS - Open Source capability-based filesystem
- KeyKOS
- EROS - The Extremely Reliable Operating System - KeyKOS successor
- CapROS - EROS successor, project to further develop EROS code base for commercial use
- Coyotos - EROS successor, for research
- kaneton
- Cambridge CAP computer
- Carnegie Mellon University C.mmp with Hydra (operating system)
- Carnegie Mellon University CM* with StarOS
- IBM System/38 and AS/400
- Intel iAPX 432
- Plessey System 250
- Symbian
- Flex
- L4 microkernel - Open Kernel Labs - OKL4 and NICTA - seL4, TU-Dresden - Fiasco.OC
- Amoeba distributed operating system
- Capsicum: practical capabilities for UNIX
- CTSRD - Rethinking the hardware-software security interface
External links
- The cap-talk mailing list
- Reviews of 'Capability Myths Demolished': some criticism of that paper.
- What is a Capability?: an informal introduction to capabilities.
- Rick Smith interviews Jonathan Shapiro, designer of EROS, in 2000.
- Capability Theory by Sound Bytes
- History of the Capability Approach