Tagged/Capability Architectures

Conventional computer architectures provide little or no hardware support for enforcing data security. Access control, if implemented, is left to the operating system, which typically means that access lists are maintained by the system on a per-object basis. However, a class of machines called capability architectures exists in which hardware support for security checking has been implemented. Capability concepts have also been implemented at the operating-system level so that they may be utilized on processors without such hardware support. A capability is defined as a tag, token, or key that gives the possessor of the capability permissions on an entity or object [2]. It is specific to the object, not the possessor, and is usually implemented as an object identifier paired with an identifier for the particular access rights on that object. Thus, a capability system is one in which security is enforced by issuing object or process capabilities to the entities that require them rather than maintaining access control lists for each object or process. There are several benefits and consequences to such a security implementation. For example, capabilities must be unforgeable, since they are not associated with particular processes. Also, capabilities must be unmodifiable – it should not be possible for a process to change its “read” capabilities into “write” capabilities without express permission. Another property is context-independence, as any use of a capability means the same thing for any user, in whatever way it is used. Capabilities are easily transferred from one entity to another, so a process may grant its capabilities to any other process. However, once such capabilities are granted, they are not easily revoked, since the capabilities that belong to both processes are identical. Finally, by encapsulating accesses to memory, filesystems, devices, etc. with capabilities, a capability architecture can present a uniform means of access to the shared resources of a system. To visualize capability models versus access-control models, it is helpful to consider the system object access matrix. Along the horizontal axis, the system objects (files, devices, etc.) are listed, and along the vertical axis, those entities that may access objects are listed. At each intersection, access rights for that particular entity to that particular object are listed. Within this framework, the traditional access-control list consists of a column of this matrix – for each object, the system maintains a list of access permissions for the users that have access. Capability