Capability System
Capability SystemIntroduction to capabilities at the homepage of ErosOs: http://www.eros-os.org/essays/capintro.html
Quoting from the essay mentioned above:
The term capability was introduced by Dennis and Van Horn in 1966 in a paper entitled Programming Semantics for Multiprogrammed Computations [DennisAndVanHorn]. The basic idea is this: suppose we design a computer system so that in order to access an object, a program must have a special token. This token designates an object and gives the program the authority to perform a specific set of actions (such as reading or writing) on that object. Such a token is known as a capability.
A capability is a lot like the keys on your key ring. As an example, consider your car key. It works on a specific car (it designates a particular object), and anyone holding the key can perform certain actions (locking or unlocking the car, starting the car, opening the glove compartment). You can hand your car key to me, after which I can open, lock, or start the car, but only on your car. Holding your car key won't let me test drive my neighbor's Lamborghini (which is just as well -- I would undoubtedly wrap it around a tree somewhere). Note that the car key doesn't know that it's me starting the car; it's sufficient that I possess the key. In the same way, capabilities do not care who uses them.
Car keys sometimes come in several variations. Two common ones are the valet key (starts, locks, and unlocks the car, but not the glove compartment) or the door key (locks/unlocks the car, but won't start it). In exactly this way, two capabilities can designate the same object (such as the car) but authorize different sets of actions. One program might hold a read-only capability to a file while another holds a read-write capability to the same file.
As with keys, you can give me a capability to a box full of other capabilities.
Capabilities can be delegated. If you give your car key to me, you are trusting me not to hand it to somebody else. If you don't want trust me, you shouldn't hand me the key.
Capabilities can be copied. If you give me your car key, there is nothing to stop me from going down to my local car dealer and having a duplicate key made. In practice, this isn't much of a problem, because you wouldn't have handed me the key if you didn't trust me. If it comes down to desperate measures, you can change the locks on the car, making all of the keys useless. This can be done with capabilities too; it is known as severing an object, which has the effect of rescinding all capabilities. A rescinded capability conveys no authority to do anything at all.
Unfortunately, the above story is great for explaining the CapabilitiesAsKeysModel, whereas ErosOs is actually in the ObjectCapabilityModel.
See CapabilityComputing, CapabilitySecurityModel.
EditText of this page
(last edited September 21, 2004)
or FindPage with title or text search