Capability Theory by Sound Bytes
This is a collection of insights for designing capability-based systems.
It may have some pertinence to object-oriented design.
The Confused Deputy is a paper that describes a complex scenario that convinced me that capabilities were more than merely neat.
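The scenario from The Confused Deputy, worked as an added example (not code from this page or from cap-lore.com): a billing service that can be tricked when callers designate files by name, beside the same service with designation and authority fused into one handle. The Disk, WriteCap and Compiler classes, the file paths and the user "alice" are constructed stand-ins for the paper's compiler, its license file and its user.

```python
"""Confused deputy, shown twice: a billing-recording 'compiler' service that
is tricked when callers designate files by name, and the same service when
every file it touches arrives as a capability. Added illustration, not the
page's own code; every name below is a constructed stand-in."""

BILLING = "/sysx/billing"          # the deputy's private ledger
ALICE_OUT = "/home/alice/out"      # a file the user legitimately owns


class Disk:
    """In-memory store with an ACL: path -> contents, principal -> writable paths."""

    def __init__(self):
        self.files = {BILLING: "", ALICE_OUT: ""}
        self.acl = {
            "compiler": {BILLING, ALICE_OUT},   # the deputy may write both
            "alice": {ALICE_OUT},               # the user may write only her file
        }

    def write(self, principal, path, data):
        """ACL-style check at each access: may *principal* write *path*?"""
        if path not in self.acl.get(principal, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = data

    def open_write(self, principal, path):
        """Capability-style: check once, then hand back an unforgeable handle."""
        if path not in self.acl.get(principal, set()):
            raise PermissionError(f"{principal} may not open {path} for writing")
        return WriteCap(self, path)


class WriteCap:
    """Designates exactly one file and carries the right to write it.
    There is no name to look up, so there is nothing to be confused about."""

    def __init__(self, disk, path):
        self._disk, self._path = disk, path

    def write(self, data):
        self._disk.files[self._path] = data

    def append(self, data):
        self._disk.files[self._path] += data


def compile_by_name(disk, caller, output_name):
    """The confused deputy. It writes output wherever the caller's *name*
    points, but with the deputy's own authority, then records a charge."""
    disk.write("compiler", output_name, "OBJECT-CODE\n")
    disk.write("compiler", BILLING, disk.files[BILLING] + f"{caller}:1 unit\n")


class Compiler:
    """The same deputy, but with its own authority (the billing cap) and the
    caller's authority (the output cap) as distinct objects. Neither side can
    name its way into the other's file."""

    def __init__(self, billing_cap):
        self._billing = billing_cap

    def compile(self, caller, output_cap):
        output_cap.write("OBJECT-CODE\n")
        self._billing.append(f"{caller}:1 unit\n")


def run_name_based():
    """Alice names the billing file as her 'output'. The deputy holds the
    right to write it, so the ledger is clobbered. Returns the ledger."""
    disk = Disk()
    compile_by_name(disk, "alice", BILLING)
    return disk.files[BILLING]


def run_capability_based():
    """Alice can pass only capabilities she holds. Returns
    (ledger contents, alice's output, whether she could get a billing cap)."""
    disk = Disk()
    compiler = Compiler(disk.open_write("compiler", BILLING))
    try:
        disk.open_write("alice", BILLING)
        got_billing_cap = True
    except PermissionError:
        got_billing_cap = False
    compiler.compile("alice", disk.open_write("alice", ALICE_OUT))
    return disk.files[BILLING], disk.files[ALICE_OUT], got_billing_cap


if __name__ == "__main__":
    print("name-based ledger:", repr(run_name_based()))
    print("capability ledger, output, alice got billing cap:", run_capability_based())
```

In the name-based run the ledger ends up holding object code, because the deputy exercised its own authority on a name chosen by the caller. In the capability run the deputy never sees a string it could be confused about; the only way for Alice to damage the ledger would be to hold a WriteCap for it, which the one-time check in open_write refuses her. The ACL check inside open_write is only the bootstrap for this toy; in a capability system the user would have received her output capability at the file's creation.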
Abstraction Mechanisms for Access Control shows how capabilities are largely another perspective on the protection mechanisms found in classic object languages.
Mark Miller gives this Security Taxonomy, and his capability-based language E.
Here are a few references to operating systems that have followed these principles.
Here are some capability ideas conveyed by a real writer, some introductory essays by Shapiro, and a suite of mailing lists about capabilities and related topics.
Capability Myths Demolished reports and rectifies several persistent misperceptions of capabilities.
I have not internalized Fred Spiessens’s thesis, where he reasons about what programs are in a position to know and act upon concerning security.
Such reasoning is left implicit and unidentified in my pages.
Saltzer & Schroeder wrote a comprehensive paper in 1975 on computer security.
Here are some other perspectives on computer security.
The Sound Bytes
A slightly intemperate Introduction
Glossary
The Natural Security of Capabilities
About names:
Name as Parameter
Don’t separate names and authority.
Names and Capabilities
The PC and the U.S. Congress
My musings about Disney inside
Make Everything into an object.
Objects & Facets
Don’t Prohibit what you can’t Prevent.
Authority and the User
Other Stakeholders in the Private Computer
Building your own Security Mechanisms
Contrasting authority of programs in different OS Architectures
Notes on Keykos
Confinement and The Factory
The Factory Patent
Observer Status
Nexus on Covert Channels
Fragmentary notes on Durability
Other styles of limiting information flow: Insulation
Auditing
Don’t show the bits in capabilities.
Synergy: Rights Amplification, Sibling Communications
Rescinding or Revoking
Transferring Rights
EQ
The word “Authority”
Communications Stuff
Capabilities to Resources
Vantage Points for new functionality
Reasoning about the periphery
Law and Order among Installers
Rampant Protocols
Principal: on whose behalf?
Notes on trusting guest code
Early Hardware for Security
Recent Complexity Bites
Ruminations on “Address Space”
Security GUI, too
The Apartment
Nature of Trust
Concept Bridges for Design
The language connection
Blinding Capabilities à la Chaum
Capabilities in disguise
Other Computer Science Issues Related to Capability Designs
Upgrading object behavior
Foreign Travel
Notes on access control lists (ACL)
Metering Access to Data
Tracking access to data
Fighting over “Capability Based”
Preliminary harping on “Capabilities” for Linux.
Microsoft’s NGSCB (Palladium)
Disorganized Fragments
Feeble connection to Physics
Quarter-baked notes
Patterns
On Virus Filters
Accretion of Software Systems
The Perimeter
Modulating Access
Bug or Feature
Cross Talk
Insecurity from anonymous messages
Capability History
Capability like Ideas
The Luring Attack
Monopoly => Complexity?
User Interface
Unix as Capability System
Note on Tanenbaum’s “Can We Make Operating Systems Reliable and Secure?”