Capability Theory by Sound Bytes

This is a collection of insights for designing capability-based systems. It may have some pertinence to object-oriented design. Here is a short introduction for the non-computer specialist.

This longish note is an excellent introduction to capabilities. It makes many important points that do not appear on my pages. Be entertained and informed, but come back. This is a good nuts-and-bolts description of why and how.

The Confused Deputy is a paper that describes a complex scenario that convinced me that capabilities were more than merely neat. Abstraction Mechanisms for Access Control shows how capabilities are largely another perspective on the protection mechanisms found in classic object languages. Mark Miller gives this Security Taxonomy, and his capability-based language E. Read at least the abstract of this paper. Here are references to a few operating systems that have followed these principles. Here are some capability ideas conveyed by a real writer, and some introductory essays by Shapiro and a suite of mail lists about capabilities and such. Alan Bomberger’s truck metaphor. Capability Myths Demolished (shorter) reports and rectifies several persistent misperceptions of capabilities. I have not internalized Fred Spiessens’ thesis, where he reasons about what programs are in a position to know and act upon concerning security. Such reasoning is important but left implicit or informal in my pages. Contrary to this article, we claim that there are computer security solutions. Here I deplore Apple’s drift toward the walled garden.

Saltzer & Schroeder wrote a comprehensive paper in 1975 on computer security. Mark Miller’s Thesis organizes and extends many of the ideas described here. Here are some other perspectives on computer security. This paper addresses some OS requirements beyond those originally considered in Keykos, but from a capability perspective. A significant paper on the excessive authority in conventional platforms. A 2012 survey of recent work.

The Sound Bytes

Notes on Keykos
Preliminary notes on seL4
Rhetorical but important The Apartment
kinds of capability systems
Two fundamental notions
Object Logic
Objects & Facets
Contrasting authority of programs in different OS Architectures
Confinement and The Factory; The Factory Patent, Observer Status, discreet, nexus on Covert channels
Fragmentary notes on Durability
Other styles of limiting information flow: Insulation
Don’t show the bits in capabilities.
The Blind Sort
Synergy: Rights Amplification, Sibling Communications, Sealers
Rescinding or Revoking

Communications Stuff

The membrane
Capabilities to Resources
Vantage Points for new functionality
Reasoning about the periphery
Application Installation, Application Structure
Rampant Protocols
Principal; On whose behalf?
Early Hardware for Security, cap oriented hardware;
System Implementation Styles
Recent Complexity Bites, Vague New Hardware Ideas, Nexus on capability mapped memory
Ruminations on “Address Space”
fragmentary disk ideas
Security GUI, too, Affordance
Nature of Trust; too
Concept Bridges for Design
The language connection
Blinding Capabilities à la Chaum
Capabilities in disguise
Other Computer Science Issues Related to Capability Designs
Upgrading object behavior
Foreign Travel
Notes on access control lists (ACL)
Metering Access to Data
Tracking access to data
Fighting over “Capability Based”
Preliminary harping on “Capabilities” for Linux.
Microsoft’s NGSCB (Palladium)
Disorganized Fragments
Feeble connection to Physics
quarter baked notes
Accretion of Software Systems
The Perimeter
Modulating Access
Bug or Feature
Cross Talk
Insecurity from anonymous messages
Capability History
Design Parameters for Capabilities
Flexible Foundations
Variations on Capability notions
Capability like Ideas
General rules for capability systems
The Luring Attack
Monopoly => Complexity?
User Interface
‘Capabilities’ in Unix
Reactions to Malware
Note on Tanenbaum’s “Can We Make Operating Systems Reliable and Secure?”
Note on Schneier’s Blog
Some limits to arguing about security
The Application Platform
Violating Rules to Enforce Rules
Web search and Security
the C-list
Bleeding Bugs
why platform
Casual Caps
Virtualizing other platforms, Virtualization as solution?
The Meeting
Explaining Abstractions
A Reliable Program

Unfinished business

External Links

Hank Levy’s book on capability hardware; λ; On Virus Filters; Language references as capabilities; VISC; BiiN Specs; Capsicum; CHERI; Cambridge MIPS Hardware; NDA; Shill (shell); Carl Ellison’s perspective on PKI. His Establishing Identity Without Certification Authorities.
Jed Donnelly’s early (first?) paper on distributed capabilities.
E’s Pluribus protocol; Some meat with types perhaps.

New E stuff: VatTP, CapTP

Mach at Apple, MIT
Mac entitlements
OsOrg is not about caps, but is a trove of info for kernels.
These people see a market; have they the technology?
Bank Security


Security of IoT and backdoors
Menger sponge