Features of Capability Systems
A Field Guide for Capability Systems
Early Design Freezes
1. Can't read the bits: a cap cannot be turned into bits.
2. Can't write the bits: bits cannot be turned into a cap.
3. All interactions are by caps.
4. Caps are invoked by using them to address a message.
5. Caps can be passed in messages.
6. Caps can be detected in messages and in memory.
7. Non-delegatable caps (caps that cannot be included in messages).
8. A stack or other continuation mechanism.
9. Revocability.
10. Turn code into behavior: new behavior can be added.
11. Caps can define memory (RO or RW).
12. Weak or sensory memory caps.
13. Synergy: caps can be compared for equality.
14. Efficient synergy: sealers or brands.
15. Caps for space authority.
16. Caps for processing authority.
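Added example, not from the original page, of #13 and #14 in JavaScript (the usual vehicle for object-capability demonstrations): a sealer/unsealer pair in the manner of E's makeBrandPair, built on a WeakMap, and then a mint whose purses use that brand for rights amplification. Plain synergy (#13) would let a purse recognize a sibling only by comparing it against a list of known purses; the brand gives the same recognition in one unseal step. The names makeBrandPair, makeMint, getDecr and deposit are this example's own.

```javascript
// Added example (not from the original page).  A sealer/unsealer pair, the
// "brand" of #14.  A sealed box exposes no readable bits (#1) and cannot be
// rebuilt from bits (#2): only the matching unsealer recovers the payload.
function makeBrandPair(name) {
  const contents = new WeakMap(); // box -> payload, reachable only from this closure

  function seal(payload) {
    const box = Object.freeze({ toString: () => `<box sealed by ${name}>` });
    contents.set(box, payload);
    return box;
  }

  function unseal(box) {
    if (!contents.has(box)) throw new TypeError(`not sealed by brand ${name}`);
    return contents.get(box);
  }

  return Object.freeze({ seal, unseal });
}

// Rights amplification with the brand: a mint whose purses recognize each
// other.  deposit() needs two caps, the receiving purse and the source purse;
// neither alone can move money.  The decrement authority plays the role of a
// C++ private member: only code holding this mint's unsealer reaches it.
function makeMint(currency) {
  const { seal, unseal } = makeBrandPair(currency);

  function makePurse(initialBalance) {
    let balance = initialBalance;

    // Private operation: debit this purse.  Never handed out unsealed.
    const decr = (amount) => {
      if (!Number.isInteger(amount) || amount < 0) throw new RangeError('bad amount');
      if (amount > balance) throw new RangeError('insufficient funds');
      balance -= amount;
    };

    const purse = Object.freeze({
      currency,
      getBalance: () => balance,
      sprout: () => makePurse(0),   // a new, empty purse of the same mint
      getDecr: () => seal(decr),    // opaque to everyone but this mint
      deposit(amount, src) {
        // Amplification: a successful unseal proves src belongs to *this* mint.
        // A purse of another mint, or a forged object, fails here and no
        // balance changes.  The source is debited before we credit ourselves,
        // so an overdraft leaves both purses untouched.
        const srcDecr = unseal(src.getDecr());
        srcDecr(amount);
        balance += amount;
      },
    });
    return purse;
  }

  return Object.freeze({ makePurse });
}

// Walk through one transfer, one cross-mint attempt and one forgery attempt.
function demoMint() {
  const mintA = makeMint('A');
  const a1 = mintA.makePurse(100);
  const a2 = a1.sprout();
  a2.deposit(30, a1); // same mint: succeeds
  const b1 = makeMint('B').makePurse(50);
  const rejected = (f) => { try { f(); return false; } catch (e) { return e instanceof TypeError; } };
  return {
    a1: a1.getBalance(),
    a2: a2.getBalance(),
    b1: b1.getBalance(),
    crossMintRejected: rejected(() => a2.deposit(10, b1)),
    forgeryRejected: rejected(() => a2.deposit(5, { getDecr: () => ({}) })),
  };
}
```

Nothing in a box is comparable for equality with anything but itself, so the only way to learn what it holds is to possess the unsealer; that is the whole of the "efficient" in efficient synergy.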
Notes
#1 and #2 are redundant, but beware that reading bits from a cap may indirectly reveal secrets.
#3 needs qualification concerning noise (covert channels).
#6: if code comes from an untrusted source, one may need to know what caps it holds before turning it into behavior (#10).
Membranes also require #6: every message crossing a membrane must be searched for caps so that they can be wrapped.
#7 is an anti-feature, I think.
#8 is necessary if the code that defines objects is itself subject to capability discipline.
#9 by indirection, I presume.
Without #14, the equivalent of C++'s private attribute and membranes are impossible.
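Added example, not from the original page, for the notes on #6, #9 and membranes: a revocable membrane in JavaScript built on Proxy and WeakMap. Revocation is by indirection (the outside world only ever holds proxies, and one flag severs all of them), every message crossing the membrane in either direction is searched for caps, which are wrapped, and wrapping is identity-preserving so that caps can still be compared for equality (#13) on either side. makeMembrane, makeLog and demoMembrane are this example's own names; the log object is constructed sample data.

```javascript
// Added example (not from the original page).  A revocable, identity-preserving
// membrane around a "wet" (inside) object.  Outsiders hold only "dry" proxies;
// setting the single `revoked` flag severs every reference that ever crossed
// the membrane, in both directions.
function makeMembrane(wetTarget) {
  let revoked = false;
  const gate = () => { if (revoked) throw new Error('membrane revoked'); };

  const wetToDry = new WeakMap();  // inside original -> proxy handed outside
  const dryToWet = new WeakMap();  // outside original -> proxy handed inside
  const originals = new WeakMap(); // any membrane proxy -> the object it wraps

  // Move one value across the membrane.  Bits (primitives) pass untouched; caps
  // (objects and functions) are wrapped exactly once per direction, so the same
  // cap always crosses to the same proxy and equality comparisons keep working.
  function cross(value, toDry) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      return value;
    }
    if (originals.has(value)) return originals.get(value); // crossing back: unwrap
    const cache = toDry ? wetToDry : dryToWet;
    if (cache.has(value)) return cache.get(value);

    const handler = {
      get(target, key) {
        gate();
        return cross(Reflect.get(target, key), toDry);
      },
      set(target, key, v) {
        gate();
        return Reflect.set(target, key, cross(v, !toDry));
      },
      has(target, key) {
        gate();
        return Reflect.has(target, key);
      },
      // A message to a wrapped function: `this` and every argument are searched
      // for caps and wrapped in the opposite direction; so is the result.
      apply(target, thisArg, args) {
        gate();
        const result = Reflect.apply(target, cross(thisArg, !toDry),
          args.map((a) => cross(a, !toDry)));
        return cross(result, toDry);
      },
    };
    const proxy = new Proxy(value, handler);
    cache.set(value, proxy);
    originals.set(proxy, value);
    return proxy;
  }

  return Object.freeze({
    dry: cross(wetTarget, true),
    revoke() { revoked = true; },
  });
}

// Constructed sample object living inside the membrane.  Deliberately not
// frozen: a Proxy must report frozen data properties unchanged, so a production
// membrane wraps frozen objects through a shadow target instead.
function makeLog() {
  const lines = [];
  const listeners = [];
  const log = {
    append(line) { lines.push(line); return log; },      // returns itself
    read() { return lines.slice(); },
    subscribe(listener) { listeners.push(listener); },   // outside cap passed inward
    notify(line) { for (const l of listeners) l(line); },
  };
  return log;
}

// Life of one membrane, reported as plain values.  Usage: console.log(demoMembrane());
function demoMembrane() {
  const wet = makeLog();
  const { dry, revoke } = makeMembrane(wet);
  const seen = [];
  const threwRevoked = (f) => { try { f(); return false; } catch (e) { return /revoked/.test(e.message); } };

  const sameIdentity = dry.append('hello') === dry; // #13 holds across the membrane
  const snapshot = dry.read();                      // an array, itself proxied
  const firstLine = snapshot[0];                    // bits pass through unwrapped
  dry.subscribe((line) => seen.push(line));         // outside cap goes inward, wrapped
  wet.notify('event');                              // inside calls out through the membrane

  revoke();                                         // one flag: every proxy dies
  return {
    sameIdentity,
    firstLine,
    seenBeforeRevoke: seen.slice(),
    dryDead: threwRevoked(() => dry.read()),
    oldResultDead: threwRevoked(() => snapshot[0]),
    inwardCapDead: threwRevoked(() => wet.notify('late')),
    seenAfterRevoke: seen.slice(),
  };
}
```

Only the traps the demo exercises are shown; a complete membrane also traps ownKeys, getPrototypeOf, defineProperty, deleteProperty and construct, every one of them gated and crossing its results, or the inside leaks out through the untrapped operation.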
I do not try here to analyze using secrets as capabilities.
I do not claim that secrets cannot serve as capabilities.
The art of using secrets for caps merges into crypto, which is hard.
Using secrets seems incompatible with some goals such as confinement.
These design freezes affect both kernel (or runtime) design and application design.
Some code will not care about #11 through #16.
Similar note