Capability Foundations

It has just occurred to me that a top-level perspective on the Keykos design is that capabilities are at the foundation of security, in a way that they are not, for instance, in Java or in the AS/400 design. This perspective is most in evidence in the note on custom security, where it nearly comes to the surface. In that note we observe that, by the strategic wielding and withholding of capabilities, a very large world of security policies can be implemented without change to the underlying TCB.

First, to contrast with Java, I note the similarity of object references to capabilities. Security-sensitive matters, however, are supposed by the designers of the Java libraries to be handled by a separate security policy module (the SecurityManager): holding a reference is not by itself enough to use it. By contrast, Keykos can hold to the simple and efficient rule that holding a capability is necessary and sufficient to invoke it.
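The following toy model, added here and not code from the Keykos notes, puts the two disciplines side by side. The first half is the policy-module pattern: a reference to the file is not sufficient, and every sensitive call consults an ambient, mutable policy keyed on who the runtime believes the caller is. The second half is the capability rule: holding the object is necessary and sufficient, and the read-only, revocable and combined policies are expressed entirely by which (attenuated) reference is handed to the untrusted code, with the underlying File class untouched. All class and function names are hypothetical.

```python
# Toy contrast of policy-module authority and capability authority.
# Added example; not Keykos or Java library code. Names are hypothetical.

# --- Policy-module style ----------------------------------------------------
# A reference is NOT sufficient: each sensitive call consults ambient state.
CURRENT_PRINCIPAL = None                      # caller identity the runtime must track
POLICY = {("alice", "/etc/motd", "read")}     # global, mutable decision table


class PolicyCheckedFile:
    def __init__(self, path, contents):
        self.path = path
        self.contents = contents

    def _check(self, op):
        if (CURRENT_PRINCIPAL, self.path, op) not in POLICY:
            raise PermissionError(f"{CURRENT_PRINCIPAL!r} may not {op} {self.path}")

    def read(self):
        self._check("read")
        return self.contents

    def write(self, data):
        self._check("write")
        self.contents = data


def run_policy_module_demo():
    """Same reference, different outcomes depending on ambient state."""
    global CURRENT_PRINCIPAL
    motd = PolicyCheckedFile("/etc/motd", "hello")
    results = {}
    CURRENT_PRINCIPAL = "alice"
    results["alice_read"] = motd.read()
    CURRENT_PRINCIPAL = "bob"
    try:
        motd.read()
        results["bob_read"] = "allowed"
    except PermissionError:
        results["bob_read"] = "denied"
    # The policy table changes behind the object's back; bob's reference did not.
    POLICY.add(("bob", "/etc/motd", "read"))
    results["bob_read_after_policy_edit"] = motd.read()
    return results


# --- Capability style -------------------------------------------------------
class File:
    """Holding a File is necessary and sufficient to read and write it.
    No global file table, no identity check inside."""
    def __init__(self, contents):
        self._contents = contents

    def read(self):
        return self._contents

    def write(self, data):
        self._contents = data


class ReadOnlyFacet:
    """Attenuation: forwards read, withholds write. File itself is unchanged."""
    def __init__(self, target):
        self._target = target

    def read(self):
        return self._target.read()


def make_revocable(target):
    """Return (facet, revoke). The facet forwards until revoke() is called."""
    holder = [target]

    class Facet:
        def read(self):
            if holder[0] is None:
                raise PermissionError("capability revoked")
            return holder[0].read()

        def write(self, data):
            if holder[0] is None:
                raise PermissionError("capability revoked")
            holder[0].write(data)

    def revoke():
        holder[0] = None

    return Facet(), revoke


def untrusted_consumer(cap):
    """Code we do not trust: it can act only through what it was handed."""
    out = {"read": cap.read()}
    try:
        cap.write("defaced")
        out["write"] = "succeeded"
    except (AttributeError, PermissionError):
        out["write"] = "refused"
    return out


def run_capability_demo():
    motd = File("hello")
    results = {}
    # Policy 1: read-only access, by withholding the write method.
    results["readonly"] = untrusted_consumer(ReadOnlyFacet(motd))
    # Policy 2: full but revocable access, via a forwarder we keep the switch for.
    facet, revoke = make_revocable(motd)
    results["before_revoke"] = untrusted_consumer(facet)
    revoke()
    try:
        facet.read()
        results["after_revoke"] = "still readable"
    except PermissionError:
        results["after_revoke"] = "revoked"
    results["final_contents"] = motd.read()
    # Policy 3: the two compose, still without touching File.
    facet2, _revoke2 = make_revocable(ReadOnlyFacet(File("secret")))
    results["revocable_readonly"] = untrusted_consumer(facet2)
    return results
```

Note what changed between the three capability policies: nothing in File, which plays the role of the TCB. Each policy is a new object interposed between File and the consumer, and the consumer cannot tell the difference because it has no ambient route to the file other than the reference it was given. In the policy-module half, by contrast, the outcome of an unchanged call depends on two pieces of global state that the object cannot see being edited.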

The AS/400 has a concept of “authorized capabilities” in contrast to unauthorized ones. Authorizing a capability, when it has to be done, is slow, and it involves the same patterns that cause security problems in Unix.