Codie Wells
Key Logic
5200 Great America Parkway
Santa Clara, CA 95054-1108
This note originally appeared in Operating Systems Review, vol. 22 no. 4.
Carole Hogan, in a recent Operating Systems Review article [1], presented the requirements and characteristics of operating systems adhering to the principle of complete mediation. Her discussion does not apply to contemporary capability-based systems technology.
This note considers the principle of complete mediation from a capability point of view. As Hogan states: "complete mediation advocates verifying that every access to every object is authorized," but this does not support her statement that "it implies that a foolproof method for identifying the source of every request must be devised." Such is not the case in capability-based technology.
In capability-based systems the possession of a capability is sufficient authority to invoke the object it designates; requests can only be made if one holds the appropriate capability. Therefore, every request for access to an object is legitimate. Possession of a capability is like pre-authorized access privilege. Security policies enforced by capability systems have nothing to do with invoking capabilities, and have everything to do with the control of their propagation.
KeyKOS is a capability-based system [2] in production since 1983, and currently in the Developmental Evaluation Program under the auspices of the National Computer Security Center. In this system, "factories" (U.S. patent No. 4,584,639) provide for the secure creation of sets of objects in compartments with discernible external communications capabilities. Since capabilities can only be communicated between such compartments by these external communications capabilities, one can control their propagation and enforce a range of security policies.
Security policies ranging from open systems (where any user may access any object), through high-level mandatory security policies [3], to policies which support mutually suspicious users, and defeat Trojan horse, virus, and similar security threats, are supported by KeyKOS [4].
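As an added illustration of the two points made above (possession of a capability as sufficient authority, and factory-built compartments whose only propagation paths are declared external channels), the following toy model is this editor's own and is not KeyKOS code; the class names, the Counter object and the channel scheme are constructed assumptions.

```python
# Added toy model (constructed, not KeyKOS code): authority is possession of
# an unforgeable capability; the security policy lives in propagation control.

class Capability:
    """Unforgeable handle: the wrapped object is reachable only through it."""

    def __init__(self, target, methods):
        self._target = target
        self._methods = frozenset(methods)

    def invoke(self, method, *args):
        # The only check at invocation is the right this capability carries;
        # the identity of the caller is neither known nor needed.
        if method not in self._methods:
            raise PermissionError(f"capability lacks '{method}'")
        return getattr(self._target, method)(*args)


class Compartment:
    """Objects built by a factory. Capabilities enter or leave only over the
    external channels the factory declared when it built the compartment."""

    def __init__(self, name, channels):
        self.name = name
        self.held = {}                   # label -> Capability
        self.channels = dict(channels)   # channel name -> peer Compartment

    def send(self, channel, label):
        # Propagation is where policy is enforced: undeclared routes fail.
        if channel not in self.channels:
            raise PermissionError(f"{self.name}: no channel '{channel}'")
        self.channels[channel].held[label] = self.held[label]


class Factory:
    """Builds compartments and records their channels, so every possible
    propagation path is discernible to a policy reviewer."""

    def __init__(self):
        self.audit = []   # (compartment name, sorted channel names)

    def build(self, name, channels=None):
        comp = Compartment(name, channels or {})
        self.audit.append((name, sorted(comp.channels)))
        return comp


class Counter:
    # Sample object (constructed) with one write and one read method.
    def __init__(self): self.n = 0
    def bump(self): self.n += 1; return self.n
    def read(self): return self.n
```

A compartment built with an empty channel list can invoke whatever it holds but can never pass a capability out, which is the sense in which the factory's channel list is the whole policy.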