Variations on ‘What is a Capability’

There are perceptible variations on the elevator answer to “What is a Capability?”. Some of these are distinctions without a difference, some differences are real yet insignificant, and some are significant. We try here to examine some of these differences and show, in some cases, why they are insignificant.

A capability always resides within some capability system and its function can be described only within that system. Capability systems assume some combination of hardware and software that together provide the resources necessary for application code to carry out its plans. This includes denying to other applications within the same system the ability to interfere with those plans. Other technologies, such as actors, eschew hardware and ‘provided software’ but provide crypto protocols to provide similar remote cooperation along with protection from interference with plans.

I dismiss POSIX like ‘capabilities’ without further comment which are to specific to particular operations, but not to particular operands.

Permission Bits

Among systems that hide capability bits from the holder of a capability some include in their semantics a ‘permissions field’ in the capability that determines which operations on the designated object are permitted to the holder. Depending on the system these bits may be visible to the holder or not. Often there are operations for creating a new capability like an old but with some of the permission bits set to 0. This pattern predominated in early capability hardware where the classic permission bit was ‘write’ for a capability that denoted memory.

Other systems deny the existence of any permissions bits but achieve the same functionality by adding code to the behavior of any object to permissions naturally apply, that returns a weakened capability to the same object.

In Keykos there is a polymorphic order on any memory object capability to return a weaker capability to the same memory object. The data byte in a start key is often used as permissions bits by the code that defines the behavior of Keykos objects that are implements as domains. In systems where there is a visible permissions field there may be a minuscule amount of shared code to turn off permissions bits.

Visibility of permissions bits is an insignificant difference.

Messages Exclusively

Some capability systems decree that one can only invoke a capability or pass a capability in the process of invoking another capability. To invoke a capability to an object is to execute the code that defines the behavior of that object. As that code runs it has access to the passed capabilities plus capabilities held by the object before the invocation.

Other systems, such as Keykos, include kernel implemented capabilities which the kernel connives to delegate directly to the hardware. Attempts to sugar the facts so as to pretend that this is all message passing have not been entirely successful. As a result there it is possible to construct memory objects which have no rescindable version. The partial solution to this conundrum is not to construct such objects.

I see this is a slightly significant difference.

Eq?

Most capability platforms provide a primitive to compare two capabilities for equality. Some do not. Several Keykos patterns rely on this primitive and I don’t know in general how to solve the problems those patterns solve, without Eq?.

I think is a significant difference.

Efficient Synergy

Some systems provide objects that can be reliably recognized as members of some dynamically defined class. This can be done with Eq? but not efficiently.

This is practically a very significant difference.

Accountability

Some systems support applications that are not vulnerable to other application in the same platform that attempt to claim unlimited resources. As a further step some applications allow distructive recall of storage from aberrant applications. Most language based capability systems do neither.

Depending on the applications, this may be significant.

Crypto Capabilities

Here a capability is a secret and the holders of a capability are just those programs that know, or can easily compute the bits of a capability. I recall thinking that the Monash system could confine but now I think not. Such systems cannot allow data to be passed in messages or storage without also allowing capabilities there. This breaks some practiced Keykos patterns. It breaks most membrane patterns.

This is a significant difference.

This is thus a distinction in the mode of documentation.