Capability-based addressing

In

kernel or some other privileged process authorised to do so. Thus, a kernel can limit application code and other subsystems access to the minimum necessary portions of memory (and disable write access where appropriate), without the need to use separate address spaces and therefore require a context switch

when an access occurs.

Practical implementations

Two techniques are available for implementation:

Require capabilities to be stored in a particular area of memory that cannot be written to by the process that will use them. For example, the Plessey System 250 required that all capabilities be stored in capability-list segments.
Extend memory with an additional bit, writable only in supervisor mode, that indicates that a particular location is a capability. This is a generalization of the use of
Burroughs large systems, and it was used to protect capabilities in the IBM System/38
.

Capability addressing in the IBM System/38 and AS/400

The System/38 supported two types of object pointer – authorized pointers, and unauthorized pointers, the former was the platform's implementation of capability-based addressing.^[2] Both types of pointer could only be manipulated using privileged instructions, and differed by whether object authorizations (i.e. access rights) were encoded in the contents of the pointer. Unauthorized pointers did not encode object authorizations, and required the operating system to check the object's authorization separately to determine if access to the object was allowed. Authorized pointers encoded object authorizations, meaning that possession of the pointer implied access, and the operating system was not required to verify authorization separately. Authorized pointers were irrevocable by design - if the object's authorizations were altered, it would not alter the encoded authorizations in any authorized pointers which already existed.

Early versions of the

AS/400 also supported authorized pointers, and by extension capability-based addressing. However, authorized pointers were removed in the V1R3 release of OS/400 as their irrevocable nature became seen as a security liability.^[3]

All versions of OS/400 (later IBM i) since rely solely on unauthorized pointers which do not support capability-based addressing.

Chronology of systems adopting capability-based addressing

1969:
System 250 – Plessey
Company

1970–77:

University of Cambridge Computer Laboratory

1978:

System/38

– IBM

1980: Flex machine – Royal Signals and Radar Establishment (RSRE) Malvern
1981: Intel iAPX 432 – Intel
2014: CHERI (adds capabilities to existing ISAs for safer programming, even in C and C++)
2020: CHEx86
2022: ARM Morello (AArch64 with CHERI capabilities)

References

ISBN 978-1-4831-0106-4
.

ISBN 978-1-4831-0106-4
.

ISBN 978-1-882419-66-1
.

Further reading

Fabry, R. S. (1974). "Capability-based addressing". S2CID 5702682
.

S2CID 8011765
.

S2CID 207736773
.

Levy, Henry M. (1984). Capability-based computer systems. Maynard, Mass: Digital Press.
ISBN 978-0-932376-22-0
.

Linden, Theodore A. (December 1976). "Operating System Structures to Support Security and Reliable Software". ACM Computing Surveys. 8 (4): 409–445.
S2CID 16720589. same document as report for US NIST

Berstis, Viktors (May 6–8, 1980). "Security and protection of data in the IBM System/38". Proceedings of the 7th annual symposium on Computer Architecture. La Baule, United States. pp. 245–252.
doi:10.1145/800053.801932
.

S2CID 14245116
.

S2CID 17390439
.

Houdek, M. E.; Soltis, F. G.; Hoffman, R. L. (May 1981). "IBM System/38 support for capability-based addressing". Proceedings of the 8th ACM International Symposium on Computer Architecture. ACM/IEEE. pp. 341–348.

Buzzard, G. D.; Mudge, T. N. (August 1983). Object-based Computer Systems and the Ada Programming Language (Report). The University of Michigan – Computer Research Laboratory and Robotics Research Laboratory Department of Electrical and Computer Engineering.
hdl:2027.42/3992
.

External links

"On the Spread of the Capability Approach". cap-talk (Mailing list). Archived from the original on 2013-04-14. Retrieved 2007-07-16.

v
t
e
Object-capability security
Concepts

Principle of least privilege (PoLP)

Confused deputy problem

Ambient authority

File descriptor

C-list

Object-capability model

Capability-based security

Capability-based addressing

Zooko's triangle

Petnames

Operating systems, kernels

Capsicum

Fuchsia

Genode

GNOSIS → KeyKOS → EROS → CapROS

Hydra

iMAX 432

Midori

NLTSS

seL4

HarmonyOS (HarmonyOS NEXT)

Phantom OS

Programming languages

Cajita

E

Joe-E

Joule

File systems

Tahoe-LAFS

Specialised hardware

BiiN

Cambridge CAP

Flex

IBM System/38

Intel iAPX 432

Plessey System 250

CHERI

Retrieved from "https://en.wikipedia.org/w/index.php?title=Capability-based_addressing&oldid=1271563151"

[1] ISBN 978-1-4831-0106-4
.

[2] ISBN 978-1-4831-0106-4
.

[3] ISBN 978-1-882419-66-1
.

[2]

[3]