Capability-based addressing
In computer science, capability-based addressing is a scheme used by some computers to control access to memory as an efficient implementation of capability-based security. Under a capability-based addressing scheme, pointers are replaced by protected objects (called capabilities) which specify both a location in memory and the access rights that define the set of operations which may be carried out on that location.{{cite book | last=Levy | first=Henry M. | title=Capability-Based Computer Systems | chapter=Capability and Object-Based System Concepts | chapter-url=https://homes.cs.washington.edu/~levy/capabook/Chapter1.pdf | publisher=Digital Press | date=2014-05-16 | isbn=978-1-4831-0106-4 | pages=3–4}} Capabilities can be created or modified only through privileged instructions, which may be executed only by the kernel or by some other privileged process authorised to do so. A kernel can therefore confine application code and other subsystems to the minimum necessary portions of memory (and withhold write access where appropriate) without placing them in separate address spaces, and so without requiring a context switch on each access.
Practical implementations
Two techniques are available for implementation:
- Require capabilities to be stored in a particular area of memory that cannot be written to by the process that will use them. For example, the Plessey System 250 required that all capabilities be stored in capability-list segments.
- Extend memory with an additional bit, writable only in supervisor mode, that indicates that a particular location is a capability. This is a generalization of the use of tag bits to protect segment descriptors in the Burroughs large systems, and it was used to protect capabilities in the IBM System/38.
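The second technique can be seen in a small simulated machine. The following C program is an added illustration, not code from the original page or from any of the systems it names: every memory word carries a tag bit that only a "supervisor" routine may set, an ordinary data store clears the tag, and every load or store through a capability is checked against the capability's bounds and permissions. The word layout, the status codes and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model (not from the original text or any real machine): a tiny
 * memory of tagged words. The tag can be set only by sup_store_cap(); any
 * unprivileged data store clears it, so user code cannot forge a capability
 * simply by writing the right bit pattern. */
#define MEM_WORDS 64u

enum { PERM_READ = 1, PERM_WRITE = 2 };
enum { OK = 0, E_NOTCAP = 1, E_BOUNDS = 2, E_PERM = 3, E_SLOT = 4 };

typedef struct {
    uint64_t word[MEM_WORDS];
    uint8_t  tag[MEM_WORDS];   /* 1 = this word holds a valid capability */
} machine;

/* Assumed capability layout inside a 64-bit word:
 * bits 0-23 base word, bits 24-47 length in words, bits 48-55 permissions. */
static uint64_t encode_cap(uint32_t base, uint32_t len, uint8_t perms) {
    return ((uint64_t)perms << 48) | ((uint64_t)(len & 0xFFFFFFu) << 24) | (base & 0xFFFFFFu);
}
static void decode_cap(uint64_t w, uint32_t *base, uint32_t *len, uint8_t *perms) {
    *base  = (uint32_t)(w & 0xFFFFFFu);
    *len   = (uint32_t)((w >> 24) & 0xFFFFFFu);
    *perms = (uint8_t)((w >> 48) & 0xFFu);
}

/* Supervisor-only: mint a capability into slot and set its tag. */
int sup_store_cap(machine *m, uint32_t slot, uint32_t base, uint32_t len, uint8_t perms) {
    if (slot >= MEM_WORDS || base > MEM_WORDS || len > MEM_WORDS - base) return E_SLOT;
    m->word[slot] = encode_cap(base, len, perms);
    m->tag[slot] = 1;
    return OK;
}

/* Unprivileged data store: overwriting any word clears its tag. */
int user_store_raw(machine *m, uint32_t slot, uint64_t value) {
    if (slot >= MEM_WORDS) return E_SLOT;
    m->word[slot] = value;
    m->tag[slot] = 0;
    return OK;
}

/* Resolve capslot+index to a physical word, enforcing tag, bounds and rights. */
static int resolve(const machine *m, uint32_t capslot, uint32_t index, uint8_t need, uint32_t *phys) {
    uint32_t base, len; uint8_t perms;
    if (capslot >= MEM_WORDS) return E_SLOT;
    if (!m->tag[capslot]) return E_NOTCAP;          /* forged or clobbered: not a capability */
    decode_cap(m->word[capslot], &base, &len, &perms);
    if (index >= len) return E_BOUNDS;
    if ((perms & need) != need) return E_PERM;
    *phys = base + index;
    return OK;
}

int user_load(const machine *m, uint32_t capslot, uint32_t index, uint64_t *out) {
    uint32_t p; int rc = resolve(m, capslot, index, PERM_READ, &p);
    if (rc == OK) *out = m->word[p];
    return rc;
}
int user_store(machine *m, uint32_t capslot, uint32_t index, uint64_t value) {
    uint32_t p; int rc = resolve(m, capslot, index, PERM_WRITE, &p);
    return rc == OK ? user_store_raw(m, p, value) : rc;
}

/* Scenarios on a fresh machine; each returns the status of the final access. */
int scenario(int which) {
    machine m; uint64_t v = 0;
    memset(&m, 0, sizeof m);
    sup_store_cap(&m, 0, 16, 8, PERM_READ | PERM_WRITE);   /* slot 0: words 16..23, rw */
    sup_store_cap(&m, 1, 32, 4, PERM_READ);                /* slot 1: words 32..35, ro */
    switch (which) {
    case 0: user_store(&m, 0, 3, 42);
            return (user_load(&m, 0, 3, &v) == OK && v == 42) ? OK : -1;
    case 1: return user_store(&m, 0, 8, 1);                /* one word past the end */
    case 2: return user_store(&m, 1, 0, 1);                /* write through read-only cap */
    case 3: user_store_raw(&m, 2, encode_cap(0, MEM_WORDS, PERM_READ | PERM_WRITE)); /* forgery attempt */
            return user_load(&m, 2, 0, &v);
    case 4: user_store_raw(&m, 0, 0);                      /* data store clobbers the cap */
            return user_load(&m, 0, 0, &v);
    default: return E_SLOT;
    }
}

int main(void) {
    const char *name[] = {"in-bounds rw", "out of bounds", "read-only write", "forged cap", "clobbered cap"};
    for (int i = 0; i < 5; i++) printf("%-16s -> status %d\n", name[i], scenario(i));
    return 0;
}
```

The forgery case is the point of the tag bit: the bit pattern written in scenario 3 is indistinguishable from a real capability, but because it arrived through a data store its tag is clear and the hardware refuses to dereference it. The first technique (capability-list segments) reaches the same goal by forbidding user-mode data stores to the segments that hold capabilities instead of tagging each word.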
= Capability addressing in the IBM System/38 and AS/400 =
The System/38 supported two types of object pointer, authorized pointers and unauthorized pointers; the former were the platform's implementation of capability-based addressing.{{cite book | last=Levy | first=Henry M. | title=Capability-Based Computer Systems | chapter=The IBM System/38 | chapter-url=https://homes.cs.washington.edu/~levy/capabook/Chapter8.pdf | publisher=Digital Press | date=2014-05-16 | isbn=978-1-4831-0106-4 | page=}} Both types of pointer could be manipulated only with privileged instructions, and they differed in whether object authorizations (i.e. access rights) were encoded in the pointer itself. Unauthorized pointers did not encode object authorizations, so the operating system had to check the object's authorization separately to determine whether access to the object was allowed. Authorized pointers encoded object authorizations, meaning that possession of the pointer implied access and the operating system did not need to verify authorization separately. Authorized pointers were irrevocable by design: altering an object's authorizations did not alter the authorizations already encoded in any authorized pointers that existed.
Early versions of the OS/400 operating system for the AS/400 also supported authorized pointers, and by extension capability-based addressing. However, authorized pointers were removed in the V1R3 release of OS/400, as their irrevocable nature came to be seen as a security liability.{{cite book |last=Soltis |first=Frank |year=1997 |title=Inside the AS/400 – Featuring the AS400e series |publisher=Duke Press |isbn=978-1-882419-66-1 |edition=2nd |url=https://books.google.com/books?id=5DoPAAAACAAJ}} All versions of OS/400 (later IBM i) since then rely solely on unauthorized pointers, which do not support capability-based addressing.
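The difference between the two pointer types, and why an authorized pointer cannot be revoked, can be seen in a small model. The following C program is an added illustration and is not IBM code: the object table, the two pointer structures and the function names are assumptions made for the example, with the mint_* functions standing in for the privileged instructions that create pointers.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model (not IBM's implementation): a table of each object's current
 * authorizations, maintained by the OS, plus the two pointer flavours. */
enum { AUTH_READ = 1, AUTH_WRITE = 2 };
#define N_OBJECTS 4

typedef struct { uint8_t rights[N_OBJECTS]; } auth_table;

/* Unauthorized pointer: names the object only; rights are looked up on use. */
typedef struct { uint32_t object; } unauthorized_ptr;

/* Authorized pointer: carries a copy of the rights taken when it was minted. */
typedef struct { uint32_t object; uint8_t rights; } authorized_ptr;

/* Both constructors stand in for privileged instructions. */
int mint_unauthorized(uint32_t obj, unauthorized_ptr *out) {
    if (obj >= N_OBJECTS) return -1;
    out->object = obj;
    return 0;
}
int mint_authorized(const auth_table *t, uint32_t obj, authorized_ptr *out) {
    if (obj >= N_OBJECTS) return -1;
    out->object = obj;
    out->rights = t->rights[obj];   /* snapshot: later table changes are not seen */
    return 0;
}

/* Access checks: 1 = permitted, 0 = denied. */
int use_unauthorized(const auth_table *t, unauthorized_ptr p, uint8_t need) {
    return (t->rights[p.object] & need) == need;   /* consults the live table */
}
int use_authorized(authorized_ptr p, uint8_t need) {
    return (p.rights & need) == need;              /* consults only the pointer */
}

/* Revocation edits the table, which is the only thing the OS can reach;
 * pointers already handed out are not visited. */
void revoke(auth_table *t, uint32_t obj, uint8_t rights) {
    t->rights[obj] &= (uint8_t)~rights;
}

/* Returns (permitted_before << 1) | permitted_after for one pointer flavour. */
int revocation_scenario(int authorized) {
    auth_table t = {{ AUTH_READ | AUTH_WRITE, 0, 0, 0 }};   /* object 0 starts read/write */
    unauthorized_ptr up; authorized_ptr ap;
    int before, after;
    mint_unauthorized(0, &up);
    mint_authorized(&t, 0, &ap);
    before = authorized ? use_authorized(ap, AUTH_WRITE) : use_unauthorized(&t, up, AUTH_WRITE);
    revoke(&t, 0, AUTH_WRITE);
    after  = authorized ? use_authorized(ap, AUTH_WRITE) : use_unauthorized(&t, up, AUTH_WRITE);
    return (before << 1) | after;
}

int main(void) {
    printf("unauthorized pointer, write before/after revoke = %d\n", revocation_scenario(0));
    printf("authorized pointer,   write before/after revoke = %d\n", revocation_scenario(1));
    return 0;
}
```

With the unauthorized pointer the write is permitted before revocation and denied after it (result 2), because every use consults the live table. With the authorized pointer the write is still permitted after revocation (result 3), since the rights travel inside the pointer and the OS has no record of every copy that has been handed out. That is the liability the V1R3 removal addressed.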
Chronology of systems adopting capability-based addressing
- 1969: System 250 – Plessey Company
- 1970–77: CAP computer – University of Cambridge Computer Laboratory
- 1978: System/38 – IBM
- 1980: Flex machine – Royal Signals and Radar Establishment (RSRE) Malvern
- 1981: Intel iAPX 432 – Intel
- 2014: CHERI (adds capabilities to existing ISAs for safer programming, even in C and C++)
- 2020: [https://ieeexplore.ieee.org/document/9138994/ CHEx86]
- 2022: [https://www.arm.com/architecture/cpu/morello ARM Morello] (AArch64 with CHERI capabilities)
References
{{Reflist}}
Further reading
- {{cite journal |last=Fabry |first=R. S. |year=1974 |doi=10.1145/361011.361070 |title=Capability-based addressing |journal=Communications of the ACM |volume=17 |issue=7 |pages=403–412|s2cid=5702682 |doi-access=free }}
- {{cite journal |last1=Wulf |first1=W. |author1-link=William Wulf |last2=Cohen |first2=E. |last3=Corwin |first3=W. |last4=Jones |first4=A. |last5=Levin |first5=R. |last6=Pierson |first6=C. |last7=Pollack |first7=F. |date=June 1974 |title=HYDRA: the kernel of a multiprocessor operating system |journal=Communications of the ACM |volume=17 |issue=6 |pages=337–345 |doi=10.1145/355616.364017 |s2cid=8011765 |issn=0001-0782|doi-access=free }}
- {{cite journal |last=Denning |first=P. J. |author-link=Peter J. Denning |date=December 1976 |title=Fault tolerant operating systems |journal=ACM Computing Surveys |volume=8 |issue=4 |pages=359–389 |doi=10.1145/356678.356680 |s2cid=207736773 |issn=0360-0300}}
- {{cite book |last=Levy |first=Henry M. |year=1984 |title=Capability-based computer systems |publisher=Digital Press |location=Maynard, Mass |isbn=978-0-932376-22-0 |url=http://www.cs.washington.edu/homes/levy/capabook/index.html}}
- {{cite journal |last=Linden |first=Theodore A. |date=December 1976 |title=Operating System Structures to Support Security and Reliable Software |journal=ACM Computing Surveys |pages=409–445 |volume=8 |issue=4 |doi=10.1145/356678.356682 |issn=0360-0300 |hdl=2027/mdp.39015086560037 |s2cid=16720589 |hdl-access=free}} [http://csrc.nist.gov/publications/history/lind76.pdf same document as report for US NIST]
- {{cite conference |first=Viktors |last=Berstis |url=http://doi.acm.org/10.1145/800053.801932 |title=Security and protection of data in the IBM System/38 |book-title=Proceedings of the 7th annual symposium on Computer Architecture |pages=245–252 |date=May 6–8, 1980 |location=La Baule, United States |doi=10.1145/800053.801932|doi-access=free }}
- {{cite journal |first1=W. David |last1=Sincoskie |author1-link=W. David Sincoskie |first2=David J. |last2=Farber |author2-link=Dave Farber |title=SODS/OS: Distributed Operating System for the IBM Series/1 |journal=ACM SIGOPS Operating Systems Review |volume=14 |issue=3 |pages=46–54 |date=July 1980|doi=10.1145/850697.850704 |s2cid=14245116 }}
- {{cite journal |first1=G. J. |last1=Myers |author1-link=Glenford Myers |first2=B. R. S. |last2=Buckingham |url=https://dl.acm.org/doi/10.1145/641914.641916 |title=A hardware implementation of capability-based addressing |journal=ACM SIGOPS Operating Systems Review |volume=14 |issue=4 |pages=13–25 |date=October 1980 |doi=10.1145/641914.641916|s2cid=17390439 }}
- {{cite conference |last1=Houdek |first1=M. E. |last2=Soltis |first2=F. G. |author2-link=Frank Soltis |last3=Hoffman |first3=R. L. |date=May 1981 |url=https://dl.acm.org/doi/10.5555/800052.801885 |title=IBM System/38 support for capability-based addressing |book-title=Proceedings of the 8th ACM International Symposium on Computer Architecture |publisher=ACM/IEEE |pages=341–348}}
- {{cite report |first1=G. D. |last1=Buzzard |first2=T. N. |last2=Mudge |date=August 1983 |title=Object-based Computer Systems and the Ada Programming Language |url=https://deepblue.lib.umich.edu/handle/2027.42/3992 |publisher=The University of Michigan – Computer Research Laboratory and Robotics Research Laboratory Department of Electrical and Computer Engineering |hdl=2027.42/3992}}
External links
- {{cite mailing list |url=http://www.eros-os.org/pipermail/cap-talk/2006-August/005543.html |mailing-list=cap-talk |title=On the Spread of the Capability Approach |access-date=2007-07-16 |url-status=dead |archive-url=https://archive.today/20130414173515/http://www.eros-os.org/pipermail/cap-talk/2006-August/005543.html |archive-date=2013-04-14}}
{{Object-capability security}}