Capability-based Security - Sharing of Capabilities Between Processes

Sharing of Capabilities Between Processes

In traditional operating systems, programs often communicate with each other and with storage using references like those in the first two examples. Path names are often passed as command-line parameters, sent via sockets, and stored on disk. These references are not capabilities, and must be validated before they can be used. In these systems, a central question is "on whose authority is a given reference to be evaluated?" This becomes a critical issue especially for processes which must act on behalf of two different authority-bearing entities. They become susceptible to a programming error known as the confused deputy problem, very frequently resulting in a security hole.

In a capability-based system, the capabilities themselves are passed between processes and storage using a mechanism that is known by the operating system to maintain the integrity of those capabilities.

Although many operating systems implement facilities very similar to capabilities through the use of file descriptors or file handles — for example, in UNIX, file descriptors can be discarded (closed), inherited by child processes, and even sent to other processes via sockets — there are several obstacles that prevent all of the benefits of a capability-based addressing system from being realized in a traditional operating system environment. Chief among these obstacles is the fact that entities which might hold capabilities (such as processes and files) cannot be made persistent in such a way that maintains the integrity of the secure information that a capability represents. The operating system cannot trust a user program to read back a capability and not tamper with the object reference or the access rights, and has no built-in facilities to control such tampering. Consequently, when a program wishes to regain access to an object that is referenced on disk, the operating system must have some way of validating that access request, and an access control list or similar mechanism is mandated.
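As an added example (not from the article), the UNIX mechanism mentioned above: a read-only descriptor is passed over a UNIX-domain socket as SCM_RIGHTS ancillary data, and the receiver can read through it without any path being validated, while the access right (read-only) travels with the reference because the kernel, not user code, carries it. The two ends of a socketpair stand in for two processes; a Unix host is assumed.

```python
import array
import os
import socket
import tempfile

SAMPLE = b"quarterly report (constructed sample)\n"  # constructed content


def open_readonly_sample():
    """Create a temp file holding SAMPLE and return a read-only descriptor to it."""
    fd, path = tempfile.mkstemp()
    os.write(fd, SAMPLE)
    os.close(fd)
    ro_fd = os.open(path, os.O_RDONLY)
    os.unlink(path)  # no path remains: only the descriptor grants access
    return ro_fd


def send_capability(sock, fd):
    """Pass a descriptor over a UNIX-domain socket as SCM_RIGHTS ancillary data."""
    rights = array.array("i", [fd])
    sock.sendmsg([b"cap"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def recv_capability(sock):
    """Receive one descriptor; the kernel, not the sender, installs it in our fd table."""
    fds = array.array("i")
    data, ancdata, _flags, _addr = sock.recvmsg(16, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, payload in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(payload[: len(payload) - (len(payload) % fds.itemsize)])
            return data, fds[0]
    raise RuntimeError("no descriptor received")


def demo():
    """Sender and receiver joined by a socketpair (stands in for two processes)."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    orig_fd = open_readonly_sample()
    send_capability(sender, orig_fd)
    _data, new_fd = recv_capability(receiver)
    content = os.pread(new_fd, 1024, 0)  # the reference works without a path check...
    try:
        os.write(new_fd, b"tamper")  # ...but the read-only right travelled with it
        write_allowed = True
    except OSError:
        write_allowed = False
    for fd in (orig_fd, new_fd):
        os.close(fd)
    sender.close()
    receiver.close()
    return {"content": content, "write_allowed": write_allowed, "new_fd_differs": new_fd != orig_fd}
```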

One novel approach to solving this problem involves the use of an orthogonally persistent operating system (this was realised in the Flex machine; see Ten15). In such a system, there is no need for entities to be discarded and their capabilities invalidated, and hence no need for an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times, in part by performing all serialization tasks itself rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an access control mechanism.
