Capability Myths Demolished

We address three common misconceptions about capability-based systems: the Equivalence Myth (access control list systems and capability systems are formally equivalent), the Confinement Myth (capability systems cannot enforce confinement), and the Irrevocability Myth (capability-based access cannot be revoked). The Equivalence Myth obscures the benefits of capabilities as compared to access control lists, while the Confinement Myth and the Irrevocability Myth lead people to see problems with capabilities that do not actually exist. The prevalence of these myths is due to differing interpretations of the capability security model. To clear up the confusion, we examine three different models that have been used to describe capabilities, and define a set of seven security properties that capture the distinctions among them. Our analysis in terms of these properties shows that pure capability systems have significant advantages over access control list systems: capabilities provide much better support for least-privilege operation and for avoiding confused deputy problems.
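As an added illustration (not code from the paper), the following toy Python model shows two of the points the abstract makes: Hardy's confused-deputy scenario, in which a compiler that may write a billing file is induced to do so by a caller that merely names that file, contrasted with a capability-passing deputy that can write only where its caller already could; and revocation of a capability through a forwarding "caretaker" object. The file names, the principals "compiler" and "bob", and the WriteCap and Caretaker classes are all constructed for the example.

```python
"""Toy model: the confused deputy under ACLs vs. capability passing, plus a revocable forwarder.
Constructed for illustration: "files" are dict entries; "compiler" and "bob" are made-up principals."""
def write_as(fs: dict, acl: dict, principal: str, path: str, data: str) -> None:
    """ACL check: authority is looked up by the identity of the writer."""
    if principal not in acl.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    fs[path] = data

def compile_acl(fs: dict, acl: dict, source: str, output_path: str) -> None:
    """ACL-style deputy: the caller designates the output by name, but the
    write is checked against the compiler's identity, so a caller who names
    /billing/log borrows the compiler's authority (confused deputy)."""
    write_as(fs, acl, "compiler", output_path, f"BINARY({source})")

class WriteCap:
    """Capability: designation and authority travel together."""
    def __init__(self, fs: dict, path: str) -> None:
        self._fs, self._path = fs, path
    def write(self, data: str) -> None:
        self._fs[self._path] = data

class Caretaker:
    """Revocable forwarder: share the caretaker, keep the real capability."""
    def __init__(self, target: WriteCap) -> None:
        self._target = target
    def write(self, data: str) -> None:
        if self._target is None:
            raise PermissionError("capability revoked")
        self._target.write(data)
    def revoke(self) -> None:
        self._target = None

def compile_cap(source: str, output) -> None:
    """Capability-style deputy: it can write only where the caller could."""
    output.write(f"BINARY({source})")

def demo() -> dict:
    acl = {"/billing/log": {"compiler"}, "/home/bob/out": {"bob"}}
    fs_acl = {"/billing/log": "billing records", "/home/bob/out": ""}
    compile_acl(fs_acl, acl, "x=1", "/billing/log")  # bob names the billing log
    fs_cap = {"/billing/log": "billing records", "/home/bob/out": ""}
    bob_out = Caretaker(WriteCap(fs_cap, "/home/bob/out"))  # all bob holds
    compile_cap("x=1", bob_out)
    bob_out.revoke()
    try:
        compile_cap("x=2", bob_out); revoked = False
    except PermissionError:
        revoked = True
    return {"acl_billing": fs_acl["/billing/log"], "cap_billing": fs_cap["/billing/log"],
            "cap_bob": fs_cap["/home/bob/out"], "revoked": revoked}
```

Under the ACL check the billing log is overwritten because the compiler's own identity authorises the write; under capability passing bob can only hand over a capability he holds, and once the caretaker is revoked further writes through it fail.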
