Capability-based addressing
In computer science, capability-based addressing is a scheme used by some computers to control access to memory as an efficient implementation of capability-based security. Under a capability-based addressing scheme, pointers are replaced by protected objects (called capabilities) that can be created only through privileged instructions, which may be executed only by the kernel or by some other privileged process authorised to do so. Thus, a kernel can limit the access of application code and other subsystems to the minimum necessary portions of memory (and disable write access where appropriate), without needing separate address spaces and therefore without requiring a context switch on each access.
Practical implementations
Two techniques are available for implementation:
- Require capabilities to be stored in a particular area of memory that cannot be written to by the process that will use them. For example, the Plessey System 250 required that all capabilities be stored in capability-list segments.
- Extend memory with an additional bit, writable only in supervisor mode, that indicates that a particular location is a capability. This is a generalization of the use of tag bits to protect segment descriptors in the Burroughs large systems, and it was used to protect capabilities in the IBM System/38.
The designers of the System/38's descendant systems, including AS/400 and IBM i, removed capability-based addressing. The reason given for this decision is that they could find no way to revoke capabilities[1] (although patterns for implementing revocation in capability systems had been published as early as 1974,[2] even before the introduction of the System/38).
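The following is an added illustration, not code from any of the systems named on this page: a small C model of the second implementation technique (a tag bit on every memory word that only supervisor mode may set), showing why unprivileged code can neither forge nor widen a capability, and how a supervisor-mode sweep can revoke capabilities to a region. The sweep is one possible revocation strategy chosen for the example; it is an assumption of the model and not a description of the 1974 scheme the page refers to. The memory size, permission bits and slot numbers are all constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of a capability machine with tagged memory.
 * Added illustration only; not the design of CHERI, System/38 or any real ISA. */
#define MEM_WORDS 32
enum { PERM_READ = 1u, PERM_WRITE = 2u };

typedef struct { uint32_t base, length, perms; } cap_t;   /* bounds plus rights */

/* Every word carries a tag bit: set only in supervisor mode, cleared by any
 * ordinary data store, so data can never be reinterpreted as a capability. */
typedef struct { uint32_t data; cap_t cap; bool tag; } word_t;

static word_t mem[MEM_WORDS];
static bool supervisor_mode = false;   /* models the privileged-mode bit */

/* Supervisor-only: mint a fresh capability into word `slot`. */
static bool cap_mint(uint32_t slot, uint32_t base, uint32_t length, uint32_t perms) {
    if (!supervisor_mode || slot >= MEM_WORDS) return false;
    if (base + length < base || base + length > MEM_WORDS) return false;
    mem[slot].cap = (cap_t){base, length, perms};
    mem[slot].tag = true;
    return true;
}

/* Unprivileged: copy the capability in `src` to `dst` with equal or narrower
 * bounds and rights. Any attempt to widen is refused (monotonicity). */
static bool cap_restrict(uint32_t src, uint32_t dst, uint32_t base, uint32_t length, uint32_t perms) {
    if (src >= MEM_WORDS || dst >= MEM_WORDS || !mem[src].tag) return false;
    const cap_t *c = &mem[src].cap;
    if (base < c->base || base + length < base || base + length > c->base + c->length) return false;
    if (perms & ~c->perms) return false;
    mem[dst].cap = (cap_t){base, length, perms};
    mem[dst].tag = true;
    return true;
}

/* Raw data store: writing data over a word clears its tag. */
static void raw_store_data(uint32_t addr, uint32_t value) {
    mem[addr].data = value;
    mem[addr].tag = false;
}

/* Bounds and permission check applied to every load and store. */
static bool cap_check(uint32_t cap_slot, uint32_t addr, uint32_t need) {
    if (cap_slot >= MEM_WORDS || !mem[cap_slot].tag) return false;   /* untagged word: not a capability */
    const cap_t *c = &mem[cap_slot].cap;
    return (c->perms & need) == need && addr >= c->base && addr - c->base < c->length;
}

static bool cap_load(uint32_t cap_slot, uint32_t addr, uint32_t *out) {
    if (!cap_check(cap_slot, addr, PERM_READ)) return false;
    *out = mem[addr].data;
    return true;
}
static bool cap_store(uint32_t cap_slot, uint32_t addr, uint32_t value) {
    if (!cap_check(cap_slot, addr, PERM_WRITE)) return false;
    raw_store_data(addr, value);
    return true;
}

/* Supervisor-only revocation by tag sweep: clear every stored capability that
 * overlaps [base, base+length). An assumed strategy for this example only.
 * Returns the number cleared, or -1 when called without privilege. */
static int cap_revoke_region(uint32_t base, uint32_t length) {
    if (!supervisor_mode) return -1;
    int cleared = 0;
    for (uint32_t i = 0; i < MEM_WORDS; i++) {
        const cap_t *c = &mem[i].cap;
        if (mem[i].tag && c->base < base + length && base < c->base + c->length) {
            mem[i].tag = false;
            cleared++;
        }
    }
    return cleared;
}

/* Scenario: the kernel gives an application a read/write window over words
 * 16..23; the application can narrow it but not widen it, cannot forge one
 * with a data store, and loses access once the kernel revokes the window. */
static bool run_scenario(void) {
    memset(mem, 0, sizeof mem);
    uint32_t v = 0;
    supervisor_mode = true;
    bool ok = cap_mint(0, 16, 8, PERM_READ | PERM_WRITE);
    supervisor_mode = false;
    ok = ok && cap_store(0, 20, 0xABCD) && cap_load(0, 20, &v) && v == 0xABCD;
    ok = ok && !cap_store(0, 24, 1);                    /* one word past the end: rejected */
    ok = ok && cap_restrict(0, 1, 18, 2, PERM_READ);    /* derive a read-only pair of words */
    ok = ok && !cap_restrict(1, 2, 18, 2, PERM_WRITE);  /* cannot regain write permission */
    ok = ok && !cap_store(1, 18, 5) && cap_load(1, 18, &v);
    raw_store_data(3, 0xDEADBEEF);                      /* data that looks like a capability... */
    ok = ok && !cap_load(3, 16, &v);                    /* ...is untagged, so it is refused */
    ok = ok && !cap_mint(4, 0, MEM_WORDS, PERM_READ);   /* unprivileged mint refused */
    supervisor_mode = true;
    ok = ok && cap_revoke_region(16, 8) == 2;           /* both capabilities cleared */
    supervisor_mode = false;
    return ok && !cap_load(0, 20, &v);                  /* revoked: access denied */
}
```

The model keeps the tag outside the data field, which is what makes the tag bit "writable only in supervisor mode" in the sense of the second technique: no unprivileged instruction in the model can set it, and every data store clears it. The first technique (capability-list segments, as in the Plessey System 250) would instead partition `mem` into data words and capability words and refuse data stores to the latter; the checks in `cap_check` and `cap_restrict` would be unchanged.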
Chronology of systems adopting capability-based addressing
- 1969: System 250 – Plessey Company
- 1970–77: CAP computer – University of Cambridge Computer Laboratory
- 1978: System/38 – IBM
- 1980: Flex machine – Royal Signals and Radar Establishment (RSRE) Malvern
- 1981: Intel iAPX 432 – Intel
- 2014: CHERI (adds capabilities to existing ISAs for safer programming, even in C and C++)
- 2020: CHEx86
- 2022: ARM Morello (AArch64 with CHERI capabilities)
Notes
- Soltis, Frank G. Fortress Rochester: The Inside Story of the IBM iSeries. pp. 119, 283.
- Redell, David D. (November 1974). "Naming and Protection in Extendable Operating Systems". PhD. Thesis, also published as Project MAC TR-140. Massachusetts Institute of Technology (MIT) – via Association for Computing Machinery.