Capability is a term of art in computer security, specifically in the context of capability systems. I'll assume the reader is familiar with the Unix security model, or something like it, and explain why a capability system is strikingly different from the systems most of us are used to.

At bottom, a capability is an unforgeable token that states, for example, that a particular process is allowed to access and/or modify some resource (a file, a TCP socket, the screen). The important property is that holding the token and having the access are the same thing: a process that holds a capability can exercise it, and one that does not cannot, with no separate lookup of "who is asking" against a permission list. Typically, one process can transfer (in a controlled way) some of its capabilities to another process, and often hands over a weaker version rather than the whole thing (a read-only view of a file, say). In one sense you could think of Unix uids and gids as capabilities, though a real capability is usually much finer grained: it names one resource and one set of operations on it, not an identity.

Consider, for example, an SMTP server running on a capability system. It would be given the ability to write to users' mailbox files, the ability to read (but not write) its configuration file, the ability to listen on TCP port 25, and that's about it. No matter how many bugs you could find in the implementation, all you would be able to do is write junk into someone's mailbox or stop the server from listening for mail. Unlike a bug in, say, a sendmail running as root, you could not execute another program or modify other files, because the process holds no capability that permits those operations, regardless of what code ends up running inside it. But what if you want procmail? No problem: instead of being given the ability to write to users' mailbox files, the server is given the ability to pass messages to each user's procmail process. Each of those processes, in turn, holds the ability to write to its own owner's mailbox file, and nothing more, so a compromised server still cannot reach any mailbox directly. There are other, much cooler, things you can do with this, which you can read about at the referenced sites.
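The SMTP/procmail arrangement above, written out as an object-capability model in Python. This is an added example, not code from the original writeup or from any real capability operating system: it treats a capability as a Python object reference, so a component can only do what the objects it was handed allow, and there is deliberately no global way (no `open()`, no "find mailbox by name") to conjure one up. The names `Mailbox`, `ReadOnlyFile`, `DeliverTo`, `ProcmailFilter` and `SmtpServer` are invented for illustration.

```python
"""Object-capability sketch of the SMTP/procmail scenario (added example).

Capabilities are modelled as object references. The server is constructed
with exactly the references it needs and nothing else; every other class
and the mailboxes themselves are unreachable from inside it.
"""


class Mailbox:
    """Write capability for one user's mailbox. Holding the object *is* the
    authority; there is no separate ownership or permission check."""

    def __init__(self, owner):
        self.owner = owner
        self.messages = []

    def append(self, msg):
        self.messages.append(msg)


class ReadOnlyFile:
    """Attenuated capability: exposes read() only. A holder can be handed
    this without also gaining the ability to change the contents."""

    def __init__(self, contents):
        self._contents = contents

    def read(self):
        return self._contents


class ProcmailFilter:
    """Holds the write capability for exactly one mailbox and applies
    the owner's filtering rules before using it."""

    def __init__(self, mailbox, drop_subjects):
        self._mailbox = mailbox
        self._drop = set(drop_subjects)

    def process(self, msg):
        if msg["subject"] in self._drop:
            return False          # dropped by the user's rules
        self._mailbox.append(msg)
        return True


class DeliverTo:
    """The only thing the server gets per user in the procmail variant:
    a handle that forwards to one filter. No Mailbox is reachable here."""

    def __init__(self, filt):
        self._filt = filt

    def deliver(self, msg):
        return self._filt.process(msg)


class SmtpServer:
    """Holds a read-only config and one DeliverTo per known user.
    A full compromise of this object yields exactly that and no more."""

    def __init__(self, config, deliverers):
        self._config = config
        self._deliverers = dict(deliverers)   # user -> DeliverTo

    def listen_port(self):
        return int(self._config.read().split("=")[1])

    def handle(self, rcpt, msg):
        if rcpt not in self._deliverers:
            return False          # unknown recipient: nothing to exercise
        return self._deliverers[rcpt].deliver(msg)

    def reachable_authority(self):
        """What an attacker who owns the server can enumerate: the users it
        may deliver to. No mailbox, no other file, no way to exec."""
        return sorted(self._deliverers)


def build_system():
    """Wire the scenario: each filter gets its own mailbox, the server gets
    only DeliverTo handles plus a read-only config (constructed data)."""
    config = ReadOnlyFile("listen=25")
    boxes = {u: Mailbox(u) for u in ("alice", "bob")}
    filters = {
        "alice": ProcmailFilter(boxes["alice"], drop_subjects={"SPAM"}),
        "bob": ProcmailFilter(boxes["bob"], drop_subjects=()),
    }
    server = SmtpServer(config, {u: DeliverTo(f) for u, f in filters.items()})
    return server, boxes


def demo():
    """Deliver three constructed messages; return what landed where and
    what authority the server itself can reach."""
    server, boxes = build_system()
    server.handle("alice", {"subject": "hello", "body": "hi"})
    server.handle("alice", {"subject": "SPAM", "body": "buy now"})
    server.handle("bob", {"subject": "hello", "body": "hi"})
    delivered = {u: [m["subject"] for m in b.messages] for u, b in boxes.items()}
    return delivered, server.reachable_authority()
```

The point of the structure is that `SmtpServer` never receives a `Mailbox`, so even arbitrary code running inside it has nothing to write mailboxes with; attenuation (`ReadOnlyFile`) and delegation (`DeliverTo` wrapping a `ProcmailFilter`) are the two moves the prose describes. The obvious caveat is that Python does not enforce any of this: underscores are convention, and reflection or `gc` can walk to any object. A real capability system puts that enforcement in the kernel (EROS, KeyKOS) or in a language designed for it (E), which is exactly what makes the argument above hold there and not here.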

There has been some work on grafting a capability-like system onto Unix machines, primarily the POSIX.1e draft, which was never finalized. Nonetheless, several systems (including Linux and Solaris) implement parts of the API described in the draft standard. These "capabilities" are privilege bits attached to a process rather than transferable references to particular objects, and they are much coarser than those of a true capability system, but they can still provide a substantial benefit to system security. They cover things like binding to reserved TCP and UDP ports and common administrative tasks (setting the system time, configuring the network), and so on. At the time of writing the support was a bit iffy, and it was hoped that ext3 would soon support associating particular capabilities with a program, meaning the end of most setuid-root programs. That has since happened: Linux 2.6.24 added file capabilities, stored in the security.capability extended attribute and set with setcap(8), so a daemon can be installed with just the bit it needs instead of being setuid root.
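A practical check for the Linux side of this: the kernel reports each process's capability sets as 64-bit hex masks in /proc/&lt;pid&gt;/status (CapInh, CapPrm, CapEff, CapBnd, CapAmb), where bit n is the capability numbered n in &lt;linux/capability.h&gt;. The following is an added example, not from the original writeup, that decodes those masks and reports which bits a daemon holds beyond what it actually needs. The status text embedded below is constructed to look like a root-owned smtpd, not captured from a real process.

```python
"""Decode Linux capability masks from /proc/<pid>/status (added example).

Capability numbering follows <linux/capability.h>; bit 10 is
CAP_NET_BIND_SERVICE, the one an SMTP daemon needs to bind port 25.
"""
import re

# Capability names indexed by bit number, as in <linux/capability.h>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",
    "audit_write", "audit_control", "setfcap", "mac_override",
    "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",
    "perfmon", "bpf", "checkpoint_restore",
]


def decode_mask(mask_hex):
    """Hex mask -> list of capability names, lowest bit first.
    Bits beyond the known table are reported as cap_<n> (newer kernel)."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def encode_mask(names):
    """Capability names -> 16-digit hex mask as /proc prints it."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return f"{mask:016x}"


def parse_status(text):
    """Pull every Cap* line out of a /proc/<pid>/status dump."""
    sets = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M):
        sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def excess_capabilities(status_text, needed):
    """Effective capabilities held beyond the set the service needs.
    A non-empty result is the list of things a bug could be turned into."""
    effective = set(parse_status(status_text).get("CapEff", []))
    return sorted(effective - set(needed))


# Constructed sample: what a daemon started as root looks like on a kernel
# with 41 capabilities (bits 0..40 all set in Prm/Eff/Bnd).
SAMPLE_ROOT_STATUS = (
    "Name:\tsmtpd\n"
    "Pid:\t4242\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

# The only bit the SMTP daemon from the text actually needs.
SMTPD_NEEDS = ["net_bind_service"]

if __name__ == "__main__":
    print("wanted mask:", encode_mask(SMTPD_NEEDS))
    print("excess:", excess_capabilities(SAMPLE_ROOT_STATUS, SMTPD_NEEDS))
```

On a live system the same check is `grep ^Cap /proc/$$/status` followed by `capsh --decode=<mask>`; the mask this code computes for the daemon (`0000000000000400`) is the one you would expect to see in CapEff after installing the binary with `setcap cap_net_bind_service=+ep /path/to/smtpd` and running it as an unprivileged user. Note the distance between this and the capability system described earlier: even a correctly minimised Linux daemon still has ordinary uid-based access to every file its user can open, because these bits restrict privileged operations, not object reachability.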

So does this stuff really work? Well, KeyKOS, an early capability system, was used by Visa for many years to process most of its transaction workload, and was by all reports rock solid (consider how much money Visa loses if it is unable to process transactions for even an hour).

Probably the best-known capability system right now is EROS, which is being developed at the Johns Hopkins University Information Security Institute (JHUISI), led by Jonathan Shapiro. Another very interesting project is E (E-lang), a scripting language built around capabilities. There are, however, many other systems, most of which are in fairly early stages of development. The military, and other security-sensitive organizations, are very interested in the guarantees these systems can offer their users, and are at this time the primary source of funding for new research.

References

  • http://www.eros-os.org/
  • http://www.erights.org/elang/
  • http://wt.xpilot.org/publications/posix.1e/
  • http://www.capsecure.org/
  • "Verifying Operating System Security", J. S. Shapiro and S. Weber, University of Pennsylvania Technical Report.

Ca`pa*bil"i*ty, n.; pl. Capabilities.

1. The quality of being capable; capacity; capableness; esp. intellectual power or ability.

A capability to take a thousand views of a subject. H. Taylor.

2. Capacity of being used or improved.


© Webster 1913.
