Capability-based addressing

Last updated December 27, 2023

In computer science, capability-based addressing is a scheme used by some computers to control access to memory as an efficient implementation of capability-based security. Under a capability-based addressing scheme, pointers are replaced by protected objects (named capabilities) which specify both a location in memory, along with access rights which define the set of operations which can be carried out on the memory location.^[1] Capabilities can only be created or modified through the use of privileged instructions which may be executed only by either the kernel or some other privileged process authorised to do so. Thus, a kernel can limit application code and other subsystems access to the minimum necessary portions of memory (and disable write access where appropriate), without the need to use separate address spaces and therefore require a context switch when an access occurs.

Practical implementations

Two techniques are available for implementation:

Require capabilities to be stored in a particular area of memory that cannot be written to by the process that will use them. For example, the Plessey System 250 required that all capabilities be stored in capability-list segments.
Extend memory with an additional bit, writable only in supervisor mode, that indicates that a particular location is a capability. This is a generalization of the use of tag bits to protect segment descriptors in the Burroughs large systems, and it was used to protect capabilities in the IBM System/38.

Capability addressing in the IBM System/38 and AS/400

The System/38 CPF operating system supported two types of object pointer – authorized pointers, and unauthorized pointers, the former was the platform's implementation of capability-based addressing.^[2] Both types of pointer could only be manipulated using privileged instructions, and differed only by whether or not object authorizations (i.e. access rights) were encoded in the contents of the pointer. Unauthorized pointers did not encode object authorizations, and required the operating system to check the object's authorization separately to determine if access to the object was allowed. Authorized pointers encoded object authorizations, meaning that possession of the pointer implied access, and the operating system was not required to verify authorization separately. Authorized pointers were irrevocable by design - if the object's authorizations were altered, it would not alter the encoded authorizations in any authorized pointers which already existed.

Early versions of the OS/400 operating system for the AS/400 also supported authorized pointers, and by extension capability-based addressing. However, authorized pointers were removed in the V1R3 release of OS/400 as their irrevocable nature became seen as a security liability.^[3] All versions of OS/400 (later IBM i) since rely solely on unauthorized pointers which do not support capability-based addressing.

Chronology of systems adopting capability-based addressing

1969: System 250 – Plessey Company
1970–77: CAP computer – University of Cambridge Computer Laboratory
1978: System/38 – IBM
1980: Flex machine – Royal Signals and Radar Establishment (RSRE) Malvern
1981: Intel iAPX 432 – Intel
2014: CHERI (adds capabilities to existing ISAs for safer programming, even in C and C++)
2020: CHEx86
2022: ARM Morello (AArch64 with CHERI capabilities)

Related Research Articles

<span class="mw-page-title-main">Microkernel</span> Kernel that provides fewer services than a traditional kernel

In computer science, a microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system (OS). These mechanisms include low-level address space management, thread management, and inter-process communication (IPC).

In computing, a virtual machine (VM) is the virtualization or emulation of a computer system. Virtual machines are based on computer architectures and provide the functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination of the two. Virtual machines differ and are organized by their function, shown here:

In computing, virtual memory, or virtual storage, is a memory management technique that provides an "idealized abstraction of the storage resources that are actually available on a given machine" which "creates the illusion to users of a very large (main) memory".

Memory management is a form of resource management applied to computer memory. The essential requirement of memory management is to provide ways to dynamically allocate portions of memory to programs at their request, and free it for reuse when no longer needed. This is critical to any advanced computer system where more than a single process might be underway at any time.

Exokernel is an operating system kernel developed by the MIT Parallel and Distributed Operating Systems group, and also a class of similar operating systems.

In computer architecture, 64-bit integers, memory addresses, or other data units are those that are 64 bits wide. Also, 64-bit central processing units (CPU) and arithmetic logic units (ALU) are those that are based on processor registers, address buses, or data buses of that size. A computer that uses such a processor is a 64-bit computer.

<span class="mw-page-title-main">IBM i</span> Operating system

IBM i is an operating system developed by IBM for IBM Power Systems. It was originally released in 1988 as OS/400, as the sole operating system of the IBM AS/400 line of systems. It was renamed to i5/OS in 2004, before being renamed a second time to IBM i in 2008. It is an evolution of the System/38 CPF operating system, with compatibility layers for System/36 SSP and AIX applications. It inherits a number of distinctive features from the System/38 platform, including the Machine Interface, the implementation of object-based addressing on top of a single-level store, and the tight integration of a relational database into the operating system.

In computer science, read-copy-update (RCU) is a synchronization mechanism that avoids the use of lock primitives while multiple threads concurrently read and update elements that are linked through pointers and that belong to shared data structures.

The System/38 is a discontinued minicomputer and midrange computer manufactured and sold by IBM. The system was announced in 1978. The System/38 has 48-bit addressing, which was unique for the time, and a novel integrated database system. It was oriented toward a multi-user system environment. At the time, the typical system handled from a dozen to several dozen terminals. Although the System/38 failed to displace the systems it was intended to replace, its architecture served as the basis of the much more successful IBM AS/400.

Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself. Protection may encompass all accesses to a specified area of memory, write accesses, or attempts to execute the contents of the area. An attempt to access unauthorized memory results in a hardware fault, e.g., a segmentation fault, storage violation exception, generally causing abnormal termination of the offending process. Memory protection for computer security includes additional techniques such as address space layout randomization and executable space protection.

Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Access Control Lists.

Peter James Denning is an American computer scientist and writer. He is best known for pioneering work in virtual memory, especially for inventing the working-set model for program behavior, which addressed thrashing in operating systems and became the reference standard for all memory management policies. He is also known for his works on principles of operating systems, operational analysis of queueing network systems, design and implementation of CSNET, the ACM digital library, and codifying the great principles of computing. He has written numerous influential articles and books, including an overview of fundamental computer science principles, computational thinking, and his thoughts on innovation as a set of learnable practices.

K42 is a discontinued open-source research operating system (OS) for cache-coherent 64-bit multiprocessor systems. It was developed primarily at IBM Thomas J. Watson Research Center in collaboration with the University of Toronto and University of New Mexico. The main focus of this OS is to address performance and scalability issues of system software on large-scale, shared memory, non-uniform memory access (NUMA) multiprocessing computers.

A hypervisor is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Unlike an emulator, the guest executes most instructions on the native hardware. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and macOS instances can all run on a single physical x86 machine. This contrasts with operating-system–level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.

Jochen Liedtke was a German computer scientist, noted for his work on microkernel operating systems, especially in creating the L4 microkernel family.

In computer science, a single address space operating system is an operating system that provides only one globally shared address space for all processes. In a single address space operating system, numerically identical logical addresses in different processes all refer to exactly the same byte of data.

Gernot Heiser is a Scientia Professor and the John Lions Chair for operating systems at UNSW Sydney, where he leads the Trustworthy Systems group (TS).

In computer sciences, the separation of protection and security is a design choice. Wulf et al. identified protection as a mechanism and security as a policy, therefore making the protection-security distinction a particular case of the separation of mechanism and policy principle. Many frameworks consider both as security controls of varying types. For example, protection mechanisms would be considered technical controls, while a policy would be considered an administrative control.

The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. The kernel is also responsible for preventing and mitigating conflicts between different processes. It is the portion of the operating system code that is always resident in memory and facilitates interactions between hardware and software components. A full kernel controls all hardware resources via device drivers, arbitrates conflicts between processes concerning such resources, and optimizes the utilization of common resources e.g. CPU & cache usage, file systems, and network sockets. On most systems, the kernel is one of the first programs loaded on startup. It handles the rest of startup as well as memory, peripherals, and input/output (I/O) requests from software, translating them into data-processing instructions for the central processing unit.

iMAX 432 was an operating system developed by Intel for digital electronic computers based on the 1980s Intel iAPX 432 32-bit microprocessor. The term micromainframe was an Intel marketing designation describing the iAPX 432 processor's capabilities as being comparable to a mainframe. The iAPX 432 processor and the iMAX 432 operating system were incompatible with the x86 architecture commonly found in personal computers. iMAX 432 was implemented in a subset of the original (1980) version of the Ada, extended with runtime type checking and dynamic package creation.

References

↑ Levy, Henry M. (2014-05-16). "Capability and Object-Based System Concepts" (PDF). Capability-Based Computer Systems. Digital Press. p. 3-4. ISBN 978-1-4831-0106-4.
↑ Levy, Henry M. (2014-05-16). "The IBM System/38" (PDF). Capability-Based Computer Systems. Digital Press. ISBN 978-1-4831-0106-4.
↑ Soltis, Frank (1997). Inside the AS/400 – Featuring the AS400e series (2nd ed.). Duke Press. ISBN 978-1-882419-66-1.

External links

"On the Spread of the Capability Approach". cap-talk (Mailing list). Archived from the original on 2013-04-14. Retrieved 2007-07-16.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Levy, Henry M. (2014-05-16). "Capability and Object-Based System Concepts" (PDF). Capability-Based Computer Systems. Digital Press. p. 3-4. ISBN 978-1-4831-0106-4.

[2] Levy, Henry M. (2014-05-16). "The IBM System/38" (PDF). Capability-Based Computer Systems. Digital Press. ISBN 978-1-4831-0106-4.

[3] Soltis, Frank (1997). Inside the AS/400 – Featuring the AS400e series (2nd ed.). Duke Press. ISBN 978-1-882419-66-1.

[1]

[2]

[3]

v t e Object-capability security
Concepts	Principle of least privilege (PoLP) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames
Operating systems, kernels	Capsicum Fuchsia Genode GNOSIS → KeyKOS → EROS → CapROS Hydra iMAX 432 Midori NLTSS seL4 HarmonyOS NEXT
Programming languages	Cajita E Joe-E Joule
File systems	Tahoe-LAFS
Specialised hardware	BiiN Cambridge CAP Flex IBM System/38 Intel iAPX 432 Plessey System 250