Page 202 - DCAP403_Operating System

Unit 10: System Protection




10.7 Capability-based System


Capability-based systems differ significantly from conventional computer systems. Capabilities provide (1) a single mechanism to address both primary and secondary memory, and (2) a single mechanism to address both hardware and software resources. While solving many difficult problems in complex system design, capability systems introduce new challenges of their own. Conceptually, a capability is a token, ticket, or key that gives the possessor permission to access an entity or object in a computer system. A capability is implemented as a data structure that contains two items of information: a unique object identifier and access rights, as shown in Figure 10.1.
Figure 10.1: A Capability

[Figure: a capability drawn as two fields, "Access rights" and "Unique object identifier"; the identifier points to "An object".]


The identifier addresses or names a single object in the computer system. An object, in this context, can be any logical or physical entity, such as a segment of memory, an array, a file, a line printer, or a message port. The access rights define the operations that can be performed on that object.

Example: The access rights can permit read-only access to a memory segment or send-and-receive access to a message port.

Each user, program, or procedure in a capability system has access to a list of capabilities. These capabilities identify all of the objects which that user, program, or procedure is permitted to access. To specify an object, the user provides the index of a capability in the list.


Example: To output a record to a file, the user might call the file system as follows:

PUT( file-capability , "this is a record" );

The capability specified in the call serves two purposes. First, it identifies the file to be written. Second, it indicates whether the operation to be performed (PUT in this case) is permitted.
A capability thus provides addressing and access rights to an object. Capabilities are the basis for object protection; a program cannot access an object unless its capability list contains a suitably privileged capability for the object. Therefore, the system must prohibit a program from directly modifying the bits in a capability. If a program could modify the bits in a capability, it could forge access to any object in the system by changing the identifier and access rights fields.

Capability system integrity is usually maintained by prohibiting direct program modification of the capability list. The capability list is modified only by the operating system or the hardware. However, programs can obtain new capabilities by executing operating system or hardware operations.
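To make the mechanism concrete, here is an added example (not from the textbook) that simulates a kernel-held capability list in Python: a capability is an immutable (object identifier, access rights) pair that only the simulated kernel can mint, a program names a file by its index in the list, and `put` performs the addressing and the rights check in one step, as the PUT call above does. The `create_file` routine models the file-creation case discussed next; the `grant` operation, which copies a capability to another program with a subset of the giver's rights, is an assumption added for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 1, 2           # access-right bits (constructed for this example)

@dataclass(frozen=True)      # frozen: a program holding the record cannot rewrite its fields
class Capability:
    object_id: int           # unique object identifier
    rights: int              # access rights, a mask of READ / WRITE

class CapabilityKernel:
    """Simulated OS kernel: owns every object and every program's capability list."""
    def __init__(self):
        self._objects = {}   # object_id -> file contents (a list of records)
        self._clists = {}    # program name -> its capability list
        self._next_id = 1

    def create_file(self, program):
        """Like the 'create a new file' routine: mint a capability and store it in the caller's list."""
        oid, self._next_id = self._next_id, self._next_id + 1
        self._objects[oid] = []
        clist = self._clists.setdefault(program, [])
        clist.append(Capability(oid, READ | WRITE))
        return len(clist) - 1         # the program names the file by this index from now on

    def _resolve(self, program, index, needed):
        # Addressing and the rights check happen in one step, as the text describes.
        try:
            cap = self._clists[program][index]
        except (KeyError, IndexError):
            raise PermissionError("no capability at that index")
        if (cap.rights & needed) != needed:
            raise PermissionError("capability does not permit this operation")
        return self._objects[cap.object_id]

    def put(self, program, index, record):
        """PUT(file-capability, record): proceeds only if the capability permits writing."""
        self._resolve(program, index, WRITE).append(record)

    def get(self, program, index):
        return list(self._resolve(program, index, READ))

    def grant(self, giver, index, receiver, rights):
        """Kernel operation (an assumption here): copy a capability to another program with a subset of rights."""
        cap = self._clists[giver][index]
        if (cap.rights & rights) != rights:
            raise PermissionError("cannot grant rights the giver does not hold")
        rlist = self._clists.setdefault(receiver, [])
        rlist.append(Capability(cap.object_id, rights))
        return len(rlist) - 1
```

A program never sees object identifiers directly, only indices into its own list, so it cannot forge a capability for an object it was never given.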

Example: When a program calls an operating system routine to create a new file, the operating system stores a capability for that file in the program's capability list.

A capability system also provides other capability operations. Examples include operations to:
1. Move capabilities to different locations in a capability list.




                                           LOVELY PROFESSIONAL UNIVERSITY                                   195