Page 203 - DCAP403_Operating System
2. Delete a capability.
3. Restrict the rights in a capability, producing a less-privileged version.
4. Pass a capability as a parameter to a procedure.
5. Transmit a capability to another user in the system.
Thus, a program can execute direct control over the movement of capabilities and can share
capabilities, and therefore, objects, with other programs and users.
It is possible for a user to have several capability lists. One list will generally be the master
capability list containing capabilities for secondary lists, and so on. This structure is similar to a
multi-level directory system, but, while directories address only files, capabilities address objects
of many types.
The other way to manage the access control matrix is to store it by rows. These are called capabilities. In the
example in Table 10.3, Bob’s capabilities would be as shown in Table 10.4.
Table 10.3: Naive Access Control Matrix

        Operating System   Accounts Program   Accounting Data   Audit Trail
Sam     rwx                rwx                rw                r
Alice   x                  x                  rw                –
Bob     rx                 r                  r                 r
The strengths and weaknesses of capabilities are more or less the opposite of ACLs. Runtime
security checking is more efficient, and you can do delegation without much difficulty: Bob could
create a certificate saying “Here is my capability, and I hereby delegate to David the right to read
file 4 from 9 A.M. to 1 P.M.; signed Bob.” On the other hand, changing a file’s status can suddenly
become more tricky, as it can be difficult to find out which users have access. This can be tiresome
when investigating an incident or preparing evidence of a crime.
Table 10.4: A Capability

User   Operating System   Accounts Program   Accounting Data   Audit Trail
Bob    rx                 r                  r                 r
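As an added illustration (not code from the textbook), the following Python stores the matrix of Table 10.3 both by columns (ACLs) and by rows (capabilities), applies the restrict and transmit operations listed above, and shows why "which users can access this file?" is a direct lookup with ACLs but a scan of every user's list with capabilities. The signature and the 9 A.M. to 1 P.M. time window of Bob's delegation certificate are not modelled; user and object names come from the table.

```python
# Access control matrix of Table 10.3 (subjects x objects -> rights),
# transcribed from the page. Alice has no rights on the audit trail.
MATRIX = {
    "Sam":   {"Operating System": "rwx", "Accounts Program": "rwx",
              "Accounting Data": "rw",   "Audit Trail": "r"},
    "Alice": {"Operating System": "x",   "Accounts Program": "x",
              "Accounting Data": "rw",   "Audit Trail": ""},
    "Bob":   {"Operating System": "rx",  "Accounts Program": "r",
              "Accounting Data": "r",    "Audit Trail": "r"},
}

def acls(matrix):
    """Store by columns: one access control list per object."""
    out = {}
    for user, row in matrix.items():
        for obj, rights in row.items():
            out.setdefault(obj, {})[user] = set(rights)
    return out

def capabilities(matrix):
    """Store by rows: one capability list per user (Table 10.4 is Bob's row)."""
    return {u: {o: set(r) for o, r in row.items()} for u, row in matrix.items()}

def restrict(cap_list, obj, keep):
    """Operation 3: a less-privileged copy; the original list is left untouched."""
    new = {o: set(r) for o, r in cap_list.items()}
    new[obj] &= set(keep)
    return new

def delegate(cap_lists, giver, receiver, obj, keep):
    """Operation 5: transmit a (possibly restricted) capability to another user.
    Only rights the giver actually holds can be passed on."""
    granted = cap_lists[giver][obj] & set(keep)
    cap_lists.setdefault(receiver, {}).setdefault(obj, set()).update(granted)
    return cap_lists[receiver][obj]

def who_can_access(acl, obj, right):
    """With ACLs the question 'who has this right?' is one lookup on the object."""
    return sorted(u for u, r in acl[obj].items() if right in r)

def who_can_access_caps(cap_lists, obj, right):
    """With capabilities every user's list must be scanned: the weakness noted above,
    which matters when revoking access or investigating an incident."""
    return sorted(u for u, lst in cap_lists.items() if right in lst.get(obj, set()))
```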
There were a number of experimental implementations in the 1970s, which were rather like
file passwords; users would get hard-to-guess bit strings for the various read, write, and other
capabilities to which they were entitled. It was found that such an arrangement could give very
comprehensive protection. It was not untypical to find that almost all of an operating system
could run in user mode, rather than as supervisor, so operating system bugs were not security
critical. (In fact, many operating system bugs caused security violations, which made debugging
the operating system much easier.)
The IBM AS/400 series systems employed capability-based protection, and enjoyed some
commercial success. Now capabilities are making a comeback in the form of public key certificates.
For now, think of a public key certificate as a credential signed by some authority, which declares
that the holder of a certain cryptographic key is a certain person, a member of some group, or the
holder of some privilege.
As an example of where certificate-based capabilities can be useful, consider a hospital. If you
implemented a rule stating “a nurse will have access to all the patients who are on her ward, or
who have been there in the last 90 days,” naively, each access control decision in the patient record
system would require several references to administrative systems, to find out which nurses
and which patients were on which ward, when. This means that a failure of the administrative
systems can now affect patient safety much more directly than was previously the case, which is
196 LOVELY PROFESSIONAL UNIVERSITY