Capability-based Security

What Is Capability-based Security?

Capability-based security is an approach to access control in which a process or thread demonstrates its right to perform an operation by presenting an unforgeable token, called a capability, that encapsulates both a reference to a specific resource and the set of permitted operations on that resource. Unlike access control list (ACL) models, where rights are recorded on the object side and checked against a subject's identity at each access, capabilities are held by the subject and presented at the point of use, making authorization self-contained in the token. The model originates in work by Dennis and Van Horn in 1966 and has been a recurring theme in operating systems research ever since.

Capability-based security is grounded in the principle of least privilege: a component should receive only the capabilities it genuinely needs to perform its function, and no more. Because capabilities can be selectively delegated without revealing the full identity of the original holder, the model supports fine-grained compartmentalization and controlled sharing in a way that identity-based access control makes structurally difficult.

Capability Model Fundamentals

A capability is an opaque value, typically an integer or pointer, that the operating system kernel guarantees is unforgeable by user-space code. The kernel stores capabilities in protected per-process capability lists (C-lists) or in tagged memory words that the hardware marks as capability-bearing. When a process issues a system call, it supplies a capability designating the target object; the kernel verifies that the capability was legitimately derived from an earlier grant rather than fabricated. Rights are reduced using masking operations before delegation, ensuring that a process cannot pass on permissions it was not given. An early, well-known implementation was the CAP computer at Cambridge in the 1970s; later capability-based systems include the KeyKOS and EROS kernels, both of which motivated the design of the formally verified seL4 microkernel, which uses capabilities as the sole mechanism for all inter-process authority.
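The mechanics just described (kernel-held C-lists, integer handles that user code cannot forge, rights masking before delegation) can be shown in a small model. The block below is an added teaching example, not code from any kernel named on this page; the `Kernel`, `Kernel.derive`, `Kernel.grant` and `Kernel.invoke` names and the rights bits `READ`, `WRITE`, `GRANT` are this example's own inventions, and the process names and paths are constructed.

```python
# Added illustration of a kernel-managed capability list (C-list); this is a
# teaching model, not code from any real kernel.
READ, WRITE, GRANT = 1, 2, 4          # rights bits; GRANT permits delegation


class CapabilityError(Exception):
    """Raised when a handle does not resolve or lacks the requested right."""


class Kernel:
    """Holds every C-list. User code only ever sees small integer handles."""

    def __init__(self):
        self._clists = {}   # pid -> {handle: (object, rights)}
        self._next = {}     # pid -> next unused handle number

    def new_process(self, pid):
        self._clists[pid] = {}
        self._next[pid] = 0

    def _install(self, pid, obj, rights):
        # Only the kernel writes to a C-list, which is what makes handles unforgeable.
        handle = self._next[pid]
        self._next[pid] += 1
        self._clists[pid][handle] = (obj, rights)
        return handle

    def _lookup(self, pid, handle):
        entry = self._clists[pid].get(handle)
        if entry is None:
            raise CapabilityError(f"pid {pid}: handle {handle!r} is not in its C-list")
        return entry

    def create(self, pid, obj, rights):
        """Initial grant of a fresh capability; only the kernel can mint one."""
        return self._install(pid, obj, rights)

    def derive(self, pid, handle, mask):
        """Attenuate: the new capability carries rights & mask, so rights only shrink."""
        obj, rights = self._lookup(pid, handle)
        return self._install(pid, obj, rights & mask)

    def grant(self, src, handle, dst):
        """Delegate: copy an entry into another process's C-list, if GRANT is held."""
        obj, rights = self._lookup(src, handle)
        if not rights & GRANT:
            raise CapabilityError(f"pid {src}: handle {handle} is not delegable")
        return self._install(dst, obj, rights)

    def invoke(self, pid, handle, op):
        """System-call path: the handle must resolve and must carry the right for op."""
        obj, rights = self._lookup(pid, handle)
        if not rights & op:
            raise CapabilityError(f"rights {bin(rights)} do not include {bin(op)}")
        return obj


def attempt(call):
    """Run a kernel call and report either its result or the denial reason."""
    try:
        return call()
    except CapabilityError as exc:
        return f"denied: {exc}"


def demo():
    k = Kernel()
    for pid in ("server", "client"):
        k.new_process(pid)
    full = k.create("server", "/var/db/ledger", READ | WRITE | GRANT)   # constructed object name
    read_only = k.derive("server", full, READ | GRANT)       # mask drops WRITE
    client_cap = k.grant("server", read_only, "client")
    out = {}
    out["client_read"] = attempt(lambda: k.invoke("client", client_cap, READ))
    out["client_write"] = attempt(lambda: k.invoke("client", client_cap, WRITE))
    # Re-deriving with a wider mask cannot restore WRITE: rights & mask never exceeds rights.
    widened = k.derive("client", client_cap, READ | WRITE | GRANT)
    out["client_write_after_rederive"] = attempt(lambda: k.invoke("client", widened, WRITE))
    # Delegating a capability that lacks GRANT fails even though the object is the same.
    no_grant = k.derive("server", full, READ | WRITE)
    out["server_regrant"] = attempt(lambda: k.grant("server", no_grant, "client"))
    # An integer the client simply makes up designates nothing.
    out["forged_handle"] = attempt(lambda: k.invoke("client", 42, READ))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value}")
```

Two properties of the model are worth noting when reading the output: a handle number is meaningful only relative to the C-list it indexes (handle 0 in "server" and handle 0 in "client" are unrelated entries), and because every new entry is written by `_install` with `rights & mask`, no sequence of `derive` and `grant` calls can produce an entry with more rights than the one it came from.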

Comparison with Access Control Lists

Access control lists attach a list of (subject, rights) pairs to each object, and a reference monitor consults the list whenever access is requested. This places the security policy on the object side, which is natural for file system administration but creates difficulties for least-privilege enforcement: granting a process file-handle access necessarily exposes the file's full ACL entry, and auditing which subjects hold what authority across a large system requires traversing all ACLs. Capabilities invert this relationship: auditing which resources a given process can reach requires only inspecting that process's C-list. The confused deputy problem, a classical vulnerability in which a program with elevated privilege is tricked into misusing that privilege on behalf of an attacker, is structural in ACL systems but does not arise when all authority is explicitly carried in capabilities, because naming an object and proving authority over it become the same act: a caller cannot designate a resource it holds no capability for. As the CHERI Frequently Asked Questions published by the University of Cambridge Computer Laboratory describe, hardware capability architectures extend these properties to the memory address level, tagging every pointer so that spatial and temporal memory safety violations are prevented at the instruction level.
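The contrast between the two models is easiest to see on the confused deputy itself. The example below is added here and is not code from any system the page mentions: a service (the deputy) writes a caller's report to a destination the caller chooses and then appends to its own audit log. In the ACL half, the service's identity `svc` is what the check consults, so a caller can steer the service at the audit log; in the capability half, the caller must hand over a `FileCap` it already holds. The `acl_deputy`, `cap_deputy` and `FileCap` names, the user names and the file paths are all constructed for this example.

```python
# Added illustration of the confused deputy under ACLs versus capabilities; a
# teaching model with constructed in-memory files, not code from any real system.


class Denied(Exception):
    pass


# ---- ACL world: rights are attached to the object and checked against the caller's identity.
ACLS = {
    "/home/alice/report.txt": {"alice": {"write"}, "svc": {"write"}},
    "/var/svc/audit.log":     {"svc": {"write"}},      # only the service may write here
}


def acl_write(files, identity, path, data):
    if "write" not in ACLS.get(path, {}).get(identity, set()):
        raise Denied(f"{identity} may not write {path}")
    files[path] = files.get(path, "") + data


def acl_deputy(files, requested_path, report):
    # The service runs as "svc", so every check uses svc's identity, not its caller's:
    # the path only names the object, while the authority comes from the deputy.
    acl_write(files, "svc", requested_path, report)
    acl_write(files, "svc", "/var/svc/audit.log", "report written\n")


# ---- Capability world: holding the object reference *is* the authority.
class FileCap:
    """Unforgeable in the model: minted by the 'kernel' side (here, directly in
    demo()), never reconstructed from a path string by a caller."""

    def __init__(self, files, path, rights):
        self._files, self.path, self.rights = files, path, frozenset(rights)

    def restrict(self, rights):
        # Attenuation: the copy can only carry a subset of the original rights.
        return FileCap(self._files, self.path, self.rights & frozenset(rights))

    def write(self, data):
        if "write" not in self.rights:
            raise Denied(f"no write right on {self.path}")
        self._files[self.path] = self._files.get(self.path, "") + data


def cap_deputy(dest_cap, audit_cap, report):
    # The deputy can only write where a capability lets it. dest_cap came from the
    # caller, so the caller must already hold authority over that file.
    dest_cap.write(report)
    audit_cap.write("report written\n")


def demo():
    out = {}
    # ACL: Alice asks the deputy to write her "report" into the deputy's own audit log.
    acl_files = {}
    acl_deputy(acl_files, "/var/svc/audit.log", "ALICE'S REPORT\n")
    out["acl_audit_log"] = acl_files["/var/svc/audit.log"]          # deputy was confused
    # Capabilities: Alice holds a capability only for her own file.
    cap_files = {}
    alice = {"/home/alice/report.txt": FileCap(cap_files, "/home/alice/report.txt", {"read", "write"})}
    svc_audit = FileCap(cap_files, "/var/svc/audit.log", {"write"})  # held by the service only
    # She cannot designate the audit log: there is no capability for it in her possession.
    out["alice_can_name_audit_log"] = alice.get("/var/svc/audit.log") is not None
    cap_deputy(alice["/home/alice/report.txt"].restrict({"write"}), svc_audit, "ALICE'S REPORT\n")
    out["cap_audit_log"] = cap_files["/var/svc/audit.log"]
    out["cap_report"] = cap_files["/home/alice/report.txt"]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value!r}")
```

In the ACL run the audit log ends up containing Alice's text, written with the service's own authority; in the capability run the deputy's audit capability is never exposed to the caller, and the only file Alice can affect is the one she could already write.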

Hardware Capability Architectures

Recent hardware implementations extend capability-based security below the operating system, into the processor itself. CHERI (Capability Hardware Enhanced RISC Instructions), developed at the University of Cambridge and SRI International, adds capability registers and a hardware tag bit to conventional ISAs such as MIPS and RISC-V. Each memory pointer carries bounds and permission metadata that the CPU enforces on every load, store, and jump. NIST guidance on access control models notes that capability-based approaches have regained prominence as microservice and embedded security architectures seek finer-grained compartmentalization than OS-level processes provide.
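The checks a capability machine performs on every memory access can be modelled in software. The block below is an added example and a deliberate simplification: it is not CHERI's capability encoding, instruction set or compressed bounds format, and the `MemCap`, `Memory`, `set_bounds` and `and_perms` names are this example's own. What it does reproduce is the three properties the text describes: a tag that distinguishes a capability from plain data, bounds and permissions checked before any byte is read or written, and monotonicity (a derived capability can be narrowed but never widened).

```python
# Added software model of a CHERI-style memory capability; a simplification for
# illustration, not CHERI's actual capability encoding or instruction set.
LOAD, STORE = 1, 2


class CapFault(Exception):
    """Hardware exception in the model: a bounds, permission or tag check failed."""


class MemCap:
    """A pointer that carries base, length, permissions and a validity tag."""

    def __init__(self, base, length, perms, tag=True):
        self.base, self.length, self.perms, self.tag = base, length, perms, tag

    @property
    def top(self):
        return self.base + self.length

    def _require_tag(self):
        if not self.tag:
            raise CapFault("tag bit clear: value is data, not a valid capability")

    def set_bounds(self, base, length):
        """Derive a narrower capability; widening beyond the parent is refused."""
        self._require_tag()
        if length < 0 or base < self.base or base + length > self.top:
            raise CapFault(f"cannot widen [{self.base},{self.top}) to [{base},{base + length})")
        return MemCap(base, length, self.perms, True)

    def and_perms(self, mask):
        """Permissions can only be cleared by derivation, never added."""
        self._require_tag()
        return MemCap(self.base, self.length, self.perms & mask, True)

    def check(self, offset, size, perm):
        """Every load and store runs this; returns the address on success."""
        self._require_tag()
        if not self.perms & perm:
            raise CapFault(f"permission {perm} not held")
        if offset < 0 or offset + size > self.length:
            raise CapFault(f"access [{self.base + offset},{self.base + offset + size}) "
                           f"outside [{self.base},{self.top})")
        return self.base + offset


class Memory:
    def __init__(self, size):
        self.cells = bytearray(size)

    def load(self, cap, offset, size=1):
        addr = cap.check(offset, size, LOAD)
        return bytes(self.cells[addr:addr + size])

    def store(self, cap, offset, data):
        addr = cap.check(offset, len(data), STORE)
        self.cells[addr:addr + len(data)] = data


def attempt(call):
    """Report 'ok' or the fault an access would raise."""
    try:
        call()
        return "ok"
    except CapFault as exc:
        return f"fault: {exc}"


def demo():
    mem = Memory(64)                                    # constructed 64-byte heap
    heap = MemCap(0, 64, LOAD | STORE)                  # root capability for the whole heap
    buf = heap.set_bounds(16, 16)                       # a 16-byte allocation at address 16
    neighbour = heap.set_bounds(32, 16)                 # the adjacent allocation
    mem.store(neighbour, 0, b"N" * 16)
    out = {}
    out["in_bounds"] = attempt(lambda: mem.store(buf, 0, b"A" * 16))
    # A 17-byte write through buf would run into neighbour; the check rejects it before any byte moves.
    out["overflow"] = attempt(lambda: mem.store(buf, 0, b"A" * 17))
    out["neighbour_intact"] = mem.load(neighbour, 0, 16) == b"N" * 16
    out["widen"] = attempt(lambda: buf.set_bounds(16, 32))
    read_only = buf.and_perms(LOAD)
    out["store_via_readonly"] = attempt(lambda: mem.store(read_only, 0, b"x"))
    out["readback"] = mem.load(read_only, 0, 4)
    # A capability-shaped value whose tag is clear (e.g. rebuilt from plain integers) is rejected.
    forged = MemCap(0, 64, LOAD | STORE, tag=False)
    out["forged"] = attempt(lambda: mem.load(forged, 0))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value!r}")
```

The point of the overflow case is that the neighbouring allocation is untouched after the rejected write: the check runs against the capability's own bounds, so an out-of-bounds access faults rather than silently corrupting adjacent memory, which is the spatial safety property the text attributes to these architectures.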

Applications

Capability-based security has applications in a range of fields, including:

  • Microkernel and high-assurance operating system design
  • Embedded systems and IoT firmware compartmentalization
  • Browser sandboxing and plugin isolation
  • Cloud infrastructure multi-tenancy and container security
  • Hardware-enforced memory safety in system-on-chip designs
