Table of Contents for Programming Languages: a survey

Security constructs

Ambient authority



A 'capability' is a communicable, unforgeable token of authority [1]. That is to say, a capability can be 'possessed' by a program, and by virtue of possessing it, the program can acquire some access rights.

Capabilities are typically fine-grained; that is, a capability might grant write access to a particular file, rather than granting blanket superuser access, or rather than making the holder of the capability a member of some access group with a wide variety of associated privileges.

The fact that capabilities can be transferred between mutually untrusting processes is key to their usefulness. Sometimes there is a need for one program to delegate access privileges to some other program; without capabilities, either the delegate program must often be given access in a coarse-grained way (which is often more access than is needed; for example running a server process as root), or the delegate program must conduct its business by passing its requests through a more privileged program (which opens the potential for exploits if the more privileged program has a bug).

To prevent processes from 'forging' capabilities by manually creating them using ordinary operations, often one of two mechanisms is used: (a) tagged memory, where a tag indicates whether a given value in memory is a capability (and non-privileged processes can't modify the tag), and (b) special memory spaces/data structures that can hold capabilities (whereas other memory spaces/data structures cannot hold capabilities).

Sealed capabilities

A sealed capability is one which cannot be used in its present state. This allows the sealed capability to be passed from one party to another through a middleman, without granting the middleman the access rights bestowed by the (unsealed) capability; upon receipt, the final recipient can unseal the capability and put it to use.

In some systems (eg. CHERI) sealed capabilities can, under some circumstances be 'called into' while still sealed. In this case, the sealed capability is unsealed for the duration of the function call. The effect is that the callee function is called with the access rights of the capability under seal (but, in some implementations, without the access rights of the caller). The purpose of this is to allow an object-oriented programming (OOP) encapsulation to be secure; certain memory locations ('object instance data') can only be accessed by certain functions (object methods'); other programs can only indirectly access those locations by going through the functions via sealed calling, that is, other programs can't access the object instances data except by calling the object methods.

Object capability model

Capability links

Tagged memory

"Tagged memory associates metadata with each memory location and can be used to implement fine-grained memory access restrictions. Attacks which hijack control flow can be prevented by using this protection to restrict writes to memory locations containing return addresses, function pointers, and vtable pointers." -- [2]