Capability-based security

Capability-based security is a concept in the design of secure computing systems. It refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and the operating system infrastructure necessary to make such transactions efficient and secure.

Related Topics:
Secure computing - User - Programs - Capabilities - Principle of least privilege - Operating system

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

An alternative to capability-based security that is used in most commercial operating systems is that of access control list-based security, in which a process gains access to objects by presenting an unprivileged reference to the operating system, to which the system responds by determining which access rights are appropriate for that object based on the requesting process's user identity. In a capability-based system, user programs deal not with unprivileged references but privileged capabilities. Because the capabilities are already known to be legitimate ways to access the object, there is no need for an access validation step based on user identity or other factors.

Related Topics:
Access control list - Process - Access rights - Identity

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~