Introduction
Traditional protection systems often associate permissions directly with objects. For example, a file carries a list of users and the operations each may perform, typically as an Access Control List (ACL). This works well in many situations, but it has limitations in flexibility, delegation, and scalable permission management.
Capability-based systems take a fundamentally different approach. Instead of storing permissions with objects, permissions are attached to subjects in the form of capabilities.
A capability acts like an unforgeable token or key that grants specific access rights to a resource. Possession of the capability itself becomes proof of authorization.
Capability systems are extremely important because they provide:
Fine-grained protection
Secure delegation
Controlled resource sharing
Strong isolation
Efficient permission checking
Modern operating systems, secure kernels, distributed systems, and containerized environments use capability-based ideas extensively.
What is a Capability?
A capability is a protected token or reference that grants a subject specific access rights to an object.
The capability specifies:
Which object can be accessed
What operations are allowed
Core Idea
Possession of capability = permission to access resource
Example
A process may hold:
Capability:
File A → Read, Write
This capability itself authorizes access.
Important Insight
Capabilities combine object reference and access rights into a secure token
Capability-Based Protection Model
In capability systems:
Subjects possess capabilities
Capabilities define allowed operations
Access is granted based on capability possession
Unlike ACL systems:
Objects do not primarily control permissions
Subjects carry authorization tokens
Capability Structure
A capability typically contains:
Object identifier
Access rights
A protection mechanism that keeps the token unforgeable (a hardware tag, kernel ownership, or a cryptographic check)
Example Structure
Capability:
Object → Printer
Rights → Print
Why Capability Systems Are Necessary
Traditional ACL systems face several challenges:
Delegation is difficult: a subject cannot hand a subset of its rights to another party without someone editing the object's list
Permission checking is expensive: every access must authenticate the subject and then search the object's list (including group memberships) for a matching entry
Distributed access control is complex: every object must recognize the identities of all possible subjects
Capability systems solve these problems by:
Allowing direct authorization
Supporting controlled delegation
Simplifying access checks
Important Insight
Capabilities enable flexible and decentralized authorization
Capability Access Process
Suppose a process wants to access a file.
Step 1: Process Requests Operation
Example:
Read File A
Step 2: OS Checks Capability
OS verifies:
Does process possess capability?
Does capability include requested right?
Step 3: Access Granted or Denied
If capability valid:
Operation proceeds
Otherwise:
Access denied
Capability Lists
Each subject maintains a list of capabilities.
This is essentially:
Row-wise implementation of Access Matrix
Example
Process P:
File1 → Read
File2 → Write
Printer → Use
This list defines the process's protection domain.
Capability vs Access Control List (ACL)
This comparison is extremely important.
| Feature | ACL | Capability |
|---|---|---|
| Permissions attached to | Object | Subject |
| Structure | Column-wise | Row-wise |
| Access verification | Check object list | Check subject token |
| Delegation | Harder | Easier |
| Revocation | Easier | Harder |
Important Insight
ACLs answer “Who can access this object?” while capabilities answer “What can this subject access?”
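To make the two views concrete, here is an added example (not code from the original page) that builds a small access matrix, derives capability lists from its rows and ACLs from its columns, and runs the access check both ways. The subjects P1..P3, the objects File1/File2/Printer and their rights are constructed for the illustration; the point is that the row-wise check asks "what does this subject hold?" while the column-wise check asks "who is on this object's list?", and both must agree because they are the same matrix.

```python
"""Access matrix viewed row-wise (capability lists) and column-wise (ACLs).

Constructed illustration: subjects P1..P3, objects File1/File2/Printer and
their rights are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# One cell of the access matrix: the rights subject s holds on object o.
ACCESS_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("P1", "File1"): frozenset({"read"}),
    ("P1", "File2"): frozenset({"write"}),
    ("P1", "Printer"): frozenset({"use"}),
    ("P2", "File1"): frozenset({"read", "write"}),
    ("P3", "Printer"): frozenset({"use"}),
}


@dataclass(frozen=True)
class Capability:
    """Object reference plus access rights, bundled into one token."""
    obj: str
    rights: FrozenSet[str]


def capability_lists(matrix) -> Dict[str, List[Capability]]:
    """Row-wise view: each subject's capability list (its protection domain)."""
    clists: Dict[str, List[Capability]] = {}
    for (subject, obj), rights in matrix.items():
        clists.setdefault(subject, []).append(Capability(obj, rights))
    return clists


def access_control_lists(matrix) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Column-wise view: each object's list of (subject -> rights) entries."""
    acls: Dict[str, Dict[str, FrozenSet[str]]] = {}
    for (subject, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subject] = rights
    return acls


def check_by_capability(clists, subject, obj, op) -> bool:
    """Capability check: does the subject hold a token for obj that includes op?
    The subject presents the token; no identity lookup on the object is needed."""
    return any(cap.obj == obj and op in cap.rights
               for cap in clists.get(subject, []))


def check_by_acl(acls, subject, obj, op) -> bool:
    """ACL check: the object's list is searched for the (authenticated) subject."""
    return op in acls.get(obj, {}).get(subject, frozenset())


def who_can(acls, obj, op) -> List[str]:
    """The ACL question: who can perform op on obj? (one column of the matrix)"""
    return sorted(s for s, rights in acls.get(obj, {}).items() if op in rights)


def what_can(clists, subject) -> List[Tuple[str, List[str]]]:
    """The capability question: what can this subject do? (one row of the matrix)"""
    return sorted((cap.obj, sorted(cap.rights)) for cap in clists.get(subject, []))


def views_agree(matrix) -> bool:
    """Both views are the same matrix, so every query must get the same answer."""
    clists, acls = capability_lists(matrix), access_control_lists(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    ops = set().union(*matrix.values())
    return all(check_by_capability(clists, s, o, op) == check_by_acl(acls, s, o, op)
               for s in subjects for o in objects for op in ops)
```

Note that check_by_capability never consults the object: the decision depends only on what the subject presents, which is what makes the check cheap and local. check_by_acl, by contrast, needs a trustworthy subject identity before it can search the object's list.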
Unforgeability of Capabilities
Capabilities must be protected against forgery.
Otherwise:
Processes could create fake permissions
Operating systems ensure capabilities are:
Protected
Unmodifiable
Verifiable
Methods for Protection
1. Tagged Architecture
Hardware keeps a tag bit on each memory word that marks it as holding a capability; ordinary data stores clear the tag, so user code cannot manufacture a capability by writing bits (the approach taken by CHERI).
2. Kernel-Managed Capabilities
Capabilities stored only inside kernel space.
Processes cannot directly modify them.
3. Cryptographic Protection
Used in distributed systems, where no single kernel can hold the token on the holder's behalf.
Capabilities are signed (with a MAC or a digital signature) or encrypted, so the holder cannot alter the object or rights without the change being detected at use time.
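As an added example of the cryptographic approach (not code from the original page), the following issues a capability as an HMAC-tagged token carrying the object, the rights and an expiry time, verifies it, and shows why a holder who lacks the key cannot upgrade "read" to "read,write". The token layout, the key and the object names are assumptions made for this illustration, not any particular system's format.

```python
"""Cryptographically protected capability: an HMAC-tagged token naming an
object, its rights and an expiry time.

Added illustration; the token format, key and object names are assumptions
for this example, not any particular system's wire format.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional


class InvalidCapability(Exception):
    """Raised when a token is malformed, forged, altered or expired."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical encoding so the MAC covers exactly one byte string per claim set.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue(key: bytes, obj: str, rights: List[str], ttl: int,
          now: Optional[float] = None) -> str:
    """Issuer (the only holder of `key`) mints a capability valid for ttl seconds."""
    now = time.time() if now is None else now
    body = _encode_claims({"obj": obj, "rights": sorted(rights), "exp": int(now) + ttl})
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify(key: bytes, token: str, now: Optional[float] = None) -> dict:
    """Check integrity first, then expiry; return the claims only if both pass."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError as exc:                      # wrong shape or bad base64
        raise InvalidCapability("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise InvalidCapability("bad MAC: token forged or modified")
    claims = json.loads(body)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise InvalidCapability("expired")
    return claims


def authorize(key: bytes, token: str, obj: str, op: str,
              now: Optional[float] = None) -> bool:
    """The access check: possession of a valid token naming obj and op is enough."""
    try:
        claims = verify(key, token, now)
    except InvalidCapability:
        return False
    return claims["obj"] == obj and op in claims["rights"]


def forge_rights(token: str, new_rights: List[str]) -> str:
    """What an attacker without the key can attempt: rewrite the rights field and
    keep the original tag. verify() rejects this because the MAC no longer matches."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["rights"] = sorted(new_rights)
    return _b64(_encode_claims(claims)) + "." + tag_b64
```

The verifier only needs the key and the token; it never looks up the caller's identity, which is what lets a remote service treat the token as a capability. The expiry field is the Expiration technique from the revocation section below: a leaked token stops working on its own once its lifetime runs out.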
Delegation in Capability Systems
One of the biggest strengths of capabilities is delegation.
A process may transfer limited rights to another process.
Example
Process A grants Read-only capability to Process B
This enables controlled sharing.
Important Insight
Capabilities naturally support secure delegation
Capability Revocation Problem
Revoking capabilities is challenging.
Why?
Because capabilities may already be distributed among many subjects.
Example
A process shares capability with:
Multiple users
Child processes
Remote systems
Now revocation becomes difficult.
Revocation Techniques
1. Expiration
Capabilities valid only temporarily.
2. Indirection
Capabilities point to an intermediate entry rather than to the object itself; invalidating that entry revokes every capability that goes through it.
3. Revocation Lists
The OS keeps a list of revoked capability identifiers and checks it on every use.
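The following added example (not code from the original page) ties the Delegation section and the Indirection technique together in one kernel-managed model. Processes hold only small integer handles, so they cannot read or alter the rights; delegation produces a copy whose rights must be a subset of what the granter holds (amplification is refused); and each delegated copy points at the granter's entry rather than the object, so revoking that entry silently kills every capability derived from it, however far it was passed on. Process and object names are made up.

```python
"""Kernel-managed capabilities with attenuating delegation and revocation by
indirection.

Added illustration. Processes hold only small integer handles (like file
descriptors); the entries they name live in the 'kernel' and cannot be read
or modified by the processes. A delegated capability refers to the granter's
entry rather than to the object, so revoking the granter's entry revokes every
capability derived from it. Process and object names are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class AccessDenied(Exception):
    pass


@dataclass
class _Entry:
    obj: str
    rights: FrozenSet[str]
    parent: Optional[int]      # entry this one was derived from; None for a root
    revoked: bool = False


class Kernel:
    def __init__(self) -> None:
        self._entries: Dict[int, _Entry] = {}
        self._tables: Dict[str, Dict[int, int]] = {}   # process -> handle -> entry id
        self._next_id = 1

    # ---- internal helpers: not reachable from process code ----
    def _install(self, proc: str, entry: _Entry) -> int:
        eid = self._next_id
        self._next_id += 1
        self._entries[eid] = entry
        table = self._tables.setdefault(proc, {})
        handle = max(table, default=-1) + 1
        table[handle] = eid
        return handle

    def _lookup(self, proc: str, handle: int) -> int:
        try:
            return self._tables[proc][handle]
        except KeyError:
            raise AccessDenied(f"{proc} holds no capability {handle}") from None

    def _resolve(self, eid: int) -> Tuple[str, FrozenSet[str]]:
        """Walk the indirection chain to the root, intersecting rights on the way.
        Any revoked link invalidates everything below it."""
        rights: Optional[FrozenSet[str]] = None
        obj = ""
        current: Optional[int] = eid
        while current is not None:
            entry = self._entries[current]
            if entry.revoked:
                raise AccessDenied("capability revoked")
            rights = entry.rights if rights is None else rights & entry.rights
            obj, current = entry.obj, entry.parent
        assert rights is not None
        return obj, rights

    # ---- the 'system calls' a process may invoke ----
    def grant(self, proc: str, obj: str, rights: Iterable[str]) -> int:
        """Create a root capability for proc (only the kernel may do this)."""
        return self._install(proc, _Entry(obj, frozenset(rights), None))

    def delegate(self, src: str, handle: int, dst: str, rights: Iterable[str]) -> int:
        """src gives dst a copy limited to `rights`; amplification is refused."""
        parent = self._lookup(src, handle)
        _, held = self._resolve(parent)              # also fails if already revoked
        wanted = frozenset(rights)
        if not wanted <= held:
            raise AccessDenied(f"cannot delegate {sorted(wanted - held)}: not held")
        return self._install(dst, _Entry(self._entries[parent].obj, wanted, parent))

    def access(self, proc: str, handle: int, op: str) -> str:
        """Perform op through a handle; returns the object name on success."""
        obj, rights = self._resolve(self._lookup(proc, handle))
        if op not in rights:
            raise AccessDenied(f"{proc}: {op} not permitted on {obj}")
        return obj

    def revoke(self, proc: str, handle: int) -> None:
        """Invalidate proc's entry and, through indirection, all derived copies."""
        self._entries[self._lookup(proc, handle)].revoked = True


def can(kernel: Kernel, proc: str, handle: int, op: str) -> bool:
    try:
        kernel.access(proc, handle, op)
        return True
    except AccessDenied:
        return False


def can_delegate(kernel: Kernel, src: str, handle: int, dst: str, rights) -> bool:
    try:
        kernel.delegate(src, handle, dst, rights)
        return True
    except AccessDenied:
        return False
```

The cost of this scheme is visible in _resolve: every access walks the delegation chain, so deep chains make checks slower. Flattening the chain (pointing each copy straight at the root) would make checks constant-time but would lose the ability to revoke one granter's copies without revoking everyone's.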
Capability-Based Addressing
Some systems use capabilities not only for files but also for memory access.
Capabilities may control:
Memory segments
Objects
Inter-process communication
This enables highly secure architectures.
Capability Systems and Least Privilege
Capability systems strongly support:
Principle of least privilege
Processes receive only required capabilities.
Advantages:
Better isolation
Reduced attack surface
Improved security
Capability Systems in Distributed Environments
Capabilities are highly useful in distributed systems.
Example:
Remote object access
Cloud systems
Microservices
A capability can act like:
Secure access token
Modern Examples of Capability-Based Ideas
1. UNIX File Descriptors
A file descriptor behaves similarly to a capability:
Possession grants access; the open mode fixes the rights, and the descriptor can be passed to another process
2. Capsicum (FreeBSD)
Implements a capability security framework: a process that enters capability mode loses ambient authority (it can no longer open objects by global name) and works only through file descriptors, whose rights can be further limited.
3. seL4 Microkernel
Strong capability-based architecture: every kernel object (thread, address space, endpoint, untyped memory) is reachable only through a capability stored in the holder's capability space.
4. Web Tokens
Modern APIs use token-based authorization similar to capabilities. A bearer token is capability-like only when possession alone authorizes and the token names specific rights; a token that merely asserts an identity still needs an ACL-style check at the resource.
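For item 1 above, here is an added example (not code from the original page) that treats a UNIX file descriptor as a capability: the rights are fixed by the open mode, the kernel checks the descriptor presented rather than the caller's identity, and the descriptor is delegated to a "receiver" over a UNIX-domain socket with SCM_RIGHTS. Both ends of the socketpair live in one process to keep the example self-contained; the file content is constructed. It needs Linux or BSD and Python 3.9 or later for socket.send_fds and socket.recv_fds.

```python
"""A UNIX file descriptor used as a capability.

Added illustration (not from the original page). A descriptor's rights are
fixed by the mode it was opened with, the kernel checks the descriptor
presented rather than who the caller is, and the descriptor can be delegated
to another process over a UNIX-domain socket (SCM_RIGHTS). Here both ends of
the socketpair live in one process to keep the demo self-contained; the file
content is made up. Requires Linux or BSD and Python 3.9+.
"""
import errno
import fcntl
import os
import socket
import tempfile
from typing import Set

SAMPLE = b"secret report\n"          # constructed file content


def rights_of(fd: int) -> Set[str]:
    """Read the capability's rights back from the descriptor's access mode."""
    mode = fcntl.fcntl(fd, fcntl.F_GETFL) & os.O_ACCMODE
    return {os.O_RDONLY: {"read"}, os.O_WRONLY: {"write"},
            os.O_RDWR: {"read", "write"}}[mode]


def try_op(fd: int, op: str) -> str:
    """Attempt op through fd; return 'ok' or the errno name the kernel answered with."""
    try:
        if op == "write":
            os.pwrite(fd, b"x", 0)
        else:
            os.pread(fd, len(SAMPLE), 0)
        return "ok"
    except OSError as exc:
        return errno.errorcode[exc.errno]


def delegate_read_only(path: str) -> dict:
    """Open path read-only and pass that descriptor to a 'receiver' via SCM_RIGHTS."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    ro_fd = os.open(path, os.O_RDONLY)
    try:
        # The sender hands over neither the path nor its identity: only the token.
        socket.send_fds(sender, [b"cap"], [ro_fd])
        _msg, fds, _flags, _addr = socket.recv_fds(receiver, 16, 1)
        got = fds[0]                                  # new descriptor number, same open file
        result = {
            "distinct_descriptor": got != ro_fd,
            "receiver_rights": rights_of(got),
            "receiver_read": os.pread(got, len(SAMPLE), 0),
            "receiver_write": try_op(got, "write"),   # EBADF: not open for writing
        }
        os.close(got)                                  # dropping the token forfeits access
        result["after_close"] = try_op(got, "read")    # EBADF: no capability any more
        return result
    finally:
        os.close(ro_fd)
        sender.close()
        receiver.close()


def demo() -> dict:
    """Create the sample file, run the delegation, and clean up."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SAMPLE)
        os.close(fd)
        return delegate_read_only(path)
    finally:
        os.unlink(path)
```

The receiver never learns the path and could not open the file itself if the path were unreadable to it; all it has is a read-only descriptor, and the write attempt fails with EBADF because the kernel checks the descriptor's mode, not the process's identity. This is also why a leaked descriptor (for example one inherited across exec) is a real capability leak and why close-on-exec matters in practice.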
Capability Systems vs Traditional Permissions
Traditional systems:
Centralized permission checking
Capability systems:
Decentralized authorization through possession
This often improves:
Scalability
Flexibility
Delegation
Security Advantages of Capability Systems
Fine-Grained Access
Very precise permissions possible.
Reduced Global Authority
Processes only access possessed capabilities.
Better Isolation
Processes isolated naturally.
Easier Delegation
Controlled sharing becomes simple.
Limitations of Capability Systems
1. Revocation Complexity
Harder than ACLs.
2. Capability Leakage
If a token leaks (copied, logged, or handed to an untrusted party):
Whoever holds it gains the access it names, so short lifetimes and a revocation path are essential
3. Management Overhead
Large-scale capability tracking may become complex.