DVH as the seminal paper in capability-based security
(Was: [cap-talk] Re: OS security discussion, restricted access
processes, etc. - historical)
Jed Donnelley
jed at nersc.gov
Tue May 11 00:34:41 EDT 2004
At 11:57 AM 5/8/2004, Tyler Close wrote:
>Jed Donnelley wrote:
>>While I do see that paper referenced by Dennis and Van Horn as containing
>>the concept of a "segment", I don't see anything in that paper that looks
>>like capabilities to me. This would seem to mostly be of academic
>>interest, but I'm curious how far others think the capability concept goes.
>
>Section VII "Protected Entry Points" is the key section. It is in this
>section that capability-based design was born.
Hmmm. Are we referring to the same paper, "A dynamic storage allocation
scheme" by JK Iliffe and JG Jodeit as:
http://www3.oup.co.uk/computer_journal/hdb/Volume_05/Issue_03/050200.sgm.abs.html
? When I look at that paper I see only sections:
1. Introduction, pg. 200
2. The codeword representation, pg. 200
3. Memory organization, pg. 202
4. Operations on arrays, pg. 204
5. The use of the backing store, pg. 205
6. Programming Techniques, pg. 207, and
7. Acknowledgements, pg. 209
The only copy that I have is as above in Tiff format. I haven't tried to
OCR it so I don't have a text version. Do you?
If so might you be able to point me to a copy on the Web?
>Section VII introduces encapsulation and the changes in access that must
>occur when control passes across an encapsulation boundary from caller to
>callee and back again. This definition of encapsulation is key to enabling
>capability-based security.
>
>Section VII introduces the concept of unified designation and
>authorization, as well as explicit wielding of authority. A caller invokes
>a protected entry point by explicitly specifying the held capability that
>both designates and authorizes access. Such a capability is only granted
>to another holder through explicit parameter passing of the capability.
>These are the key insights underlying capability-based security.
>
>Section VII also starts down the road of discovering capability-based
>design principles. For example:
>
>"If A and B are two computations using the routine S, it must not be
>possible for a malfunction of A's processes to cause incorrect execution
>of B's procedures."
>
>Section VII also describes a message dispatch mechanism identical to a
>vtable. The vtable is a key control structure in object-oriented
>capability-based systems that supports the creation of abstract
>interfaces. This feature enables object-oriented design patterns for
>refining access-control structures in user-level code.
>
>Perhaps most amazing is that this paper was written in 1965.
The paper I have came from the October 1962 (not 1965 I believe) issue of
"The Computer Journal":
http://www3.oup.co.uk/computer_journal/hdb/Volume_05/Issue_03/
I'd like to understand where I'm going wrong. Thanks for responding Tyler!
--Jed http://www.nersc.gov/~jed/
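The properties Tyler attributes to Section VII (a capability that both designates and authorizes, authority conveyed only by explicit parameter passing, a protected entry point dispatched through an abstract interface, and the requirement that a malfunction in A's computation must not corrupt B's) can be shown with ordinary object references. The following is an added illustration written for this archive page; it is not code from the Iliffe/Jodeit paper, from Dennis and Van Horn, or from anyone in the thread. The names Segment, ReadOnlySegment and run_isolated are hypothetical.

```python
"""Object-capability sketch of the principles discussed above.

Added illustration, not code from either paper or from the cap-talk thread.
A capability is modelled as an unforgeable Python object reference: holding
the reference is the only way to name the resource *and* to be permitted to
use it (unified designation and authorization). There is no global table of
segments, so authority reaches a routine only as an explicit parameter.
"""


class Segment:
    """Hypothetical protected resource reachable only via a held reference."""

    def __init__(self, name):
        self.name = name
        self._data = []

    def append(self, item):
        """Protected entry point: callable only by whoever holds the reference."""
        self._data.append(item)
        return len(self._data)

    def contents(self):
        return tuple(self._data)


class ReadOnlySegment:
    """Attenuated capability: same abstract reading interface, no append.

    Method lookup on the forwarder plays the role of the vtable-style
    dispatch described in the thread; the caller cannot tell the difference.
    """

    def __init__(self, seg):
        self._seg = seg

    def contents(self):
        return self._seg.contents()


def run_isolated(routine, caps):
    """Invoke a routine as a separate computation with exactly the
    capabilities passed in. A malfunction (exception) is reported to the
    caller rather than propagated into any other computation.
    Returns (result, error_name)."""
    try:
        return routine(*caps), None
    except Exception as exc:  # noqa: BLE001 - we want to contain any fault
        return None, type(exc).__name__


def demo():
    """Two computations, A and B, each given its own segment."""
    seg_a = Segment("A")
    seg_b = Segment("B")

    def proc_a(seg):
        seg.append("a1")
        raise RuntimeError("A malfunctions")  # constructed fault in A

    def proc_b(seg):
        seg.append("b1")
        return seg.contents()

    result_a = run_isolated(proc_a, (seg_a,))
    result_b = run_isolated(proc_b, (seg_b,))

    # Attenuation: hand a third computation a read-only view of B's segment.
    view = ReadOnlySegment(seg_b)

    def proc_c(ro):
        return hasattr(ro, "append"), ro.contents()

    result_c = run_isolated(proc_c, (view,))

    return {
        "a": result_a,            # (None, 'RuntimeError')
        "b": result_b,            # (('b1',), None): unaffected by A's fault
        "c": result_c,            # ((False, ('b1',)), None): can read, not write
        "b_contents": seg_b.contents(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of run_isolated is only to make the A/B separation visible: B's result depends solely on the reference B was handed, and A, having never been passed seg_b, has no way to name it, let alone corrupt it. ReadOnlySegment shows the user-level refinement of access that the vtable-style dispatch permits: the holder of the view can read through the same interface but has no append entry point at all.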