Split Capabilities: Making Capabilities Scale
Karp, Alan
alan_karp@hp.com
Mon, 24 Jul 2000 14:46:20 -0700
This topic seems to have gotten off the original track a bit. I'd like to
end the original thread and retire the subject line of this note. Here's my
summary of what I've learned.
Conventional capabilities
A conventional capability (CC) contains a reference to an object and
information that can be interpreted as an access right or set of access
rights to that object.
A separate CC is required for each uniquely controllable access right or set
of access rights for each object. This fact presents a theoretical scaling
problem that does not appear in practice.
The internal state of a capability may be accessible to a user, in which
case this state must be protected cryptographically. If the state of the
capability is kept in the platform, such protection is not needed.
A CC may be obtained independently from the process of obtaining the handle.
In some systems, the CC is used by the system as a handle to the object. In
this case, the CC is obtained implicitly as part of obtaining a handle to
the object.
Access rights are requested by referencing or submitting the CC with a
request. In some systems, the CC is used by the system as a handle to the
object. In this case, the CC submittal is implicitly part of the request.
The access rights can be represented as an interface representing a thinning
of the full interface of the object. The rights can also be data
interpreted by the object in deciding whether a particular operation should
be allowed.
Revocation can be enforced by issuing a CC for a proxy object. Destroying
the proxy revokes the capability.
Split capabilities
A split capability (SC) is an object having state and behavior.
An SC is always obtained independently of obtaining a handle for the object.
The fact that these two steps can be combined in one request does not change
the fact that the handle and SC are independent.
An arbitrary object can point to this SC and use the SC's state to determine
if a particular operation should be allowed. The object itself can have the
reference to the SC, or the SC's state can be accessed through a repository
of some sort maintained by the TCB. In the latter case, policies can be
specified without accessing the object.
Access rights are requested by referencing the SC with a request.
The SC does not point to a specific object. Hence, a single SC can be
pointed to by many objects. Further, the access rights granted by the SC can
vary from one object to another.
Revocation can be enforced by destroying the SC. However, the SC is not a
proxy as its behavior does not include invoking actions on other objects.
Summary
The essential distinction appears to be that a conventional capability
points to an object, but that an object points to a split capability. All
the other differences flow from this fact.
_________________________
Alan Karp
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
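As an added illustration, not part of Alan Karp's note, a toy Python model of the two styles summarized above: the conventional capability points at one object and is revoked by destroying its proxy, while several objects point at one split capability, interpret its state through their own policies, and lose access together when the SC is destroyed. The class names, the "editor" level label and the per-object policies are constructed for this example.

```python
class Revoked(PermissionError): pass  # the backing capability was destroyed
class Document:
    """Plain object with two operations; it performs no access checks itself."""
    def __init__(self, text): self.text = text
    def read(self): return self.text
    def write(self, text): self.text = text

class ConventionalCapability:
    """CC: points at ONE object, carries the rights, and doubles as a proxy."""
    def __init__(self, target, rights):
        self._target, self._rights = target, frozenset(rights)
    def invoke(self, op, *args):
        if self._target is None: raise Revoked("proxy destroyed")
        if op not in self._rights: raise PermissionError(op)
        return getattr(self._target, op)(*args)
    def destroy(self):  # revocation: destroy the proxy
        self._target = None

class SplitCapability:
    """SC: state plus behaviour, pointing at no object; objects point at it."""
    def __init__(self, level):
        self.level, self.alive = level, True  # level is a constructed label
    def destroy(self):  # revocation: destroy the SC itself
        self.alive = False

class GuardedDocument(Document):
    """Object that holds a policy mapping an SC's state to its own rights."""
    def __init__(self, text, policy):
        super().__init__(text); self.policy = policy  # level -> allowed ops
    def invoke(self, sc, op, *args):
        if not sc.alive: raise Revoked("split capability destroyed")
        if op not in self.policy.get(sc.level, ()): raise PermissionError(op)
        return getattr(self, op)(*args)

def demo():
    out = []
    cc = ConventionalCapability(Document("hello"), {"read"})  # one CC per object
    out.append(cc.invoke("read")); cc.destroy()
    try: cc.invoke("read")
    except Revoked: out.append("cc revoked")
    sc = SplitCapability("editor")  # one SC shared by two objects
    a = GuardedDocument("a", {"editor": {"read", "write"}})
    b = GuardedDocument("b", {"editor": {"read"}})  # same SC, fewer rights here
    a.invoke(sc, "write", "A"); out.append(a.invoke(sc, "read"))
    try: b.invoke(sc, "write", "B")
    except PermissionError: out.append("b denies write")
    sc.destroy()  # revokes for every object that points at this SC
    try: a.invoke(sc, "read")
    except Revoked: out.append("sc revoked everywhere")
    return out
```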