5.0 Conclusions

The intent of this document has been: (1) to provide a comprehensive overview of the important properties of traditional capability-based systems, (2) to point out the advantages and deficiencies of such systems with regard to the NCSC [TCSEC83] requirements, (3) to outline some possible approaches for the elimination of such deficiencies, and (4) to compare the properties of such systems to those of descriptor-based systems (with which the security community has been somewhat more familiar). Thus, this document can be used as a background document by both evaluators and designers of capability-based systems. In both cases, the reader should make use of the references provided in this document in order to help him understand some of its more subtle conclusions. [For readers with special research and/or development interests in this area, an extensive bibliography is also provided as an appendix to this paper.]

The research work necessary for this paper has led to the following findings. First, the notion of a "traditional" capability-based system can be defined based on a set of properties which are common to many capability-based systems. These properties are found in the areas of capability-based addressing and protection, and they support a number of general security and integrity policies. The discussion of this set of common properties has been essential to the investigation of the TCSEC impact on traditional capability systems. Without such a definition, the impact and corresponding analysis would be questionable at best, because no general conclusions could be drawn from individual case studies.

Second, traditional capability-based systems prevent the implementation of security policy and accountability as required by the TCSEC, and make some aspects of trusted facility management and recovery more difficult than those of other systems. However, there are extensions (to what is defined as traditional capability-based systems) that have been proposed for, and implemented in, experimental systems which allow the support of security policies and accountability mechanisms similar to those of the TCSEC. All such extensions are well within the limits of present-day technology. This suggests that one cannot rule out a priori a system based on capabilities from environments where the requirements of the TCSEC are important. Careful analysis of such systems must be performed to determine that the problems presented above have indeed been solved.

Third, there are advantages and disadvantages of capability-based systems in comparison with descriptor-based systems. Such a comparison is important to the understanding of the fundamental and technological advantages and disadvantages of traditional capability-based systems. The results of such a comparison are easily derived from the discussion of the previous sections. Descriptor-based systems are superior to traditional capability-based systems in support of DoD policies and accountability. Traditional capability-based systems appear superior to descriptor-based systems from the point of view of support for architecture and structuring because of their support for protection domains. However, one must note that the additional mechanisms for the support of protection domains in descriptor-based systems are well within present-day technology. Similarly, extensions to traditional capability systems are possible to alleviate some of their fundamental problems with discretionary and mandatory policy, and with audit.
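The second finding above, as an added illustration that is not part of the original paper and does not model any of the systems it surveys: a toy Python model in which a "traditional" kernel grants access on possession of a capability alone, so a capability legitimately copied from a cleared subject to an uncleared one is honoured regardless of any mandatory policy and leaves no record of who exercised it, beside a constructed extension that compares the object's label with the subject's clearance at every use and logs each decision under the subject's identity. The two-level lattice, the subject and object names, and the single "read" right are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed two-level lattice: a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1}


@dataclass(frozen=True)
class Capability:
    """An unforgeable (object, rights) token; possession alone names the object."""
    object_id: str
    rights: frozenset


@dataclass
class Subject:
    name: str
    clearance: str                      # consulted only by the extended kernel
    c_list: list = field(default_factory=list)


@dataclass
class Obj:
    object_id: str
    label: str                          # consulted only by the extended kernel
    contents: str


class TraditionalKernel:
    """Traditional model: access is granted on possession of a capability alone.
    Capabilities are freely copied between communicating subjects, and the
    kernel keeps no record of which subject exercised which capability."""

    def __init__(self, objects):
        self.objects = {o.object_id: o for o in objects}

    def grant(self, giver, receiver, cap):
        if cap not in giver.c_list:
            raise PermissionError("giver does not hold this capability")
        receiver.c_list.append(cap)

    def read(self, subject, cap):
        if cap not in subject.c_list or "read" not in cap.rights:
            raise PermissionError("no read capability")
        return self.objects[cap.object_id].contents


class ExtendedKernel(TraditionalKernel):
    """Constructed extension: the object label is compared with the subject's
    clearance at every use, and each decision is logged with the subject's
    identity, supplying the mandatory check and the audit trail the
    traditional model lacks."""

    def __init__(self, objects):
        super().__init__(objects)
        self.audit_log = []

    def read(self, subject, cap):
        obj = self.objects[cap.object_id]
        allowed = (cap in subject.c_list
                   and "read" in cap.rights
                   and LEVELS[subject.clearance] >= LEVELS[obj.label])
        self.audit_log.append((subject.name, "read", obj.object_id,
                               "GRANT" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{subject.name} may not read {obj.object_id}")
        return obj.contents


def propagation_scenario(kernel_cls):
    """A cleared subject copies its read capability to an uncleared subject,
    which then reads. Returns (contents or None, audit log or None)."""
    doc = Obj("doc1", "SECRET", "secret contents")          # constructed object
    kernel = kernel_cls([doc])
    alice = Subject("alice", "SECRET", [Capability("doc1", frozenset({"read"}))])
    bob = Subject("bob", "UNCLASSIFIED")
    kernel.grant(alice, bob, alice.c_list[0])   # an ordinary capability copy
    try:
        result = kernel.read(bob, bob.c_list[0])
    except PermissionError:
        result = None
    return result, getattr(kernel, "audit_log", None)


if __name__ == "__main__":
    print("traditional:", propagation_scenario(TraditionalKernel))
    print("extended:   ", propagation_scenario(ExtendedKernel))
```

With the traditional kernel the uncleared subject reads the SECRET object and nothing identifies who did so; with the extension the same sequence is refused and the refusal is attributed to `bob`. The point the model makes is the paper's: the mandatory check and the audit record have to be attached to the act of using a capability, since possession of the capability itself says nothing about the holder.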

References

Almes78 Almes, G. and G. Robertson, "An Extensible for ", Proceedings of the 3rd International Conference on Software Engineering, Atlanta, Georgia, (May 1978), 288-294.

Bell76 Bell, D. and L. J. LaPadula, "Secure Computer Systems: Unified Exposition and MULTICS Interpretation", Mitre Corporation, No. MTR-2997, Revision 1, (March 1976).

Benzel84 Benzel-Vickers, T., "Overview of the SCOMP Architecture and Security Mechanisms", Technical Report (Draft), MITRE-9071, (September 1984).

Birrell80 Birrell, A. D. and R. M. Needham, "A Universal File Server", IEEE Transactions on Software Engineering, (September 1980), 450-453.

Bishop77 Bishop, P. B., "Computer Systems With a Very Large Address Space and Garbage Collection", Ph.D. Thesis, Massachusetts Institute of Technology (available as MIT LCS TR-178), (May 1977).

Boebert82 Boebert, E., "Random Notes", Proceedings of the Workshop on Implementing DoD Multilevel Security Policy on Capability-Based Operating Systems, Mitre TR., M 83-17 (restricted distribution), (October 1982).

Buckingham81 Buckingham, B. R. S., "The SWARD Command Language (CLISWARD)", IBM Systems Research Institute, TR-73-011, New York, NY, (February 1981).

Burroughs78 Burroughs Corp., "B6800 System Reference Manual", Order Form No. 5001290, Detroit, Mich., (1978).

Burroughs82 Burroughs Corp., "B6700 Information Processing Systems - Reference Manual", Order Form No. 1058633, Detroit, Mich., (1982).

Carnall78 Carnall, J. J., "Detail Specification Part I of II for the Security Protection Module (SPM)", Honeywell Inc., Aerospace Division, (May 1978).

Carnall79 Carnall, J. J., "Detail Specification Part II of II for the Security Protection Module (SPM)", Honeywell Inc., Aerospace Division, (March 1979).

Chaum78 Chaum, D. L. and R. S. Fabry, "Implementing Capability-Based Protection Using Encryption", Univ. of California, Berkeley, Memo. UCB/ERL M78/46, (July 1978).

CohenE74 Cohen, E., et al., "HYDRA User's Manual", Internal Paper, Carnegie-Mellon University, (November 1974).

CohenE75 Cohen, E. and D. Jefferson, "Protection in the HYDRA Operating System", Proceedings of the Fifth Symposium on Operating Systems Principles, The University of Texas at Austin, (November 1975), 141-160.

CohenF84 Cohen, F., "Computer Viruses", Proceedings of the Seventh DoD/NBS Computer Security Conference, Gaithersburg, MD, (September 1984), 240-263.

Cook78a Cook, D. J., "The Evaluation of a Protection System", Ph.D. Thesis, Cambridge University Computer Laboratory, (April 1978).

Cook78b Cook, D. J., "Measuring ", Proceedings of the 3rd International Conference on Software Engineering, Atlanta, Georgia, (May 1978), 281-287.

Cook78c Cook, D. J., "Measuring Memory Protection in the CAP Computer", Proceedings of the 2nd International Symposium on Operating Systems, IRIA, France, (October 1978).

Cook79 Cook, D. J., "In Support of Domain Structure for Operating Systems", Proceedings of the 7th Symposium on Operating System Principles, Asilomar, California, (1979).


Cosserat72 Cosserat, D. C., "A Capability Oriented Multi-Processor System for Real-Time Applications", Proceedings of the International Conference on Computer Communications, Washington, D.C., (October 1972), 282-289.

Cosserat74 Cosserat, D. C., "A Data Model Based on the Capability Protection Mechanism", Proceedings of the International Workshop on "Protection in Operating Systems", INRIA, Rocquencourt, France, (August 1974).

Cox82 Cox, G., "Extensions to Support Policy", Proceedings of the Workshop on Implementing DoD Multilevel Security Policy on Capability-Based Operating Systems, Mitre TR., M 83-17 (restricted distribution), (October 1982).

Dahlby82 Dahlby, S., "Security Features of System/38", Proceedings of the Workshop on Implementing DoD Multilevel Security Policy on Capability-Based Operating Systems, Mitre TR., M 83-17 (restricted distribution), (October 1982).

DenningP76 Denning, P. J., "Fault-Tolerant Operating Systems", Computing Surveys, 8:4, (December 1976), 359-389.

Deutsch76 Deutsch, L. P. and D. G. Bobrow, "An Efficient Incremental, Automatic Garbage Collector", Communications of the ACM, 19, (September 1976), 522-526.

Donnelley80 Donnelley, J. E. and J. E. Fletcher, "Resource Access Control in a Network Operating System", Proceedings of ACM Pacific '80, Moon-Lith Press, Mountain View, CA, (1980), 115-125.

England72a England, D. M., "Operating System of System 250", Proceedings of the International Switching Symposium, Boston, Massachusetts, (June 1972), 525-529.

England72b England, D. M., "Architectural Features of System 250", INFOTECH State of the Art Report on Operating Systems, (1972).

England74 England, D. M., "Capability Concept Mechanisms and Structure in System 250", Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, France, (August 1974), 63-82.

Fabry74 Fabry, R. S., "Capability-Based Addressing", Communications of the ACM, 17:7, (July 1974), 403-412.

Feiertag77 Feiertag, R. J., K. N. Levitt and L. Robinson, "Proving Multilevel Security of a System Design", ACM SIGOPS Review, (November 1977), 57-65.

Feiertag79 Feiertag, R. J. and P. G. Neumann, "The Foundations of a Provably Secure Operating System", Proceedings of AFIPS NCC79, (1979), 329.

Ferrie74 Ferrie, J., et al., "An Extensible Structure for Protected Systems Design", Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, France, (August 1974), 83-105.

Galie75 Galie, L., R. Linder, and K. Wilson, "Security Analysis of the TI-ASC", Systems Development Corporation, Technical Memo, TM-WD-6505/000/00, (June 1975).

Gligor76 Gligor, V. D., "A Study of Extensible Architectures", Ph.D. Thesis, University of California, Berkeley, California, (1976).

Gligor77 Gligor, V. D., "Architectural Aspects of Type Extendability", Proceedings of Trends and Applications 1977: Computer Security and Integrity, NBS, Gaithersburg, Maryland, (May 1977).

Gligor79a Gligor, V. D., "Architectural Implications of Abstract Data Type Implementation", University of Maryland, Technical Report 659, (April 1979), 20-30.

Gligor79b Gligor, V. D. and B. G. Lindsay, "Object Migration and Authentication", IEEE Transactions on Software Engineering, 6, SE-5, (November 1979).

Gligor79c Gligor, V. D., "Review and Revocation of Access Privileges Distributed Through Capabilities", IEEE Transactions on Software Engineering, 6, SE-5, (November 1979).

Gligor83 Gligor, V. D., "The Verification of the Protection Mechanisms of High-Level Language Machines", International Journal of Computer and Information Sciences, 2:4, (October 1983).

Graham72 Graham, G. S. and P. J. Denning, "Protection - Principles and Practice", Proceedings of the Spring Joint Computer Conference, 40, (1972), 417-429.

Grampp84 Grampp, F. T. and R. H. Morris, "UNIX Operating System Security", AT&T Bell Laboratories Technical Journal, 63:8, (October 1984), 1649-1672.

Gray72 Gray, J., B. W. Lampson, B. G. Lindsay and R. E. Sturgis, "The Control Structure of an Operating System", IBM Research Report RC-3949, (July 1972).

Halton72 Halton, D., "Hardware of the System 250 for Communication Control", Proceedings of the International Switching Symposium, Boston, Massachusetts, (June 1972).

Hamer-Hodges72 Hamer-Hodges, K. J., "Fault Resistance and Recovery Within System 250", Proceedings of the International Conference on Computer Communication, Washington, D.C., (October 1972), 290-296.

Hardy82 Hardy, N., "Mechanisms in Gnosis to Support Policy", Proceedings of the Workshop on Implementing DoD Multilevel Security Policy on Capability-Based Operating Systems, Mitre TR., M 83-17 (restricted distribution), (October 1982).

Hardy85 Hardy, N., "KeyKOS Architecture", SIGOPS Operating Systems Review, 19:4, (October 1985).

Harrison76 Harrison, M. A., W. L. Ruzzo and J. D. Ullman, "Protection in Operating Systems", Communications of the ACM, 19:8, (August 1976), 461-471.

Haugeland Haugeland, W. S., B. G. Lindsay and D. Redell, "An Integrated Access Control Facility", unpublished.

Herbert79 Herbert, A. J., "A Hardware Supported Protection Architecture", Operating Systems Theory and Practice, D. Lanciaux, editor, North Holland Publishing Co., Amsterdam (reprinted in Wilkes and Needham's book), (1979), 293-306.

Holt73a Holt, R. C. and M. S. Grushcow, "A Short Discussion of Interprocess Communication in the SUE/360/370 Operating System", Proceedings of the ACM SIGPLAN/SIGOPS Interface Meeting, (April 1973), 73-78.

Holt73b Holt, R. C. and M. S. Grushcow, "A Short Discussion of Interprocess Communication in the SUE/360/370 Operating System", SIGPLAN Notices, 8:9, from the Proceedings of the ACM SIGPLAN-SIGOPS Interface Meeting on Programming Languages - Operating Systems, (September 1973), 74-78.

Houdek78 Houdek, M. E. and G. R. Mitchell, "Translating a Large Virtual Address", IBM System/38 Technical Development, IBM General Systems Division, Order Form 0-933186-00-2, (1978), 22-24.

Huskamp78 Huskamp, J. C., "Covert Communication Channels in Timesharing Systems", Ph.D. Thesis, No. UCB-CS-78-02, University of California, Berkeley, Calif., (May 1978).

IBM82 IBM Corp., IBM System/38 Functional Concepts Manual, No. GA21-9330-1, Rochester, MN, (June 1982).

Intel81 Intel Corp., iAPX 432 General Data Processor Architecture Reference Manual, Preliminary Edition, Order No. 171860-001, Aloha, OR, (1981).

Intel83a Intel Corp., "iAPX 286 Operating System Writer's Guide", Order Form 121960, Santa Clara, Calif., (1983).


Intel83b Intel Corp., "iAPX 286 Programmer's Reference Manual", Order Form 210498, Santa Clara, Calif., (1983).

Jones73 Jones, A. K., "Protection in Programming Systems", Ph.D. Thesis, Carnegie-Mellon University, (June 1973).

Jones75a Jones, A. K. and R. J. Lipton, "The Enforcement of Security Policies for Computation", Proceedings of the Fifth Symposium on Operating Systems Principles, The University of Texas at Austin, (November 1975), 197-206.

Jones75b Jones, A. K. and W. A. Wulf, "Towards the Design of Secure Systems", Software Practice and Experience, 5, (1975), 321-336.

Jones78 Jones, A. K., "The Object Model: A Conceptual Tool for Structuring Software", Operating Systems - An Advanced Course, Bayer, Graham, and Segmuller, Eds., New York: Springer-Verlag, (1978), 7-16.

Jones79 Jones, A. K., R. J. Chansler, Jr., I. Durham, J. Mohan, K. Schwans and S. Vegdahl, "StarOS, a Multiprocessor Operating System", Proceedings of the 7th Symposium on Operating Systems Principles, ACM/SIGOPS, Pacific Grove, California, (December 10-12, 1979).

Kahn81 Kahn, K. C., W. M. Corwin, T. D. Dennis, H. D'Hooge, D. E. Hubka, L. A. Hutchins, J. T. Monteague, F. J. Pollack and M. R. Gifkins, "iMAX: A Multiprocessor Operating System for an Object-Based Computer", Proceedings of the 8th Symposium on Operating System Principles, Asilomar, California, (1981).

Kain87 Kain, R. Y. and C. E. Landwehr, "Access Checking in Capability-Based Systems", IEEE Transactions on Software Engineering, SE-13:2, (February 1987), 202-207.

Karger84 Karger, P. A. and A. J. Herbert, "An Augmented Capability Architecture to Support Lattice Security and Traceability of Access...", Proceedings of the 1984 IEEE Symposium on Security and Privacy, Oakland, California, (1984).

Lampson69a Lampson, B. W., "On Reliable and Extendable Operating Systems", Techniques in Software Engineering, II, NATO Science Committee Workshop Material, (same as "An Overview of the CAL Timesharing System"), (September 1969).

Lampson71 Lampson, B. W., "Protection", Proceedings of the Fifth Annual Princeton Conference on Information Sciences and Systems, Princeton University, Princeton, New Jersey, (March 1971), 437-443.

Lampson72 Lampson, B. W., "Protection and Access Control in Operating Systems", INFOTECH State of the Art Report on Operating Systems, C. Boon, Editor, Maidenhead, England, INFOTECH Information Ltd., (1972), 309-326.

Lampson73 Lampson, B. W., "A Note on the Confinement Problem", Communications of the ACM, 16:10, (October 1973), 613-615.

Lampson76 Lampson, B. W. and H. E. Sturgis, "Reflections on an Operating System Design", Communications of the ACM, 19:5, (May 1976), 251-265.

Leaman72 Leaman, R. J., "System 250 - Security Philosophy", Proceedings of the Conference on Systems and Technology, The Institute of Electronic and Radio Engineers, London, England, (October 1972), 189-200.

Levin75 Levin, R., et al., "Policy/Mechanism Separation in HYDRA", Proceedings of the Fifth Symposium on Operating Systems Principles, The University of Texas at Austin, (November 1975), 132-140.

Levin77 Levin, R., "Protection Structures for Exceptional Condition Handling", Ph.D. Thesis, Carnegie-Mellon University, Pittsburgh, PA, (June 1977).

Linden74 Linden, T. A., "Capability-Based Addressing to Support Software Engineering and System Security", Proceedings of the Third Texas Conference on Computing Systems, University of Texas at Austin, (November 1974), 8-5-1 - 8-5-6.

Linden76 Linden, T. A., "Operating System Structures to Support Security and Reliable Software", Computing Surveys, 8:4, (December 1976), 409-445.

Lindsay73 Lindsay, B. G., "Suggestions for an Extensible Capability-Based Machine Architecture", International Workshop on Computer Architecture, Grenoble, France, (June 1973).

Montgomery77 Montgomery, W., "Measurements of Sharing in Multics", Proceedings of the 6th Symposium on Operating Systems Principles, West Lafayette, IN, (1977).

Murphy72 Murphy, D. L., "Storage Organization and Management in TENEX", Proceedings of the AFIPS 1972 FJCC, 41, AFIPS Press, Montvale, New Jersey, (1972), 231-232.

Myers77 Myers, G. J., "The Design of Computer Architectures to Enhance Software Reliability", Ph.D. Thesis, Polytechnic Institute of New York, (December 1977).

Myers78 Myers, G. J., "Storage Concepts in a Software-Reliability-Directed Computer Architecture", Proceedings of the 5th Annual Symposium on Computer Architecture, New York, (1978).

Myers80 Myers, G. J. and B. R. S. Buckingham, "A Hardware Implementation of Capability-Based Addressing", Operating Systems Review, XIV:4, (October 1980), 13-25.

Myers82 Myers, G. J., "Advances in Computer Architectures", John Wiley and Sons (2nd ed.), (1982).

Needham72 Needham, R. M., "Protection Systems and Protection Implementations", Proceedings of the AFIPS 1972 Fall Joint Computer Conference, 41, (1972), 571-578.

Needham74a Needham, R. M. and M. V. Wilkes, "Domains of Protection and the Management of Processes", The Computer Journal, 17:2, (May 1974), 117-120.


Needham74b Needham, R. M. and R. D. H. Walker, "Protection and Process Management in the 'CAP' Computer", Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, France, (August 1974), 155-160.

Needham74c Needham, R. M., "Protection - A Current Research Area in Operating Systems", International Computing Symposium, A. Gunther, B. Levrat and H. Lipps, Editors, American Elsevier Publishing, New York, (1974), 123-126.

Needham77a Needham, R. M. and A. D. Birrell, "The CAP Filing System", Proceedings of the 6th Symposium on Operating System Principles, West Lafayette, Indiana, (1977).

Needham77b Needham, R. M. and R. D. H. Walker, "The Cambridge CAP Computer and Its Protection System", Proceedings of the 6th Symposium on Operating System Principles, West Lafayette, Indiana, (1977).

Needham77c Needham, R. M., "The CAP Project - An Interim Evaluation", Proceedings of the 6th Symposium on Operating System Principles, West Lafayette, Indiana, (1977).

Needham82 Needham, R. M. and A. J. Herbert, "The Cambridge Distributed Computing System", International Computer Science Series, Addison-Wesley, (1982).

Nessett82 Nessett, D. M., "Identifier Protection in a Distributed Operating System", Operating System Review, (January 1982).

Neumann74 Neumann, P. G., et al., "On the Design of a Provably Secure Operating System", Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, France, (August 1974), 161-175.

Neumann75 Neumann, P. G., et al., "A Provably Secure Operating System", SRI Technical Report Project 2581, (June 1975).

Neumann77 Neumann, P. G., et al., "The Provably Secure Operating System", SRI Report (also RFP Maryland Procurement Office 1979), (1977).

Organick72 Organick, E. I., The MULTICS System: An Examination of Its Structure, MIT Press, Cambridge, Massachusetts, (1972).

Philips73 Philips, E. C., "Central Processor - General Purpose Reference Manual", Report No. 97173/37ffR, Doc. No. CDS 7305001 (Issue 3), Plessey Telecommunications Research Ltd., (May 1973).

Pollack81 Pollack, F., K. Kahn and R. Wilkinson, "The iMAX-432 Object Filing System", Proceedings of the 8th Symposium on Operating System Principles, Asilomar, California, (1981).

Prime79 Prime Computer, Inc., The System Architecture Reference Guide PDR3060, Framingham, Mass., (April 1979).

Redell74a Redell, D. D. and R. S. Fabry, "Selective Revocation of Capabilities", Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, France, (August 1974), 197-209.

Redell74b Redell, D. D., "Naming and Protection in Extensible Operating Systems", Ph.D. Thesis, University of California, Berkeley, MAC-TR-140, MIT, Cambridge, Massachusetts, (November 1974).

Repton72 Repton, C. S., "Reliability Assurance for System 250 - A Reliable Real-Time Control System", Proceedings of the International Conference on Computer Communications, Washington, D.C., (October 1972), 297-305.

Saltzer74 Saltzer, J. R., "The Protection and Control of Information Sharing in MULTICS", Communications of the ACM, 17:7, (July 1974), 388-402.

Saltzer75 Saltzer, J. R. and M. D. Schroeder, "The Protection of Information in Computer Systems", Proceedings of the IEEE, 63:9, (September 1975), 1278-1308.

Schroeder72a Schroeder, M. D. and J. H. Saltzer, "A Hardware Architecture for Implementing Protection Rings", Communications of the ACM, 15:3, (March 1972), 157-170.

Schroeder72b Schroeder, M. D., "Cooperation of Mutually Suspicious Subsystems in a Computer Utility", Ph.D. Thesis, Project MAC TR-104, MIT, Cambridge, Massachusetts, (September 1972).

Sevcik72 Sevcik, K. C., et al., "Project SUE as a Learning Experience", Proceedings of the Fall Joint Computer Conference, 41, (1972), 331-339.

Sevcik74 Sevcik, K. C. and D. C. Tsichritzis, "Authorization and Access Control Within Overall System Design", Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, France, (August 1974), 211-224.

Shields79 Shields, R., "Prime - The Assembly Language Programmer's Guide", Prime Computers, Inc., Framingham, Mass., (March 1979).

Slinn76a Slinn, C. J., CAP System Programmers Manual, Version 1.8, ed., University of Cambridge Computer Laboratory, Cambridge, England, (June 1976).

Slinn76b Slinn, C. J., CHAOS Manual, Version 1.1, ed., University of Cambridge Computer Laboratory, Cambridge, England, (July 1976).

Slinn76c Slinn, C. J., CAP Hardware Manual, Version 1.3, ed., University of Cambridge Computer Laboratory, Cambridge, England, (July 1976).

Slinn77 Slinn, C. J., "Aspects of Capability-Based Operating System", Ph.D. Thesis, University of Cambridge, (February 1977).

Sturgis74 Sturgis, H. E., "A Postmortem for a Timesharing System", Ph.D. Thesis, Xerox PARC Technical Report 74-1, (January 1974).

TCSEC83 Department of Defense Computer Security Center, "Trusted Computer Systems Evaluation Criteria", Final Draft, (August 1983).


Tsichritzis Tsichritzis, D., "A Capability Based File System", source publication unknown.

Walker73 Walker, R. D. H., "The Structure of a Well-Protected Computer", Ph.D. Thesis, University of Cambridge, (1973).

Wilkes79 Wilkes, M. V. and R. M. Needham, The Cambridge CAP Computer and Its Operating System, Elsevier North Holland, New York, (1979).

Wilkes84 Wilkes, M. V., "Security Management and Protection - A Personal Approach", The Computer Journal, 27:1, (1984).

Wulf74 Wulf, W. A., et al., "HYDRA: The Kernel of a Multiprocessing Operating System", Communications of the ACM, 17:6, (June 1974), 337-345.

Wulf75 Wulf, W. A., R. Levin and C. Pierson, "Overview of the HYDRA Operating System Development", Proceedings of the Fifth Symposium on Operating Systems Principles, The University of Texas at Austin, (November 1975), 122-131.

Wulf81 Wulf, W. A., R. Levin and S. P. Harbison, HYDRA/C.mmp: An Experimental Computer System, McGraw-Hill, New York, (1981).
