OSDev.org

 Post subject: How do capability systems work?
PostPosted: Sun Jun 05, 2022 4:27 pm 
Joined: Sun Jun 05, 2022 4:16 pm
Posts: 5
Hello,

I read about microkernels, and capabilities were mentioned. I couldn't find out how they work/are implemented. I read that they kinda are like unix file handlers, but when I looked at how seL4 does it, it seemed different.

I don't know much about OS development. I know C, virtual memory, security rings and kernel mode. Please keep that in mind.

TIA


 Post subject: Re: How do capability systems work?
PostPosted: Mon Jun 06, 2022 2:37 am 
Joined: Mon Jul 05, 2021 6:57 pm
Posts: 118
Quote:
I read that they kinda are like unix file handlers

You mean file handles, I think. And yes, they are - in the sense that file handles are capabilities; they represent the capability to perform certain operations on a file. In a true capability-based system however you probably don't obtain most capabilities by something as simple as a call to open(...); the point is that capabilities are granted (from other processes for example).

Quote:
I couldnt find out how they work/are implemented.

There's no one way to do it.

Quote:
when i looked how seL4 does it, it seemed different.

Well then, you've seen one way to do it. So your question seems a bit vague. What exactly are you asking?


 Post subject: Re: How do capability systems work?
PostPosted: Mon Jun 06, 2022 6:11 am 
Joined: Sun Jun 05, 2022 4:16 pm
Posts: 5
Thanks for your reply. The problem with the way seL4 does it is that I don't understand it. The only way I could think of to implement capabilities is that every process has an array of capabilities, and each process identifies its capabilities internally by using an index into that array. Is this a way capabilities are implemented, or is it bad?

And what must a capability be able to represent? I could think of a pointer to local memory or a reference to another capability, and that seems enough to me.


 Post subject: Re: How do capability systems work?
PostPosted: Mon Jun 06, 2022 1:49 pm 
Joined: Wed Aug 30, 2017 8:24 am
Posts: 1593
Unless I severely misunderstood what a capability is, that is not it. A capability is an entitlement a privileged entity grants to a non-privileged entity, typically a kernel to a process. So the process asks the kernel for a capability, and the kernel grants or denies the request. If the capability is granted, then it can be used in further API calls to the privileged entity to do things. Consider file handles again: A normal process cannot write on disk. It lacks the access needed to perform raw I/O on the disk itself, and typically, an application doesn't want that, either (imagine having to add partition tables and file systems to Chromium). But file handles are a way for the kernel to allow a process to perform disk I/O in a way that is safe for the users of the system.

You should not mix up those capabilities with the Linux mechanism for partial root privilege. Those are also called capabilities, but are not capabilities in the sense of this discussion.

What a capability actually is in the kernel API is up to you. But they must somehow refer to kernelspace objects, clearly identifying what is being allowed and what isn't. That way, not only do you reduce the usable surface area for an attacker, you also make it possible for subprocesses to inherit capabilities, which I contend is absolutely crucial.

_________________
Carpe diem!


 Post subject: Re: How do capability systems work?
PostPosted: Mon Jun 06, 2022 4:11 pm 
Joined: Sun Jun 05, 2022 4:16 pm
Posts: 5
Thanks for your reply.

Are file handles capabilities or not? To my knowledge they only grant access to a single resource, can't be forged, can have different privileges and can be copied (locally). Conceptually the only way they seem different to me is that they can't be shared with other processes.

And can a process pass a capability for one of its local resources to another process? Or is that not required?


 Post subject: Re: How do capability systems work?
PostPosted: Mon Jun 06, 2022 4:40 pm 
Joined: Mon Jul 05, 2021 6:57 pm
Posts: 118
bmj wrote:
Are file handles capabilities or not? To my knowledge they only grant access to a single resource, can't be forged, can have different privileges and can be copied (locally).

Mostly, yes. But: technically in unix there are "file descriptors" and "file descriptions" and "file handle" is not a correct term. A file descriptor is just a token (an integer) which identifies a file description. You can look at file descriptors as being capabilities which provide access to a file description and to operations on the file it refers to.

But, compared with "traditional" capabilities, file descriptors/descriptions are not fine grained.

bmj wrote:
Conceptually the only way they seem different to me, is that they cant be shared with other processes.

File descriptions can be shared with other processes. Every time a process forks the child inherits its file descriptors and the file descriptions they refer to (this can be suppressed but it is the default). File descriptions can also be transferred to other processes via unix sockets.

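davmac314's two points above (the child of fork() inherits descriptors, and a file description can be handed to another process over a unix socket) are what make a descriptor behave like a delegable capability. Here is an added example showing the transfer; it is not code from this thread or from any poster. It uses the real SCM_RIGHTS mechanism, but the function names send_fd, recv_fd and demo_delegate_pipe and the sample payload are my own. For brevity both ends of the socketpair live in one process; between a parent and a forked child, or two unrelated processes connected by a unix socket, the calls are identical. Linux/POSIX only.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>

/* Room in the ancillary data for exactly one descriptor. */
#define FD_CMSG_SPACE CMSG_SPACE(sizeof(int))

/* Send `fd` over the unix socket `sock`. The kernel installs a reference to
 * the same open file description in the receiver's table; the receiver gets
 * its own descriptor number for it. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    char byte = 'F';                       /* SCM_RIGHTS needs at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[FD_CMSG_SPACE]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(). Returns the new fd, or -1. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[FD_CMSG_SPACE]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Scenario: the holder of a pipe's read end hands it to a peer over a
 * socketpair and then closes its own copy; the peer reads through the copy
 * it received. Returns the number of bytes read via the received
 * descriptor, or -1 on failure. */
int demo_delegate_pipe(char *out, size_t outlen)
{
    const char *payload = "hello via cap";   /* constructed sample data */
    int p[2], sv[2];
    if (pipe(p) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (write(p[1], payload, strlen(payload)) < 0) return -1;
    close(p[1]);

    if (send_fd(sv[0], p[0]) < 0) return -1;
    int got = recv_fd(sv[1]);
    if (got < 0) return -1;

    /* A different number, but the same open file description underneath. */
    struct stat a, b;
    if (fstat(p[0], &a) < 0 || fstat(got, &b) < 0) return -1;
    if (got == p[0] || a.st_ino != b.st_ino || a.st_dev != b.st_dev) return -1;

    /* Descriptors survive exec() by default; opt this one out, as the
     * post says inheritance can be suppressed. */
    if (fcntl(got, F_SETFD, FD_CLOEXEC) < 0) return -1;

    close(p[0]);                            /* the original holder lets go */
    ssize_t n = read(got, out, outlen - 1); /* the delegated copy still works */
    if (n < 0) return -1;
    out[n] = '\0';
    close(got); close(sv[0]); close(sv[1]);
    return (int)n;
}
```

The fstat check is the point worth noticing: the receiver's integer is unrelated to the sender's, so a capability index is only meaningful inside the table it came from, while the file description (and its access mode, which was fixed at open()) is what actually travels.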

 Post subject: Re: How do capability systems work?
PostPosted: Mon Jun 06, 2022 4:55 pm 
Joined: Mon Jul 05, 2021 6:57 pm
Posts: 118
Quote:
And can a process pass a capability, for one of its local ressources, to another process? Or is that not required?

It's not part of the definition of capability, but it's a fundamental piece of how capability systems work.

Also, since you were asking about implementation, wikipedia has this to say:

Quote:
A capability is typically implemented as a privileged data structure that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. The user does not access the data structure or object directly, but instead via a handle. In practice, it is used much like a file descriptor in a traditional operating system (a traditional handle), but to access every object on the system. Capabilities are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to). Some systems have also been based on capability-based addressing (hardware support for capabilities), such as Plessey System 250.


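The Wikipedia description quoted above and bmj's "array of capabilities per process, named by index" idea earlier in the thread are the same design. As an added example, not code from this thread and not seL4's actual API, here is a toy version of that table in C: the capability (object pointer plus rights bits) lives only in kernel memory, user space names it by slot index, every "syscall" re-resolves the index and checks rights, and copying into another process's table attenuates rights and requires a grant right. All names (cap_mint, cap_grant, cspace_t, R_GRANT and so on) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy kernel capability table: one array of (object, rights) per process,
 * addressed from user space only by slot index. Hypothetical names, not seL4. */

enum { R_READ = 1u << 0, R_WRITE = 1u << 1, R_GRANT = 1u << 2 };   /* rights bits */
enum { E_OK = 0, E_BADHANDLE = -1, E_NORIGHT = -2, E_FULL = -3 };  /* syscall results */

typedef struct { char data[32]; } kobject_t;                 /* some kernel object */
typedef struct { kobject_t *obj; uint32_t rights; } cap_t;   /* lives in kernel memory only */

#define CSPACE_SLOTS 8
typedef struct { cap_t slot[CSPACE_SLOTS]; } cspace_t;       /* one table per process */

/* Resolve a user-supplied handle. The table is kernel memory, so a process
 * cannot forge rights or retarget a slot; a guessed index just fails here. */
static cap_t *lookup(cspace_t *cs, int handle)
{
    if (handle < 0 || handle >= CSPACE_SLOTS || cs->slot[handle].obj == NULL)
        return NULL;
    return &cs->slot[handle];
}

/* Kernel side: put a capability into the first free slot, return its handle. */
int cap_mint(cspace_t *cs, kobject_t *obj, uint32_t rights)
{
    for (int i = 0; i < CSPACE_SLOTS; i++) {
        if (cs->slot[i].obj == NULL) {
            cs->slot[i] = (cap_t){ obj, rights };
            return i;
        }
    }
    return E_FULL;
}

/* "Syscalls": each one resolves the handle and checks rights in the kernel. */
int cap_read(cspace_t *cs, int handle, char *out, size_t n)
{
    cap_t *c = lookup(cs, handle);
    if (!c) return E_BADHANDLE;
    if (!(c->rights & R_READ)) return E_NORIGHT;
    snprintf(out, n, "%s", c->obj->data);
    return E_OK;
}

int cap_write(cspace_t *cs, int handle, const char *in)
{
    cap_t *c = lookup(cs, handle);
    if (!c) return E_BADHANDLE;
    if (!(c->rights & R_WRITE)) return E_NORIGHT;
    snprintf(c->obj->data, sizeof c->obj->data, "%s", in);
    return E_OK;
}

/* Copy a capability into a cspace (its own, or another process's), keeping
 * only the rights in `mask`. The AND enforces attenuation: a copy can never
 * carry a right its source lacks. Handing it to another process also needs
 * R_GRANT on the source. */
int cap_grant(cspace_t *from, int handle, uint32_t mask, cspace_t *to)
{
    cap_t *c = lookup(from, handle);
    if (!c) return E_BADHANDLE;
    if (from != to && !(c->rights & R_GRANT)) return E_NORIGHT;
    return cap_mint(to, c->obj, c->rights & mask);
}

int cap_delete(cspace_t *cs, int handle)
{
    cap_t *c = lookup(cs, handle);
    if (!c) return E_BADHANDLE;
    *c = (cap_t){ NULL, 0 };
    return E_OK;
}

/* Delegation scenario between two processes a and b. Returns how many of the
 * seven expected outcomes were observed. */
int demo_delegation(void)
{
    kobject_t file = {0};                   /* constructed sample object */
    cspace_t a = {0}, b = {0};
    char buf[32];
    int ok = 0;

    int ha = cap_mint(&a, &file, R_READ | R_WRITE | R_GRANT);
    ok += (cap_write(&a, ha, "hello") == E_OK);

    int hb = cap_grant(&a, ha, R_READ, &b);                    /* delegate read-only */
    ok += (cap_read(&b, hb, buf, sizeof buf) == E_OK && strcmp(buf, "hello") == 0);
    ok += (cap_write(&b, hb, "tamper") == E_NORIGHT);          /* attenuated copy */
    ok += (cap_grant(&b, hb, R_READ, &a) == E_NORIGHT);        /* b may not re-delegate */
    ok += (cap_read(&b, 5, buf, sizeof buf) == E_BADHANDLE);   /* guessed index */

    int hb2 = cap_grant(&b, hb, R_READ | R_WRITE, &b);        /* asks for more, gets read only */
    ok += (cap_write(&b, hb2, "tamper") == E_NORIGHT);

    /* Deleting a's slot leaves b's copy intact: copying is not revocation. */
    ok += (cap_delete(&a, ha) == E_OK && cap_read(&b, hb, buf, sizeof buf) == E_OK);
    return ok;
}
```

Two design points worth noticing in the toy: the handle is meaningless outside the table it indexes (hb in b is unrelated to ha in a), and deleting a slot only drops that one reference, so a real system needs a separate revocation mechanism (seL4, for instance, tracks derivations so a parent capability can revoke its descendants) if the granter wants to take delegated access back.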