Access control systems must be evaluated in part on how well they enable one to distribute the access rights needed for cooperation, while simultaneously limiting the propagation of rights which would create vulnerabilities. Analysis to date implicitly assumes access is controlled only by manipulating a system’s protection state – the arrangement of the access graph. Because of the limitations of this analysis, capability systems have been ”proven” unable to enforce some basic policies: revocation, confinement, and the *-properties (explained in the text).

In actual practice, programmers build access abstractions – programs that help control access, extending the kinds of access control that can be expressed. Working in Dennis and van Horn’s original capability model, we show how abstractions were used in actual capability systems to enforce the above policies. These simple, often tractable programs limited the rights of arbitrarily complex, untrusted programs. When analysis includes the possibility of access abstractions, as it must, the original capability model is shown to be stronger than is commonly supposed.


Access Control Capability System Access Control Model Incoming Message Security Officer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Abelson86]
    Abelson, H., Sussman, G.: Structure and Interpretation of Computer Programs. MIT Press, Cambridge (1986)Google Scholar
  2. [Bell74]
    Bell, D.E., LaPadula, L.: Secure Computer Systems. ESD-TR-83-278, Mitre Corporation, vI and II (November 1973), vIII (April 1974)Google Scholar
  3. [Bishop79]
    Bishop, M., Snyder, L.: The Transfer of Information and Authority in a Protection System. In: SOSP 1979, pp. 45–54 (1979)Google Scholar
  4. [Boebert84]
    Boebert, W.E.: On the Inability of an Unmodified Capability Machine to Enforce the *-Property. In: Proceedings of 7th DoD/NBS Computer Security Conference, September 1984, pp. 291–293 (1984), Scholar
  5. [Boebert03]
    (Comments on [Miller03]) 001133.html Google Scholar
  6. [Cartwright91]
    Cartwright, R., Fagan, M.: Soft Typing. In: Proceedings of the SIGPLAN 1991 Conference on Programming Language Design and Implementation (1991)Google Scholar
  7. [Chander01]
    Chander, A., Dean, D., Mitchell, J.C.: A State-Transition Model of Trust Management and Access Control. In: Proceedings of the 14th Computer Security Foundations Workshop, June 2001, pp. 27–43 (2001)Google Scholar
  8. [Crockford97]
    Crockford, D.: Personal Communications (1997)Google Scholar
  9. [Dennis66]
    Dennis, J.B., Van Horn, E.C.: Programming Semantics for Multiprogrammed Computations. Communications of the ACM 9(3), 143–155 (1966)zbMATHCrossRefGoogle Scholar
  10. [Donnelley76]
    Donnelley, J.E.: A Distributed Capability Computing System. In: Third International Conference on Computer Communication, Toronto, Canada (1976)Google Scholar
  11. [Doorn96]
    van Doorn, L., Abadi, M., Burrows, M., Wobber, E.P.: Secure Network Objects. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 211–221 (1996)Google Scholar
  12. [Fabry74]
    Fabry, R.S.: Capability-based addressing. Communications of the ACM 17(7), 403–412 (1974)CrossRefGoogle Scholar
  13. [Goldberg76]
    Goldberg, A., Kay, A.: Smalltalk-72 instruction manual. Technical Report SSL 76-6, Learning Research Group, Xerox Palo, Alto Research Center (1976),
  14. [Gong89]
    Gong, L.: A Secure Identity-Based Capability System. In: Proceedings of the 1989 IEEE Symposium on Security and Privacy, pp. 56–65 (1989)Google Scholar
  15. [Hardy85]
    Hardy, N.: The KeyKOS Architecture. ACM Operating Systems Review, pp. 8–25 (September 1985),
  16. [Hardy86]
    Hardy, N.: U.S. Patent 4,584,639: Computer Security System,Google Scholar
  17. [Harrison76]
    Harrison, M.A., Ruzzo, M.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  18. [Hewitt73]
    Hewitt, C., Bishop, P., Stieger, R.: A Universal Modular Actor Formalism for Artificial Intelligence. In: Proceedings of the 1973 International Joint Conference on Artificial Intelligence, pp. 235–246 (1973)Google Scholar
  19. [Jones76]
    Jones, A.K., Lipton, R.J., Snyder, L.: A Linear Time Algorithm for Deciding Security. FOCS, 33–41 (1976)Google Scholar
  20. [Kahn88]
    Kahn, K., Miller, M.S.: Language Design and Open Systems. In: Huberman, B. (ed.) Ecology of Computation. Elsevier Science Publishers, North-Holland (1988)Google Scholar
  21. [Kain87]
    Kain, R.Y., Landwehr, C.E.: On Access Checking in Capability-Based Systems. In: IEEE Symposium on Security and Privacy (1987)Google Scholar
  22. [Karger84]
    Karger, P.A., Herbert, A.J.: An Augmented Capability Architecture to Support Lattice Security and Traceability of Access. In: Proc. of the 1984 IEEE Symposium on Security and Privacy, pp. 2–12 (1984)Google Scholar
  23. [Kelsey98]
    Kelsey, R., Clinger, W., Rees, J. (eds.): Revised5̂ Report on the Algorithmic Language Scheme. ACM Sigplan Notices (1998)Google Scholar
  24. [Lampson73]
    Lampson, B.W.: A Note on the Confinement Problem. CACM on Operating Systems 16(10) (October 1973)Google Scholar
  25. [Miller87]
    Miller, M.S., Bobrow, D.G., Tribble, E.D., Levy, J.: Logical Secrets. In: Shapiro, E. (ed.) Concurrent Prolog: Collected Papers. MIT Press, Cambridge (1987)Google Scholar
  26. [Miller96]
    Miller, M.S., Krieger, D., Hardy, N., Hibbert, C., Tribble, E.D.: An Automatic Auction in ATM Network Bandwidth. In: Clearwater, S.H. (ed.) Market-based Control, A Paradigm for Distributed Resource Allocation. World Scientific, Palo Alto (1996)Google Scholar
  27. [Miller00]
    Miller, M.S., Morningstar, C., Frantz, B.: Capability-based Financial Instruments. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, p. 349. Springer, Heidelberg (2001), CrossRefGoogle Scholar
  28. [Miller03]
    Miller, M.S., Yee, K. -P., Shapiro, J. S.: Capability Myths Demolished, HP Labs Technical Report (in preparation),
  29. [Morris73]
    Morris, J.H.: Protection in Programming Languages. CACM 16(1), 15–21 (1973), zbMATHGoogle Scholar
  30. [Motwani00]
    Motwani, R., Panigrahy, R., Saraswat, V., Venkatasubramanian, S.: On the Decidability of Accessibility Problems. AT&T Labs – Research,
  31. [Neumann80]
    Neumann, P.G., Boyer, R.S., Feiertag, R.J., Levitt, K.N., Robinson, L.: A Provably Secure Operating System: The System, Its Applications, and Proofs, CSL-116, Computer Science Laboratory, SRI International, Inc. (May 1980)Google Scholar
  32. [Parnas72]
    Parnas, D.: On the Criteria To Be Used in Decomposing Systems into Modules. CACM 15(12) (December 1972),
  33. [Rajunas89]
    Rajunas, S.A.: The KeyKOS/KeySAFE System Design. Key Logic, Inc., SEC009-01 (March 1989)Google Scholar
  34. [Redell74]
    Redell, D.D.: Naming and Protection in Extendible Operating Systems. Project MAC TR-140, MIT (Ph. D. thesis.) (November 1974)Google Scholar
  35. [Rees96]
    Rees, J.: A Security Kernel Based on the Lambda-Calculus. MIT AI Memo No. 1564. MIT, Cambridge (1996), Google Scholar
  36. [Safra86]
    Safra, M., Shapiro, E.Y.: Meta Interpreters for Real. In: Kugler, H.-J. (ed.) Information Processing 1986, pp. 271–278. North-Holland, Amsterdam (1986)Google Scholar
  37. [Saltzer75]
    Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)CrossRefGoogle Scholar
  38. [Sansom86]
    Sansom, R.D., Julian, D.P., Rashid, R.: Extending a Capability Based System Into a Network Environment. Research sponsored by DOD, pp. 265–274 (1986)Google Scholar
  39. [Saraswat03]
    Saraswat, V., Jagadeesan, R.: Static support for capability-based programming in Java,
  40. [Shapiro99]
    Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: A Fast Capability System. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles, December 1999, pp. 170–185 (1999)Google Scholar
  41. [Shapiro00]
    Shapiro, J.S., Weber, S.: Verifying the EROS Confinement Mechanism. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 166–176 (2000)Google Scholar
  42. [Sitaker00]
    Sitaker, K.: Thoughts on Capability Security on the Web,
  43. [Stiegler02]
    Stiegler, M., Miller, M.: A Capability Based Client: The DarpaBrowser,
  44. [Tanenbaum86]
    Tanenbaum, A.S., Mullender, S.J., van Renesse, R.: Using Sparse Capabilities in a Distributed Operating System. In: Proceedings of 6th International Conference on Distributed Computing Systems, pp. 558–563 (1986)Google Scholar
  45. [Tribble95]
    Tribble, E.D., Miller, M.S., Hardy, N., Krieger, D.: Joule: Distributed Application Foundations (1995),
  46. [Roy02]
    Van Roy, P., Haridi, S.: Concepts, Techniques, and Models of Computer Programming. MIT Press, Cambridge (in preparation),
  47. [Wagner02]
    Wagner, D., Tribble, D.: A Security Analysis of the Combex DarpaBrowser Architecture,
  48. [Wallach97]
    Wallach, D.S., Balfanz, D., Dean, D., Felten, E.W.: Extensible Security Architectures for Java. In: Proceedings of the 16th Symposium on Operating Systems Principles, pp. 116–128 (1997),
  49. [Wilkes79]
    Wilkes, M.V., Needham, R.M.: The Cambridge CAP Computer and its Operating System. Elsevier North Holland, Amsterdam (1979)Google Scholar
  50. [Wulf74]
    Wulf, W.A., Cohen, E.S., Corwin, W.M., Jones, A.K., Levin, R., Pierson, C., Pollack, F.J.: HYDRA: The Kernel of a Multiprocessor Operating System. Communications of the ACM 17(6), 337–345 (1974)CrossRefGoogle Scholar
  51. [Wulf81]
    Wulf, W.A., Levin, R., Harbison, S.P.: HYDRA/C.mmp: An Experimental Computer System. McGraw Hill, New York (1981)Google Scholar
  52. [Yee03]
    Yee, K.-P., Miller, M.S.: Auditors: An Extensible, Dynamic Code Verification Mechanism,

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Mark S. Miller
    • 1
  • Jonathan S. Shapiro
    • 2
  1. 1.Hewlett Packard LaboratoriesJohns Hopkins University 
  2. 2.Johns Hopkins University 

Personalised recommendations