Capability-based addressing

From Wikipedia, the free encyclopedia

In computer science, capability-based addressing is a scheme used by some computers to control access to memory as an efficient implementation of capability-based security. Under a capability-based addressing scheme, pointers are replaced by protected objects (called capabilities) that can be created only through the use of privileged instructions which may be executed only by either the kernel or some other privileged process authorised to do so. Thus, a kernel can limit application code and other subsystems access to the minimum necessary portions of memory (and disable write access where appropriate), without the need to use separate address spaces and therefore require a context switch when an access occurs.

Practical implementations[edit]

Two techniques are available for implementation:

  • Require capabilities to be stored in a particular area of memory that cannot be written to by the process that will use them. For example, the Plessey System 250 required that all capabilities be stored in capability-list segments.
  • Extend memory with an additional bit, writable only in supervisor mode, that indicates that a particular location is a capability. This is a generalization of the use of tag bits to protect segment descriptors in the Burroughs large systems, and it was used to protect capabilities in the IBM System/38.

Capability addressing in the IBM System/38 and AS/400[edit]

The System/38 CPF operating system supported two types of object pointer – authorized pointers which implemented capability-based addressing, and unauthorized pointers which did not.[1] Both types of pointer could only be manipulated using privileged instructions, and differed only by whether or not object authorizations (i.e. access rights) were encoded in the contents of the pointer. Unauthorized pointers lacked object authorizations, and required the operating system to look up the authorization when the pointer was used. Authorized pointers encoded object authorizations and were irrevocable by design. Early versions of the OS/400 operating system for the AS/400 also supported authorized pointers, and by extension capability-based addressing. However, authorized pointers were removed in the V1R3 release of OS/400 as their irrevocable nature became seen as a security liability.[2] All versions of OS/400 (later IBM i) since rely solely on unauthorized pointers which do not support capability-based addressing.

Chronology of systems adopting capability-based addressing[edit]


  1. ^ Levy, Henry M. (2014-05-16). "The IBM System/38" (PDF). Capability-Based Computer Systems. Digital Press. ISBN 978-1-4831-0106-4.
  2. ^ Soltis, Frank (1997). Inside the AS/400 – Featuring the AS400e series (2nd ed.). Duke Press. ISBN 978-1-882419-66-1.

Further reading[edit]

External links[edit]