
From https://en.wikipedia.org/wiki/Capability-based_security

Capability-based security is to be contrasted with an approach that uses hierarchical protection domains.

From https://en.wikipedia.org/wiki/Protection_ring

Hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behaviour (by providing computer security). This approach is diametrically opposite to that of capability-based security.

Are capability-based security and hierarchical protection domains for different purposes? Or are they different methods for the same purpose?

In what sense are the two approaches completely opposite to each other?


1 Answer


In capability-based security, programs follow the principle of least privilege as stated on Wikipedia. This means that each program has almost no permissions to begin with and permissions are then granted for only the parts that the program needs. This is generally done on a much higher level than hierarchical protection domains.

In hierarchical protection domains, there are essentially layers that each contain certain permissions. Programs in more privileged levels have more permissions. In this way, programs do not start off with no permissions and may be granted lots of permissions they don't actually need. This is often enforced by the CPU architecture instead of in pure software and is much less granular than capability-based security. This approach contradicts the principle of least privilege.

In the sense that both approaches are used for the provisioning of permissions to programs, they are different methods for the same purpose, but they tend to apply to different domains. The Android OS implements a kernel similar to Linux and uses hierarchical protection domains there, but then on top of that it adds the Android stack and then uses capability-based security for apps.
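The two models the answer contrasts, as an added example that is not part of the original answer: a capability here is an unforgeable object reference that carries only the rights it was given (and can be attenuated or revoked), while a ring is a privilege level that hands every program at that level the same bundle of rights. The in-memory filesystem, the file contents, the ring numbers and the operation table are all constructed for illustration; nothing touches the real OS.

```python
"""Constructed example: the two authority models from the answer, side by side.

Capability model - authority is an unforgeable object reference; a program
                   starts with nothing and is handed only what it needs.
Ring model       - authority is a privilege level; everything permitted at
                   that level is available, whether the program needs it or not.
"""
from __future__ import annotations

# Toy in-memory filesystem (constructed data, not a real disk).
FILES: dict[str, str] = {
    "/etc/shadow": "root:$6$hash",
    "/home/tim/notes": "buy milk and call mum",
}


# ---------------------------------------------------------------- capabilities
class FileCap:
    """Capability for a single file.

    Holding the object *is* the permission. Python's memory safety keeps the
    reference unforgeable: code can only obtain a FileCap by being handed one,
    never by naming a path string, so a program that is never given a capability
    for /etc/shadow has no way to reach that file at all.
    """

    def __init__(self, path: str, rights: frozenset[str],
                 parent: FileCap | None = None) -> None:
        if path not in FILES:
            raise KeyError(path)
        self._path = path
        self._rights = rights
        self._parent = parent   # set when derived via attenuate()
        self._alive = True

    def _check(self, right: str) -> None:
        # Revoking any ancestor revokes every capability derived from it.
        cap: FileCap | None = self
        while cap is not None:
            if not cap._alive:
                raise PermissionError(f"capability for {self._path} revoked")
            cap = cap._parent
        if right not in self._rights:
            raise PermissionError(f"no '{right}' right on {self._path}")

    def read(self) -> str:
        self._check("read")
        return FILES[self._path]

    def write(self, data: str) -> None:
        self._check("write")
        FILES[self._path] = data

    def attenuate(self, *rights: str) -> FileCap:
        """Derive a narrower capability. Rights can only shrink, never grow."""
        wanted = frozenset(rights)
        if not wanted <= self._rights:
            raise PermissionError("attenuation cannot add rights")
        return FileCap(self._path, wanted, parent=self)

    def revoke(self) -> None:
        self._alive = False


def word_count(notes: FileCap) -> int:
    """A least-privilege 'program': it receives exactly one read-only
    capability and cannot name, open or write any other file."""
    return len(notes.read().split())


# ----------------------------------------------------------------------- rings
class Ring:
    """Hierarchical protection domain: ring 0 is most privileged, ring 3 least.

    An operation is allowed when the caller's ring number is <= the ring the
    operation requires. Every program in a given ring gets the same bundle of
    rights, which is why the model cannot express "read this one file only".
    """

    # Ring required for each operation (constructed; real ISAs differ).
    REQUIRED: dict[str, int] = {
        "read_file": 3, "write_file": 3,       # ambient: any ring-3 code may do these
        "load_driver": 0, "set_page_table": 0,  # kernel-only
    }

    def __init__(self, level: int) -> None:
        if not 0 <= level <= 3:
            raise ValueError("ring must be 0..3")
        self.level = level

    def allowed(self, op: str) -> bool:
        return self.level <= self.REQUIRED[op]

    def permitted_ops(self) -> set[str]:
        return {op for op, need in self.REQUIRED.items() if self.level <= need}


def ring_word_count(caller: Ring, path: str) -> int:
    """Same program under the ring model: the ring check passes for *any* path,
    so the program carries authority it never needed (e.g. over /etc/shadow)."""
    if not caller.allowed("read_file"):
        raise PermissionError("ring too low for read_file")
    return len(FILES[path].split())
```

The contrast to notice: `word_count` can only ever touch the one file whose capability it was handed, and the caller can shrink that further with `attenuate("read")` or cut it off with `revoke()`; `ring_word_count` is granted "read any file" simply by running at ring 3, which is the coarse, non-least-privilege grant the answer describes. Real operating systems layer discretionary access control on top of rings, but that is a separate mechanism, not something the ring model itself expresses.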

Comments:

  • Thanks. Does running a process with `sudo` or `su` belong to one of the two? – Tim Sep 02 '14 at 13:04
  • Capability-based security is not used for accessing kernel services, is it? – Tim Sep 02 '14 at 14:31
  • This doesn't sound like "diametrically opposite." It sounds like "different," or maybe "is a subset of". I flagged the Wikipedia page as requiring citation. – Sep 02 '14 at 18:00
  • @Tim I'm not sure about `sudo` or `su`. The classification may not be as clear cut. I'm pretty sure there is nothing that uses capability-based security around the Linux kernel, but it would certainly be possible to use that basis in a kernel for some new OS. – Sep 03 '14 at 07:23
  • @WanderingLogic I do not agree that one "is a subset of" the other; they are pretty much mutually exclusive. I do agree that "diametrically opposite" is misleading. – Sep 03 '14 at 07:26
  • Check my answer on this for more clarity on `sudo` or `su`: https://operatingsystems.stackexchange.com/questions/220/do-sudo-and-su-belong-to-capability-based-security – Sep 06 '14 at 07:29