title = {The {Cambridge} {CAP} {Computer} and {Its} {Operating} {System}}, 
  author = {Wilkes, Maurice Vincent and Needham, Roger Michael and Denning, Peter J.}, 
  number = {6}, 
  year = {1979}, 
  editor = {Peter J. Denning}, 
  publisher = {Elsevier North Holland}, 
  series = {Operating and {Programming} {Systems} {Series}}, 
  isbn = {0-444-00357-6}, 
  www_section = {Hardware / CAP, Operating Systems}, 
  www_tags = {selected}, 
  www_pdf_url = {},
  title = {The Confused Deputy (or why capabilities might have been invented)}, 
  author = {Norman Hardy}, 
  journal = {{ACM SIGOPS} Operating Systems Review}, 
  volume = {22}, 
  number = {4}, 
  year = {1988}, 
  month = {October}, 
  www_tags = {selected}, 
  www_section = {Theory}, 
  title = {Protection in {Programmed} {Systems}}, 
  author = {Jones, Anita Katherine}, 
  school = {Carnegie Mellon University}, 
  year = {1973}, 
  month = {June}, 
  type = {{PhD}}, 
  www_tags = {selected}, 
  language = {en}, 
  abstract = {This dissertation investigates the control of access to objects within
        programmed systems. The vehicle for this study is a model of protection that
        isolates a small set of mechanisms needed to provide access control, leaving the
        policy for invoking these mechanisms to vary naturally with applications.
        Emphasis is placed on access control required for parameters that accompany a
        process crossing between execution environments; and a new concept called
        amplification is defined. The model is shown to provide structure and terminology
        sufficient for describing and comparing diverse protection systems, for
        expressing and proving boundary conditions that characterize the manipulation of
        objects within environments independent of the code executed, and for partially
        ordering protection systems according to the services they provide. In addition,
        the dissertation introduces the concept of a centralized protection facility
        capable of providing access control for user defined objects and accesses}, 
  www_section = {Theory}, 
  title = {Capability-{Based} {Computer} {Systems}}, 
  author = {{Henry M. Levy}}, 
  year = {1984}, 
  publisher = {Digital Press}, 
  www_important = {1}, 
  www_section = {Surveys}, 
  www_website_url = {}, 
  www_tags = {selected}, 
  www_remarks = {Levy reviews systems up through the mid-1980s, including the Cambridge
        CAP, HYDRA, StarOS, IBM's System/38, and Intel's iAPX 432. The book is out of
        print but the website hosts PDF copies of each chapter.}, 
  title = {Capability {Myths} {Demolished}}, 
  author = {Miller, Mark S and Yee, Ka-Ping and Shapiro, Jonathan}, 
  institution = {Johns Hopkins University}, 
  year = {2003}, 
  www_tags = {selected}, 
  language = {en}, 
  abstract = {We address three common misconceptions about capability-based systems: the
        Equivalence Myth (access control list systems and capability systems are formally
        equivalent), the Confinement Myth (capability systems cannot enforce
        confinement), and the Irrevocability Myth (capability-based access cannot be
        revoked). The Equivalence Myth obscures the benefits of capabilities as compared
        to access control lists, while the Confinement Myth and the Irrevocability Myth
        lead people to see problems with capabilities that do not actually exist}, 
  www_section = {Theory}, 
  www_pdf_url = {}, 
  title = {Paradigm {Regained}: {Abstraction} {Mechanisms} for {Access} {Control}}, 
  author = {Miller, Mark S. and Shapiro, Jonathan S.}, 
  booktitle = {Proceedings of Advances in {Computing} {Science} -- {ASIAN} 2003}, 
  year = {2003}, 
  address = {Berlin, Heidelberg}, 
  pages = {224--242}, 
  editor = {Vijay A. Saraswat}, 
  publisher = {Springer Berlin Heidelberg}, 
  isbn = {978-3-540-40965-6}, 
  abstract = {Access control systems must be evaluated in part on how well they enable one
        to distribute the access rights needed for cooperation, while simultaneously
        limiting the propagation of rights which would create vulnerabilities. Analysis
        to date implicitly assumes access is controlled only by manipulating a system's
        protection state -- the arrangement of the access graph. Because of the
        limitations of this analysis, capability systems have been "proven" unable to
        enforce some basic policies: revocation, confinement, and the *-properties
        (explained in the text)}, 
  www_section = {Theory}, 
  www_website_url = {}, 
  www_tags = {selected}, 
  www_pdf_url = {}, 
  title = {The Foundations of a {Provably Secure Operating System} ({PSOS})}, 
  author = {R. J. Feiertag and P. G. Neumann}, 
  booktitle = {Proceedings of the National Computer Conference}, 
  year = {1979}, 
  pages = {329--334}, 
  key = {Feiertag}, 
  publisher = {AFIPS Press}, 
  www_tags = {selected}, 
  www_section = {Operating Systems / PSOS}, 
  www_pdf_url = {}, 
  title = {Naming and {Protection} in {Extendible} {Operating} {Systems}}, 
  author = {Redell, David D}, 
  school = {Massachusetts Institute of Technology}, 
  year = {1974}, 
  www_tags = {selected}, 
  language = {en}, 
  abstract = {The properties of capability-based extendible operating systems are
        described, and various aspects of such systems are discussed, with emphasis on
        the conflict between free distribution of access privileges and later revocation
        of those privileges. The discussion culminates in a set of goals for a new
        capability scheme. A new design is then proposed, which provides both
        type extension and revocation through the definition of generalized sealing of
        capabilities. The implementation of this design is discussed in sufficient detail
        to demonstrate that it would be workable and acceptably economical. The utility
        of the proposed capability mechanism is demonstrated by describing two facilities
        implementable in terms of it. These are: (a) revocable parameters for calls
        between mutually suspicious subsystems, and (b) directories providing a civilized
        medium for the storage and distribution of revocable capabilities}, 
  www_section = {Theory}, 
  title = {{Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set
        Architecture (Version 7)}}, 
  author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, Jonathan and Roe,
        Michael and Almatary, Hesham and Anderson, Jonathan and Baldwin, John and
        Chisnall, David and Davis, Brooks and Filardo, Nathaniel Wesley and Joannou,
        Alexandre and Laurie, Ben and Moore, Simon W. and Murdoch, Steven J. and
        Nienhuis, Kyndylan and Norton, Robert and Richardson, Alex and Rugg, Peter and
        Sewell, Peter and Son, Stacey and Xia, Hongyan}, 
  institution = {University of Cambridge, Computer Laboratory}, 
  number = {UCAM-CL-TR-927}, 
  year = {2018}, 
  month = {October}, 
  www_tags = {selected}, 
  url = {}, 
  www_section = {Hardware / CHERI}, 
  www_pdf_url = {}, 
  title = {{HYDRA/C.mmp}: An Experimental Computer System}, 
  author = {William A. Wulf and Roy Levin and Samuel P. Harbison}, 
  year = {1981}, 
  publisher = {McGraw-Hill}, 
  isbn = {978-0070721203}, 
  www_section = {Operating Systems / HYDRA}, 
  www_tags = {selected},