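@comment{denning:cap: the book is by Wilkes and Needham; Denning is the editor of the
series it appeared in (number 6), so he is kept in editor rather than author.}
@book{denning:cap,
title = {The {Cambridge} {CAP} Computer and Its Operating System},
author = {Wilkes, Maurice Vincent and Needham, Roger Michael},
editor = {Denning, Peter J.},
series = {Operating and Programming Systems Series},
number = {6},
year = {1979},
publisher = {Elsevier North Holland},
isbn = {0-444-00357-6},
www_section = {Hardware / CAP, Operating Systems},
www_tags = {selected},
www_pdf_url = {https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/cap.pdf},
}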
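@article{hardy1988,
title = {The Confused Deputy (or why capabilities might have been invented)},
author = {Hardy, Norman},
journal = {{ACM SIGOPS} Operating Systems Review},
volume = {22},
number = {4},
year = {1988},
month = oct,
www_tags = {selected},
www_section = {Theory},
}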
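@phdthesis{jones:protection,
title = {Protection in Programmed Systems},
author = {Jones, Anita Katherine},
school = {Carnegie Mellon University},
year = {1973},
month = jun,
type = {{PhD}},
www_tags = {selected},
language = {en},
abstract = {This dissertation investigates the control of access to objects within
programmed systems. The vehicle for this study is a model of protection that
isolates a small set of mechanisms needed to provide access control, leaving the
policy for invoking these mechanisms to vary naturally with applications.
Emphasis is placed on access control required for parameters that accompany a
process crossing between execution environments; and a new concept called
amplification is defined. The model is shown to provide structure and terminology
sufficient for describing and comparing diverse protection systems, for
expressing and proving boundary conditions that characterize the manipulation of
objects within environments independent of the code executed, and for partially
ordering protection systems according to the services they provide. In addition,
the dissertation introduces the concept of a centralized protection facility
capable of providing access control for user defined objects and accesses},
www_section = {Theory},
}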
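@book{levy:capsystems,
title = {Capability-Based Computer Systems},
author = {Levy, Henry M.},
year = {1984},
publisher = {Digital Press},
www_important = {1},
www_section = {Surveys},
www_website_url = {https://homes.cs.washington.edu/~levy/capabook/},
www_tags = {selected},
www_remarks = {Levy reviews systems up through the mid-1980s, including the Cambridge
CAP, HYDRA, StarOS, IBM's System/38, and Intel's iAPX 432. The book is out of
print but the website hosts PDF copies of each chapter.},
}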
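@techreport{miller:capmyths,
title = {Capability Myths Demolished},
author = {Miller, Mark S. and Yee, Ka-Ping and Shapiro, Jonathan},
institution = {Johns Hopkins University},
number = {SRL2003-02},
year = {2003},
www_tags = {selected},
language = {en},
abstract = {We address three common misconceptions about capability-based systems: the
Equivalence Myth (access control list systems and capability systems are formally
equivalent), the Confinement Myth (capability systems cannot enforce
confinement), and the Irrevocability Myth (capability-based access cannot be
revoked). The Equivalence Myth obscures the benefits of capabilities as compared
to access control lists, while the Confinement Myth and the Irrevocability Myth
lead people to see problems with capabilities that do not actually exist},
www_section = {Theory},
www_pdf_url = {http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf},
}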
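@inproceedings{miller:paradigmregained,
title = {Paradigm Regained: Abstraction Mechanisms for Access Control},
author = {Miller, Mark S. and Shapiro, Jonathan S.},
booktitle = {Proceedings of Advances in Computing Science -- {ASIAN} 2003},
year = {2003},
address = {Berlin, Heidelberg},
pages = {224--242},
editor = {Saraswat, Vijay A.},
publisher = {Springer Berlin Heidelberg},
isbn = {978-3-540-40965-6},
abstract = {Access control systems must be evaluated in part on how well they enable one
to distribute the access rights needed for cooperation, while simultaneously
limiting the propagation of rights which would create vulnerabilities. Analysis
to date implicitly assumes access is controlled only by manipulating a system's
protection state -- the arrangement of the access graph. Because of the
limitations of this analysis, capability systems have been "proven" unable to
enforce some basic policies: revocation, confinement, and the *-properties
(explained in the text)},
www_section = {Theory},
www_website_url = {http://www.erights.org/talks/asian03/},
www_tags = {selected},
www_pdf_url = {http://www.erights.org/talks/asian03/paradigm-revised.pdf},
}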
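@inproceedings{neumann:psos79,
title = {The Foundations of a {Provably Secure Operating System} ({PSOS})},
author = {Feiertag, R. J. and Neumann, P. G.},
booktitle = {Proceedings of the National Computer Conference},
year = {1979},
pages = {329--334},
key = {Feiertag},
publisher = {AFIPS Press},
www_tags = {selected},
www_section = {Operating Systems / PSOS},
www_pdf_url = {http://www.csl.sri.com/neumann/psos.pdf},
}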
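@phdthesis{redell:naming,
title = {Naming and Protection in Extendible Operating Systems},
author = {Redell, David D.},
school = {Massachusetts Institute of Technology},
year = {1974},
www_tags = {selected},
language = {en},
abstract = {The properties of capability-based extendible operating systems are
described, and various aspects of such systems are discussed, with emphasis on
the conflict between free distribution of access privileges and later revocation
of those privileges. The discussion culminates in a set of goals for a new
capability scheme. A new design is then proposed, which provides both
type extension and revocation through the definition of generalized sealing of
capabilities. The implementation of this design is discussed in sufficient detail
to demonstrate that it would be workable and acceptably economical. The utility
of the proposed capability mechanism is demonstrated by describing two facilities
implementable in terms of it. These are: (a) revocable parameters for calls
between mutually suspicious subsystems, and (b) directories providing a civilized
medium for the storage and distribution of revocable capabilities},
www_section = {Theory},
}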
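@comment{watson:cheriisav7: number and url both identify this report as UCAM-CL-TR-927;
www_pdf_url is kept consistent with them so readers are not served a different report
(an older ISA version) than the one cited.}
@techreport{watson:cheriisav7,
title = {Capability Hardware Enhanced {RISC} Instructions: {CHERI} Instruction-Set
Architecture (Version 7)},
author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, Jonathan and Roe,
Michael and Almatary, Hesham and Anderson, Jonathan and Baldwin, John and
Chisnall, David and Davis, Brooks and Filardo, Nathaniel Wesley and Joannou,
Alexandre and Laurie, Ben and Moore, Simon W. and Murdoch, Steven J. and
Nienhuis, Kyndylan and Norton, Robert and Richardson, Alex and Rugg, Peter and
Sewell, Peter and Son, Stacey and Xia, Hongyan},
institution = {University of Cambridge, Computer Laboratory},
number = {UCAM-CL-TR-927},
year = {2018},
month = oct,
www_tags = {selected},
url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-927.pdf},
www_section = {Hardware / CHERI},
www_pdf_url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-927.pdf},
}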
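@book{wulf:hydrabook,
title = {{HYDRA/C.mmp}: An Experimental Computer System},
author = {Wulf, William A. and Levin, Roy and Harbison, Samuel P.},
year = {1981},
publisher = {McGraw-Hill},
isbn = {978-0070721203},
www_section = {Operating Systems / HYDRA},
www_tags = {selected},
}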