Capabilities vs. ACLs
Within computer systems, there are two fundamental means of enforcing
privilege separation:
- ACLs, or access control lists. The semantics of ACLs have been shown
to be insecure in many situations. It has also been shown that the
ACL promise of giving access to an object to only one person can
never be guaranteed in practice. This does not mean practical flaws
exist in all ACL-based systems — only that the designers of
certain utilities must take responsibility to ensure that they do
not introduce flaws.
- Capabilities. The problems of ACLs are resolved by capabilities.
Unfortunately, for various historical reasons, capabilities have been
mostly restricted to research operating systems, while commercial OSes
still use ACLs. Capabilities can, however, also be implemented at
the language level, leading to a style of programming that is essentially
a refinement of standard object-oriented design. An open source project
in this area is the E language [3].
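The following is an added example, not code from the original text or from the E project, that shows the contrast the two list items describe in language-level terms. The ACL side guards a document by asking "who is calling?", so a utility that runs under its own identity (a hypothetical "printer" principal) ends up answering for callers who hold no rights of their own, and its designer must add that check by hand. The capability side guards the same document by asking "what reference do you hold?": holding a `ReadCap` or `WriteCap` object is the authority, weaker facets are derived from stronger ones, and a grantor can revoke what it handed out. All class and principal names are constructed for this illustration.

```python
from __future__ import annotations


# ---------------- ACL style: the object asks "who are you?" ----------------
class AclDocument:
    """A document guarded by an access control list keyed on principal name."""

    def __init__(self, text: str, acl: dict[str, set[str]]) -> None:
        self._text = text
        self._acl = acl  # principal -> rights that principal holds

    def read(self, principal: str) -> str:
        if "read" not in self._acl.get(principal, set()):
            raise PermissionError(f"{principal!r} may not read")
        return self._text

    def write(self, principal: str, text: str) -> None:
        if "write" not in self._acl.get(principal, set()):
            raise PermissionError(f"{principal!r} may not write")
        self._text = text


def acl_print_service(doc: AclDocument, requester: str) -> str:
    """Hypothetical utility running as its own principal 'printer'.
    The ACL is consulted with the utility's identity, so the requester's
    own rights are never examined unless the utility's author adds that."""
    return doc.read("printer")


# ------------- Capability style: the object asks "what do you hold?" -------
class _Doc:
    """Private state. Reachable only through a capability object."""

    def __init__(self, text: str) -> None:
        self.text = text


class Revoker:
    """Switch a grantor keeps in order to cut off a capability it handed out."""

    def __init__(self) -> None:
        self.revoked = False

    def revoke(self) -> None:
        self.revoked = True


class ReadCap:
    """Read-only facet. Holding this reference is the authority; there is
    no principal to name and no list to consult."""

    def __init__(self, doc: _Doc, revokers: tuple[Revoker, ...]) -> None:
        self._doc = doc
        self._revokers = revokers  # every grantor in the delegation chain

    def _check(self) -> None:
        if any(r.revoked for r in self._revokers):
            raise PermissionError("capability revoked")

    def read(self) -> str:
        self._check()
        return self._doc.text


class WriteCap(ReadCap):
    """Read-write facet; weaker or independently revocable facets derive from it."""

    def write(self, text: str) -> None:
        self._check()
        self._doc.text = text

    def attenuate(self) -> ReadCap:
        """Derive a read-only facet that dies with this capability."""
        return ReadCap(self._doc, self._revokers)

    def delegate(self) -> tuple[WriteCap, Revoker]:
        """Hand out an equally powerful copy plus a revoker for that copy only."""
        r = Revoker()
        return WriteCap(self._doc, self._revokers + (r,)), r


def new_document(text: str) -> tuple[WriteCap, Revoker]:
    """Create a document; return the root capability and its revoker."""
    r = Revoker()
    return WriteCap(_Doc(text), (r,)), r


def acl_demo() -> str:
    """'guest' holds no rights, yet obtains the text through the utility."""
    doc = AclDocument("secret", {"alice": {"read", "write"}, "printer": {"read"}})
    return acl_print_service(doc, "guest")


def cap_demo() -> list[str]:
    """Walk through attenuation, delegation and revocation; return what happened."""
    events: list[str] = []
    root, root_rev = new_document("secret")
    ro = root.attenuate()
    if not hasattr(ro, "write"):
        events.append("read-only facet cannot write")
    delegated, d_rev = root.delegate()
    delegated.write("v2")  # shared state: visible through root as well
    d_rev.revoke()
    try:
        delegated.read()
    except PermissionError:
        events.append("delegated cap revoked")
    events.append(root.read())  # root unaffected by revoking the delegate
    root_rev.revoke()
    try:
        ro.read()
    except PermissionError:
        events.append("root revoked: derived facet dead too")
    return events
```

Note that a utility written in capability style, `cap.read()`, cannot act for a caller who never held a capability, because there is nothing it could pass other than what it was given; the check the ACL author had to remember becomes structurally unnecessary.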