Main Idea:

Requirements:

Naming Objects:

Approach 1:
The object's name is the object's address in memory combined with the object's size.

(The size is needed to resolve ambiguity between an array and the its first element.)
Advantage:
If the system has segmented virtual memory, then the naming convention can

be supported by the addressing hardware (very efficient.)

Disadvantages:
The object's name changes whenever it is moved.
A copy of an object does not have the same name as the original object.
Approach 2:
A table is maintained that maps each object to a unique identifier.
Running out of unique names is not a practical concern

(ex. if each name has 50 bits and an object is named every microsecond,

then the namespace is exhausted in 35 years.)

Advantages:
Relocating an object does not change its name
The mapping table is supported by segmentation hardware (very efficient.)

Preventing Forgery:

Approach 1: Hardware Tags
Modify the hardware such that every word in memory has a tag bit.

When the bit is on, the corresponding word cannot be changed or copied.

A capability that is stored in tagged memory (memory with the tag bit set)

cannot be forged.
Disadvantages:
Adding hardware is expensive
Capabilities cannot be shared

Approach 2: Protected Address Space
Each process is associated with a capability list that is stored in the kernel.

The kernel provides supervisor calls to manipulate both the capabilities and the lists.

The kernel can prevent forgery, because the capabilities must be accessed through it.
Advantage:
Processes can share capabilities
Disadvantages:
Kernel is involved in rights propagation (poor performance.)
Kernel must store all capability information

Approach 3: Scope

Only allow local variables (capabilities) to be accessed in local functions.

Programming languages can provide this protection.
Approach 4 : Cryptography
Option 1:

A copy of each capability is stored with a random bit sequence in the kernel.

Processes maintain copies of capability/bit sequence pairs.

A capability/bit sequence is valid if and only if it matches a capability/bit sequence

in the kernel.

Advantage:
Capabilities can be shared without invoking the kernel

Disadvantages:

The kernel must store the capability information
The kernel is needed to verify that a capability is not forged
Option 2 (Secret Key Cryptography):

The kernel stores a private key that is used to encrypt capabilities.

Processes maintain copies of the capabilities which the kernel verifies using its private key.

Advantages:

Capabilities can be shared without invoking the kernel
Kernel only needs to store its private key

Disadvantage:

The kernel is needed to verify that a capability is not forged.
Option 3 (Public Key Cryptography):

The kernel keeps a private key that is used to sign capabilities.

Processes use the kernel's public key to check that capabilities are valid without
invoking the kernel.