Hydra - a capability based system

One of the most prominent capability-based system [[ACM representation#Capability lists (C-lists)|Capability]] is a unique, unforgeable and sharable handle to object $O$. It was defined as $Capability = 64 \space bit \space object \space id + 16 \space bits \space of \space generic \space rights + 8 \space bits \space of \space auxiliary \space rights$ Hydra kernel is based on this idea. Instead of checking at the program level, here the OS is guaranteeing the capability of an object. Each method call to an object is a *protected call*. - Procedures, local name space or LNS (actively executing procedure) and processes (stack of LNS) were all objects having associated capabilities - Each object has a C-list (not per user, single catalog of capabilities). - The object could hold the capability, but is not allowed to modify it. - While you are in the object, you have access to its C-list. - Each object has a type manager which is invoked to create an object of its type - Type manager restricts access rights when an object capability is returned - When a call is made, rights are amplified to provide access to representation of objects - What capabilities are available during this call? - Capabilities in called object C-list - Capabilities passed in arguments that could be amplified with an amplification template that resides in the object ### Sharing capabilities Sharing is propagating capabilities. We have two users that want to share a file. When we make a file we got a capability. So both C-lists must have the capability for the file. ![[attachments/Screenshot 2023-06-08 at 10.20.09 PM.png]] ### Revocation If we want to revoke permissions for users you can't directly remove permissions from the user's C-lists. We can create a common object that has access to the main file. We can simply revoke the access to this object (C-File), and users will not be able to access the file. ![[attachments/Screenshot 2023-06-08 at 10.20.52 PM.png]] We cannot take a capability from the common object and bring it into our own C-list. There are environment rights which say that a capability cannot escape the container it lives in. ### Mutual suspicion problem Sometimes two processes need to share only a subset of their capabilities because they don’t fully trust each other. This is possible with C-lists. Through a controlled invocation, we can pass the only the useful capability between the two processes. ![[attachments/Screenshot 2023-06-08 at 10.25.46 PM.png]]