
Method of Revoking a Capability Containing a Pointer Type Identifier Without Accessing the Capability

IP.com Disclosure Number: IPCOM000048429D
Original Publication Date: 1982-Jan-01
Included in the Prior Art Database: 2005-Feb-08
Document File: 2 page(s) / 14K

Publishing Venue

IBM

Related People

Plambeck, KE: AUTHOR

Abstract

A capability is an unforgeable, though possibly copyable, data element that is given to a process to enable the process to access an object that the capability identifies.

This is the abbreviated version, containing approximately 52% of the total text.




The identifier in a capability is normally either a pointer type or a unique code. A pointer-type identifier is either the direct address or some kind of simple indirect address of the identified object; it therefore maps efficiently to the address of the identified object. A unique code maps less efficiently to the address of the identified object, through a lookup in a hashing table.

It is sometimes necessary to revoke a capability, either because the relationship between the owning process and the identified object has changed or because the object is to be destroyed. A capability containing a pointer-type identifier is normally revoked by accessing the capability and setting it invalid. (If the identifier is indirect, an alternative is to set invalid the entry in the intermediate mapping table; this is undesirable because the entry then becomes permanently unusable.) Revoking by accessing the capability may be difficult, because it may be difficult to locate the capability and any copies of it that have been made. A capability containing a unique code is normally revoked simply by unassigning the unique code, that is, by removing its translation from the hashing table. A unique code that has been unassigned is never reassigned.

Thus, a pointer-type identifier has the advantage of mapping efficiently to the address of the identified object but the disadvantage of making its containing capability difficult to revoke. A unique code has the disadvantage of mapping less efficiently to the address of the identified object but the advantage of making its containing capability easy to revoke.

The method described here uses a capability containing both a pointer-type identifier and a unique code. The pointer-type identifier is used in the normal way to determine the address of the identified object. The unique code is used as a validation number (VN) to determine whether or not the capability is valid, that is, has not been revoked. If the pointer-type identifier is a direct address, the VN is also placed in the identified object. If the pointer-type identifier is an indirect address, the VN is also placed in the entry in the intermediate mapping table. When the capability is used to access the object, the VN in the capability is compared to the VN in either the object or the intermediate table entry. The access is permitted only if the two compared VNs are equal; otherwise, an exception is recognized and the access is prevented. The capability is revoked simply by changing (normally, incrementing by one) the VN in the object or the intermediate table entry. This revocation is done without accessing the capability or any of its copies.
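The following C program is an added illustration of the scheme just described in both its direct and indirect forms; it is not code from the disclosure, and the type and function names (object_t, capability_t, map_entry_t, the scenario functions) are hypothetical. A NULL return from the use functions stands in for the exception the text says is recognized on a VN mismatch. The indirect scenario also shows the point the text makes against simply invalidating a mapping-table entry: after revocation by VN, the same entry can be reassigned to a different object, and a stale copy of the old capability still cannot reach the new object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; names are hypothetical, not from the disclosure. */

/* An object carries the current validation number (VN). */
typedef struct {
    uint32_t vn;
    int payload;
} object_t;

/* Direct form: the pointer-type identifier is the object address and the
 * VN is copied into the capability when it is granted. */
typedef struct {
    object_t *ptr;
    uint32_t  vn;
} capability_t;

/* Indirect form: the pointer-type identifier is an index into a mapping
 * table whose entry holds the object address and the VN. */
typedef struct {
    object_t *ptr;
    uint32_t  vn;
} map_entry_t;

typedef struct {
    size_t   index;
    uint32_t vn;
} icapability_t;

#define MAP_ENTRIES 4
static map_entry_t map_table[MAP_ENTRIES];

capability_t grant_direct(object_t *obj) {
    capability_t cap = { obj, obj->vn };
    return cap;
}

/* Use a direct capability: compare the VN in the capability with the VN in
 * the object. Returns the object, or NULL where an exception would be raised. */
object_t *use_direct(capability_t cap) {
    if (cap.ptr->vn != cap.vn) return NULL;
    return cap.ptr;
}

/* Revocation touches only the object; every outstanding capability and every
 * copy of it become stale at once, without being located. */
void revoke_direct(object_t *obj) { obj->vn++; }

icapability_t grant_indirect(size_t index) {
    icapability_t cap = { index, map_table[index].vn };
    return cap;
}

/* Use an indirect capability: the VN is compared against the table entry. */
object_t *use_indirect(icapability_t cap) {
    if (cap.index >= MAP_ENTRIES) return NULL;
    map_entry_t *e = &map_table[cap.index];
    if (e->ptr == NULL || e->vn != cap.vn) return NULL;
    return e->ptr;
}

void revoke_indirect(size_t index) { map_table[index].vn++; }

/* Grant, copy, use, revoke, use again, regrant: true if each step behaves
 * as the disclosure describes. */
bool scenario_direct(void) {
    object_t obj = { 7, 42 };
    capability_t cap = grant_direct(&obj);
    capability_t copy = cap;            /* a copy the revoker never sees */
    if (use_direct(cap) != &obj || use_direct(copy) != &obj) return false;
    revoke_direct(&obj);
    if (use_direct(cap) != NULL || use_direct(copy) != NULL) return false;
    capability_t fresh = grant_direct(&obj);   /* new grant carries the new VN */
    if (use_direct(fresh) != &obj) return false;
    if (use_direct(copy) != NULL) return false; /* stale copy stays revoked */
    return true;
}

/* Same sequence through the mapping table, then reuse of the entry. */
bool scenario_indirect(void) {
    object_t a = { 0, 1 }, b = { 0, 2 };
    bool ok = true;
    map_table[2].ptr = &a;
    map_table[2].vn = 100;
    icapability_t cap = grant_indirect(2);
    icapability_t copy = cap;
    if (use_indirect(cap) != &a) ok = false;
    revoke_indirect(2);                       /* cap and copy are now stale */
    if (use_indirect(copy) != NULL) ok = false;
    map_table[2].ptr = &b;                    /* entry reused, not permanently dead */
    icapability_t fresh = grant_indirect(2);
    if (use_indirect(fresh) != &b) ok = false;
    if (use_indirect(copy) != NULL) ok = false; /* old copy cannot reach b */
    map_table[2].ptr = NULL;                  /* do not leave a dangling pointer */
    return ok;
}

int main(void) {
    printf("direct:   %s\n", scenario_direct() ? "ok" : "FAIL");
    printf("indirect: %s\n", scenario_indirect() ? "ok" : "FAIL");
    return 0;
}
```

Two practical points follow from the structure above rather than from the text. First, the VN check only detects revocation; the unforgeability of the capability itself must come from elsewhere (the text assumes it), since a process that can fabricate a capability can also copy the current VN out of the object. Second, the width of the VN bounds how many revocations can occur before the counter wraps around to a value a stale copy still holds, so the counter must be sized for the object's lifetime or the object retired before it wraps.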

The VNs used at different times with a particular poin...