Basic concepts

The following concepts are used within the scope of the ocap policy family.

Resource

A resource is a security domain, an internal abstraction within the scope of a resource driver. For example, a resource can be a file, port, or entity. The resource driver determines the type of resource and how operations are performed with this resource.

For a security system and external entities, a resource is perceived as a whole.

Resource driver

A resource driver is an entity that manages resources and access to them.

For example, a file system is a resource driver, and files are the resources that the file system can allow other entities to access.

In the ocap family, the driver is the capability owner for these resources.

Client

A client is an application that uses resources. A client can obtain access to a resource only if it is a capability holder for that resource.

Access right

An access right is the name of an operation or set of operations that can be performed on a resource.

Capability

A capability is a special form of a link that identifies a resource and determines the allowed operations that can be performed on that resource.

A capability, as an internal object of an ocap family instance, combines the identity of the resource with the access rights of the holder. The access rights of the holder are stored within the ocap family instance itself, not in the client.

Access rights to the resource are checked by the check and checkR security policies. The check may be performed directly when the client calls the resource driver, or it may be initiated by the driver itself through the security interface (a security statement).

Capability holder

A capability holder is an entity that has been granted access rights to the resource corresponding to the capability.

A client entity has no access to information about whether a given resource SID corresponds to a capability it holds, nor about which access rights it has to that resource.

A resource driver becomes the holder and owner of a capability during initialization (the init and initR policies). The remaining entities become holders of the capability during the capability transfer process (the transfer, transferR, derive and deriveR policies).

An entity ceases to be a holder after its capability is revoked (the revoke policy).

Capability Derivation Tree (CDT)

The capability derivation tree (CDT) is a hierarchical structure of capability holders. Each node of the tree is a capability holder, and a branch from a node down to its descendants corresponds to the ability of that holder to revoke the capability from them. The root of the tree is the resource driver, which is the entity that initialized the capability.

Example

The resource driver Dave initialized the capability for a resource and granted it to the entity Bob by derivation (derive). In turn, the entity Bob passed this capability to the entity Carol by transfer (transfer).

The CDT will look as follows:

     Dave // driver
       |
    +--+--+
    |     |
   Bob  Carol

Note that derive made Bob a child of the granting entity (Dave), whereas transfer placed Carol beside Bob, at the same level under the driver, rather than beneath Bob. As a result, Dave can revoke the capability from either of them, but Bob cannot revoke it from Carol.
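The following is an added illustration of the CDT semantics described above, not code from KasperskyOS or the ocap policy family itself. It models one capability as a tree of holders with the operations the page names (init, derive, transfer, revoke, check). Two details the page does not state are assumptions of this model: revoking a holder's capability also removes every holder beneath it in the tree, and a grantor may pass on only a subset of the rights it holds. The names Dave, Bob, Carol and the rights "read" and "write" are taken from or constructed for the page's example.

```python
"""Toy model of an ocap-style capability derivation tree (CDT).

Added illustration, not KasperskyOS / Kaspersky Security System code.
Assumptions not stated on the page: revoking a capability from a holder
also revokes it from everything below that holder in the CDT, and a
grantor can hand on at most the access rights it holds itself.
"""
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Node:
    holder: str                      # name of the capability holder
    rights: frozenset                # access rights this holder has
    parent: Optional["Node"] = None  # None only for the resource driver
    children: list = field(default_factory=list)


class CapabilityDerivationTree:
    """One capability (one resource) and the entities that hold it."""

    def __init__(self, driver: str, rights):
        # init / initR: the resource driver is the owner and the first holder.
        self.root = Node(driver, frozenset(rights))
        self._nodes = {driver: self.root}

    def _node(self, holder: str) -> Node:
        try:
            return self._nodes[holder]
        except KeyError:
            raise PermissionError(f"{holder} does not hold this capability") from None

    def _attach(self, parent: Node, grantor: Node, recipient: str, rights) -> Node:
        if recipient in self._nodes:
            raise ValueError(f"{recipient} already holds this capability")
        rights = grantor.rights if rights is None else frozenset(rights)
        if not rights <= grantor.rights:  # assumption: no amplification of rights
            raise PermissionError(f"{grantor.holder} cannot grant rights it lacks")
        node = Node(recipient, rights, parent)
        parent.children.append(node)
        self._nodes[recipient] = node
        return node

    def derive(self, grantor: str, recipient: str, rights=None) -> Node:
        # derive / deriveR: the recipient becomes a child of the grantor.
        g = self._node(grantor)
        return self._attach(g, g, recipient, rights)

    def transfer(self, grantor: str, recipient: str, rights=None) -> Node:
        # transfer / transferR: the recipient is placed beside the grantor,
        # i.e. under the grantor's parent (the driver itself stays the root).
        g = self._node(grantor)
        return self._attach(g.parent or g, g, recipient, rights)

    def revoke(self, revoker: str, holder: str) -> list:
        # revoke: only an ancestor on the holder's branch may revoke, and the
        # whole subtree below the holder loses the capability (assumption).
        r, h = self._node(revoker), self._node(holder)
        if not self._is_ancestor(r, h):
            raise PermissionError(f"{revoker} is not above {holder} in the CDT")
        h.parent.children.remove(h)
        removed = [n.holder for n in self._walk(h)]
        for name in removed:
            del self._nodes[name]
        return removed

    def check(self, holder: str, right: str) -> bool:
        # check / checkR: is `holder` a capability holder with this right?
        node = self._nodes.get(holder)
        return node is not None and right in node.rights

    def children(self, holder: str) -> list:
        return [c.holder for c in self._node(holder).children]

    @staticmethod
    def _is_ancestor(ancestor: Node, node: Node) -> bool:
        while node.parent is not None:
            node = node.parent
            if node is ancestor:
                return True
        return False

    def _walk(self, node: Node) -> Iterator[Node]:
        yield node
        for child in node.children:
            yield from self._walk(child)


def page_example() -> CapabilityDerivationTree:
    """Rebuild the tree from the page's example: Dave -derive-> Bob -transfer-> Carol."""
    cdt = CapabilityDerivationTree("Dave", {"read", "write"})
    cdt.derive("Dave", "Bob")                 # Bob becomes Dave's child
    cdt.transfer("Bob", "Carol", {"read"})    # Carol lands beside Bob, under Dave
    return cdt
```

Running page_example() yields Dave with children Bob and Carol, matching the diagram; Bob cannot revoke from Carol because Carol is not on his branch, while Dave can revoke from either. Replacing the transfer with a derive would put Carol under Bob, so revoking from Bob would then remove Carol as well.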
