Evidence review · standard

What Is Capability-Based Security

#oip#kimi-import#self-explaining#voxel#concepts#what-is-capability-security
bundle · json · system map · manifest

Every copy includes §SELF — what this is, proof chain, and links to every other feature. No context required.

§SELF — this page explains the system
## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `human_page` — **Human article page**
Rendered article with claims, sources, copy widgets, ask prompts.
- **article slug:** `what-is-capability-security`
- **contains:** rendered article, copy widgets, claims, sources, ask prompts
- **how to use:** Use Copy for LLM or Copy system map — both paste without context.
- **read:** https://miscsubjects.com/a/what-is-capability-security

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/what-is-capability-security/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **bundle** — Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution. · https://miscsubjects.com/api/articles/what-is-capability-security/bundle?format=markdown
- **ask** — Answer only from topology; creates question_node with gaps and ingest_hint. · https://miscsubjects.com/api/articles/what-is-capability-security/prompts
- **topology** — Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER. · https://miscsubjects.com/api/articles/what-is-capability-security/topology

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*

<!-- hierarchy:nav -->

Path: OIPThinker ReferenceProtocol ConceptsWhat Is Capability-Based Security

Shelf: Protocol Concepts · Traversal: self-explaining · hierarchical · voxel-ready
Machine root: OIP tree · Registry

What Is Capability-Based Security

§SELF — what-is-capability-security

What this page is: A definition of capability-based security and its core principles. What it explains: How possession of a reference (capability) grants permission to use a resource, eliminating the need for separate access control mechanisms. Why read it: To understand why capability security removes entire categories of vulnerabilities that traditional permission-based systems cannot prevent.

What Capability-Based Security Is

Capability-based security is an access control model where possession of an unforgeable reference (called a capability) to a resource is both necessary and sufficient to use that resource. There is no separate permission check, no access control list, and no central authority that decides who can do what. If you hold the capability, you can use the resource. If you do not hold it, you cannot.

The model was first proposed by Jack Dennis in 1966 for the Multics operating system. A capability is a token (a number, a handle, a reference) that simultaneously identifies a resource and grants authority to access it. The two functions — identification and authorization — are merged into a single object.

Why It Matters

Traditional security systems separate identification from authorization. A user proves who they are (authentication), then a separate system checks whether that identity has permission to perform an action (authorization). This separation creates vulnerabilities. Programs can act with authority that was granted to them for one purpose but used for another. Attackers can escalate privileges by tricking the authorization system. Capability-based security eliminates these problems by embedding authority in the reference itself.

The Key Idea

Four principles define capability-based security:

  1. Possession conveys authority. Holding a capability is the only requirement to use the resource it points to. There is no additional check, no gatekeeper, no query to a permissions database.
  2. Capabilities are unforgeable. You cannot guess, manufacture, or discover a capability. It must be given to you by someone who already has it, or created by the system with proper authority. Unforgeability means capabilities are typically large random numbers or cryptographic tokens that cannot be predicted.
  3. Delegation is safe. Passing a capability to another party is the only way to grant access. When you delegate, you do not open a back door or create a new permission entry. You simply hand over the same reference. The recipient can use it exactly as you could (unless you attenuate it first).
  4. Attenuation is possible. A parent capability can be used to create a child capability with narrower scope: fewer operations, shorter time limit, or a maximum number of uses. The child cannot be expanded back to the parent's scope. This allows safe delegation of partial authority.

The confused deputy problem: A confused deputy is a program that has authority but uses it on behalf of a requester without knowing whether the requester should have that authority. Example: a compiler runs with system privileges. A user asks it to write output to a protected file. The compiler, acting as a deputy, uses its own authority to write the file. The user has escalated privilege through the confused compiler. Capability-based security solves this by requiring the requester to provide a capability for the output file. The compiler does not use its own authority. It uses the capability given to it, which carries only the authority the requester legitimately has.

What It Got Right

  • Eliminates ambient authority. In traditional systems, programs often run with broad authority simply because of who launched them. Capability systems have no ambient authority. Every action requires a specific capability.
  • Removes privilege escalation through guessing. Attackers cannot enumerate permissions or discover access paths. Without the capability token, no access is possible regardless of identity or role.
  • Solves the confused deputy problem. Authority travels with the capability, not with the program's identity. Programs use the caller's authority, not their own.
  • Delegation is explicit and auditable. Every transfer of authority is the transfer of a tangible token. There are no invisible permission grants.

What It Got Wrong or Left Unfinished

  • No mainstream operating system adopted it fully. Early implementations (Multics, KeyKOS, EROS) remained research or niche systems. Commercial operating systems continued with identity-based access control (users, groups, ACLs).
  • Revocation is difficult. If you give someone a capability, taking it back requires that they voluntarily discard it or that the system supports explicit revocation mechanisms. Simple capability systems do not handle revocation well.
  • Integration with existing systems is hard. Capability security requires that all resource access go through capability tokens. Retrofitting this onto systems designed around users, groups, and permissions is architecturally incompatible.

How It Connects to Other Ideas

  • Object-oriented programming (Alan Kay): Both models treat a reference as authority. Holding an object reference lets you send it messages. Holding a capability lets you use a resource. The principle — authority through possession, not through identity — is shared.
  • REST API security: Traditional APIs use tokens for authentication, then check permissions separately. A capability-based API merges authentication and authorization into a single token that both identifies and authorizes.

Sources

  • Dennis, Jack B., and Earl C. Van Horn. "Programming Semantics for Multiprogrammed Computations." Communications of the ACM, 1966.
  • Hardy, Norman. "The KeyKOS Architecture." Operating Systems Review, 1985.
  • Shapiro, Jonathan S., et al. "EROS: A Fast Capability System." Proceedings of the 17th ACM Symposium on Operating Systems Principles, 1999.
  • Miller, Mark S., et al. "Capability-based Financial Instruments." Proceedings of the 4th International Conference on Financial Cryptography, 2000.

---

Up the tree

Related on this shelf

Machine surfaces

  • Public page: https://miscsubjects.com/a/what-is-capability-security
  • JSON article: https://miscsubjects.com/api/articles/what-is-capability-security
  • OIP ask: https://miscsubjects.com/api/dispatch?ask=What%20Is%20Capability-Based%20Security

what-is-capability-security · condition map

Evidence map

Hover a node — its path lights up. Click to open the article.

Full map →
20
Protocol Concepts on shelf
Talk to this article
Tap a phone. Ask anything about What Is Capability-Based Security. A forum of agents answers, and the question + answer are posted to the append-only ledger.
Questions queue for the coding-agent forum (one answer per cron tick). Real phone instead: iMessage +14245134626 · WhatsApp. Thread + proof: JSON · ledger.
Ask this article · 2 suggested prompts

Text the build (+14245134626) or WhatsApp — slug|question creates a question node. Paste evidence with ingest slug|q:NODE_ID|your paste.

For my medical situation, what can you answer from your catalogue about What Is Capability-Based Security — and what would you need me to tell you first?
ask what-is-capability-security condition gaps · paste includes §SELF
What good and bad outcomes are documented for What Is Capability-Based Security (studies vs anecdotes)?
ask what-is-capability-security good bad experiences · paste includes §SELF
Add your experience or question
Think this article is wrong?
Call bullshit on CharlieOS →
Loading more articles…