Best Answer

1. Access Control Lists

An ACL system has at least five namespaces whose relationships need to be considered:

  1. The namespace of file names: /tmp/foo

  2. The namespace of unique object identifiers: (dev 22, inode 36, type file)

  3. The namespace of user identities (uid 52476)

  4. For each object type (file, disk, terminal, ...), the namespace of operations that object can perform.

  5. The namespace of process identifiers (process 719)

In an access list system, it is assumed that there are two global mappings:

principal: process identity -> user identity
fs_lookup: file name -> object identity

That is, every process has an assigned user identity and every file name can be translated into a unique object identifier. Hanging off of every unique object is a further mapping:

acl: (object identity, user identity) -> operation(s)

Given a process proc that wishes to perform an operation op on an object object, the protection mechanism in an access list system is to test the following predicate:

op in acl(object, principal(p))

In the special case of the "open" call, this test is modified to be:

op in acl(fs_lookup(filename), principal(p))

2. Capability Systems

A capability system has at least four namespaces whose relationships need to be considered:

  1. The namespace of unique object identifiers: (dev 22, inode 36, type file)

  2. For each object type (file, disk, terminal, ...), the namespace of operations that object can perform.

  3. The namespace of process identifiers (process 719)

  4. The namespace of capabilities (object 10, operation set S)

In a capability system, it is assumed that there is one local mapping for each process

cap: (process identity, index) -> capability

That is, every process has a list of capabilities. Each capability names an object and also names a set of legal operations on that object.

There are also two "accessor" functions:

obj: capability -> object identity
ops: capability -> operations

Given a process proc that wishes to perform an operation op on an object object, the process must first possess a capability naming that object. That is, it must possess a capability at some index i such that

object == obj(caps(p,i))

To perform an operation, the process names the "index" i of that capability to be invoked from the per-process list. The protection mechanism in a capability system is to test the following predicate:

op in ops(caps(p,i))

Capability systems typically do not have a distinguished "open" call.

3. Some Differences

This section is incomplete.

Simply comparing the predicates shows that there is a significant difference between the two systems:

ACL:        op in acl(object, principal(p))
Capability: op in ops(caps(p,i))

An obvious difference is that the capability model makes no reference to any notion of "principal".

Another obvious difference is that the capability model has a parameter "i". This allows the process to specify which authority it wants to exercise, which is why only the capability model can solve the confused deputy problem.

Wiki User

14y ago
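The two predicates in the answer above, as a small executable model. This is an added illustration, not code from the original answer: the object identifiers, file names, user names, process numbers and permissions are all constructed sample data, and the "compiler" deputy that writes its output wherever the client asks is the classic scenario the answer's last paragraph alludes to. The ACL half keys its table on object identity and routes `open` through `fs_lookup`, exactly as in sections 1 and 2; the capability half carries no principal at all and selects authority by index `i`.

```python
"""Toy executable model of the ACL and capability predicates from the answer.
Added illustration: not code from the original answer.  Every identity,
file name and permission below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ObjectId = Tuple[int, int, str]          # (dev, inode, type), as in the answer

# ---- namespaces shared by both models (constructed) ----
FS_LOOKUP: Dict[str, ObjectId] = {       # fs_lookup: file name -> object identity
    "/home/alice/prog.c": (22, 36, "file"),
    "/home/alice/prog.o": (22, 37, "file"),
    "/var/log/billing":   (22, 90, "file"),
}
PROG_C = FS_LOOKUP["/home/alice/prog.c"]
PROG_O = FS_LOOKUP["/home/alice/prog.o"]
BILLING = FS_LOOKUP["/var/log/billing"]

ALICE, COMPILER = 719, 720               # process identifiers (constructed)

# ---- access-list model: two global mappings plus a per-object acl ----
PRINCIPAL: Dict[int, str] = {ALICE: "alice", COMPILER: "compiler_svc"}  # process -> user
ACL: Dict[Tuple[ObjectId, str], FrozenSet[str]] = {    # (object, user) -> operations
    (PROG_C, "alice"):         frozenset({"read", "write"}),
    (PROG_O, "alice"):         frozenset({"read", "write"}),
    (PROG_C, "compiler_svc"):  frozenset({"read"}),
    (PROG_O, "compiler_svc"):  frozenset({"write"}),
    (BILLING, "compiler_svc"): frozenset({"write"}),   # the deputy's own log file
}

def acl_check(pid: int, obj: ObjectId, op: str) -> bool:
    """op in acl(object, principal(p))"""
    return op in ACL.get((obj, PRINCIPAL[pid]), frozenset())

def acl_open(pid: int, filename: str, op: str) -> bool:
    """The 'open' special case: op in acl(fs_lookup(filename), principal(p))"""
    return acl_check(pid, FS_LOOKUP[filename], op)

# ---- capability model: one per-process list, no principal anywhere ----
@dataclass(frozen=True)
class Capability:
    obj: ObjectId                        # obj(c)
    ops: FrozenSet[str]                  # ops(c)

CAPS: Dict[int, List[Capability]] = {    # cap: (process, index) -> capability
    ALICE:    [Capability(PROG_C, frozenset({"read", "write"})),
               Capability(PROG_O, frozenset({"read", "write"}))],
    COMPILER: [Capability(BILLING, frozenset({"write"}))],
}

def cap_check(pid: int, i: int, op: str) -> bool:
    """op in ops(caps(p, i)); the index i says WHICH authority is exercised.
    An index the process does not hold is simply a failed check."""
    caps = CAPS.get(pid, [])
    return 0 <= i < len(caps) and op in caps[i].ops

# ---- confused deputy: a compiler service writes output where the client says ----
def compile_via_acl(client_pid: int, out_name: str) -> bool:
    """ACL deputy: the client supplies only a NAME.  The check is made with the
    deputy's own principal, so all of the deputy's ambient authority applies,
    including its right to write the billing log the client could never touch."""
    return acl_open(COMPILER, out_name, "write")

def compile_via_caps(client_pid: int, client_index: int) -> bool:
    """Capability deputy: the client hands over one of ITS capabilities (by index
    in its own list).  The deputy invokes that slot, never its billing capability,
    so it cannot be tricked into using authority the client does not possess."""
    handed_over = CAPS[client_pid][client_index]          # delegation
    CAPS[COMPILER].append(handed_over)                    # deputy's new slot
    return cap_check(COMPILER, len(CAPS[COMPILER]) - 1, "write")
```

Run `compile_via_acl(ALICE, "/var/log/billing")` and it succeeds although `acl_open(ALICE, "/var/log/billing", "write")` is false: the deputy was confused by a name. Under the capability model Alice can only pass an index into her own list, and no entry of that list names the billing object, so the same attack has no expression.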
Q: What is difference between capabilities list and access list?