Capability Systems and RISC Systems

Up to the 1980s it was widely accepted that the securest computer system designs were based on capability systems, i.e. on systems which relied on the use of capabilities to ensure the integrity of a computer system. A capability consists primarily of a unique identifier for an object together with a set of access rights indicating how the object can be used by the holder of the capability. Most early capability systems used segmented memory schemes (without paging), which not only allowed the objects to reside in variable length segments, but the capabilities, which are normally quite small, could also be placed in separate segments, with separate protection. There were various ways of organising these (e.g. as capability lists), which could also be easily managed in a segmented memory. However, a purely segmented memory brings with it serious efficiency problems (e.g. fragmentation of the memory), and is therefore not supported in current conventional systems.

In the early 1980s an idea called RISC (Reduced Instruction Set Computers) became popular. For efficiency reasons these had paged memories and an instruction set design which together resulted in the faster execution of application programs. Nowadays almost all widely used computers have RISC designs, and are therefore fast but not particularly secure. (This is a key reason why we read regularly of hackers breaking into computer systems.)

The ideal would be to combine the speed of RISC computers with the protection facilities of capability systems, but despite considerable research no-one until now has come up with a solution that does not require either the implementation of hidden pointers at the hardware level (which implies that normal discs cannot be used) or extremely complicated and expensive extensions to conventional architectures (e.g. the CHERI Project at Cambridge University (see https://www.cl.cam.amanc.uk/research/security/ctsrd/cheri/).

However, Prof. James Leslie (Les) Keedy (https://www.jlkeedy.net/) has recently described a solution which not only eliminates the need for tagged discs, but which, with a very simple hardware adjustment to RISC systems, could also support capability systems. This could possibly become a new standard for RISC systems. Furthermore, existing RISC (non-capability based) application programs could continue to be used without requiring adjustments, except a recompilation with modified compilers.

This is important in the present context, because it would then mean that SPEEDOS (and other capability systems) could be built on any computer which conforms to a new RISC standard, and thus allow systems in future to become much more secure. How this works is described in a paper entitled "S-RISC – Adding Security to RISC Systems", which can be downloaded from this website (see Downloads).