An implementation of capability-based security for the general-purpose microkernel

Baskov E.S. (ISP RAS, Moscow, Russia; MIPT, Dolgoprudny, Moscow Region, Russia)
Khoroshilov A.V. (ISP RAS, Moscow, Russia; MIPT, Dolgoprudny, Moscow Region, Russia; NRU HSE, Moscow, Russia; MSU, Moscow, Russia)
Petrenko A.K. (ISP RAS, Moscow, Russia; MIPT, Dolgoprudny, Moscow Region, Russia; NRU HSE, Moscow, Russia)

Abstract

Capability-based security is a flexible access control mechanism. It is widely adopted by both mainstream operating systems and research microkernels to control access to operating system kernel objects. Implementation details vary significantly because kernels prioritize different trade-offs. A considerable part of these details is poorly documented and is available only in the source code. Moreover, different developers use non-standard, divergent terminology. The paper describes the implementation details of capability-based security in several kernels, highlights their specifics and discusses how they affect potential system security and performance. The paper also presents a capability-based security model implemented in Sol, an experimental general-purpose microkernel. The implementation is designed to deliver high scalability on modern multicore microprocessors while preserving the security features found in other state-of-the-art implementations. The key element of the design is a capability storage built on top of a user-managed radix tree and reference counting, featuring fast and scalable lock-free operations. It supports partial capabilities, a policy-free capability list structure, access revocation for specific objects and multi-threaded operations, all while maintaining a low overhead of two machine words per object and three words per revocable reference. Allowing arbitrary structures within per-thread capability namespaces complicates resource management because of potential reference cycles. To address this issue, we propose two techniques: the first restricts the nesting of radix tree nodes to an acyclic graph, while the second introduces a mechanism to retrieve lost thread references, a feature that also proves useful for emulating the POSIX process ID namespace.
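The abstract names the building blocks of the Sol capability storage (a radix tree holding capability slots, reference-counted kernel objects, partial capabilities and per-object revocation) without showing how they fit together. The following C model, added here and not taken from the paper or from the Sol source, illustrates those mechanisms in isolation: a two-level radix tree indexed by a 16-bit capability address, a rights mask per slot so that a minted copy can only narrow authority, and revocation that clears every slot referring to one object and drops its references. The type and function names, the 8-bit radix, the rights bits and the object identifiers are all assumptions made for this example; the paper's lock-free multithreaded operations, its two-word/three-word layout, per-thread namespaces with cycle restrictions and lost-reference retrieval are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative capability space (example code, not the Sol kernel's layout):
 * a two-level radix tree indexed by a 16-bit address, 8 bits per level. */
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define RIGHT_GRANT 0x4u            /* holder may mint derived capabilities */
#define RADIX_BITS  8
#define RADIX_SIZE  (1u << RADIX_BITS)

typedef struct kobject {
    uint32_t refcount;  /* owner reference plus one per capability slot */
    uint32_t id;        /* constructed identifier, used only for checks */
} kobject_t;

typedef struct cap_slot {
    kobject_t *obj;     /* NULL means the slot is empty */
    uint32_t   rights;  /* subset of the rights held by the minting slot */
} cap_slot_t;

typedef struct { cap_slot_t slots[RADIX_SIZE]; } cap_leaf_t;
typedef struct { cap_leaf_t *leaves[RADIX_SIZE]; } cap_space_t;

kobject_t *kobject_new(uint32_t id) {
    kobject_t *o = calloc(1, sizeof *o);
    if (o) { o->refcount = 1; o->id = id; }
    return o;
}

/* Drop one reference; the object is freed when the last one goes away. */
void kobject_put(kobject_t *o) {
    if (o && --o->refcount == 0) free(o);
}

/* Walk the radix tree to the slot for addr; allocate the leaf if create != 0. */
static cap_slot_t *cspace_slot(cap_space_t *cs, uint16_t addr, int create) {
    cap_leaf_t **lp = &cs->leaves[addr >> RADIX_BITS];
    if (!*lp) {
        if (!create) return NULL;
        *lp = calloc(1, sizeof **lp);
        if (!*lp) return NULL;
    }
    return &(*lp)->slots[addr & (RADIX_SIZE - 1)];
}

/* Install a capability to obj at addr; fails if the slot is already in use. */
int cap_install(cap_space_t *cs, uint16_t addr, kobject_t *obj, uint32_t rights) {
    cap_slot_t *s = cspace_slot(cs, addr, 1);
    if (!s || s->obj) return -1;
    s->obj = obj;
    s->rights = rights;
    obj->refcount++;
    return 0;
}

/* Mint a partial capability: the source must carry RIGHT_GRANT and the new
 * rights must be a subset of the source's, so authority can only be narrowed. */
int cap_mint(cap_space_t *cs, uint16_t src, uint16_t dst, uint32_t rights) {
    cap_slot_t *s = cspace_slot(cs, src, 0);
    if (!s || !s->obj || !(s->rights & RIGHT_GRANT)) return -1;
    if (rights & ~s->rights) return -1;       /* would amplify authority */
    return cap_install(cs, dst, s->obj, rights);
}

/* Authorization check: the slot must be populated and hold every needed right. */
int cap_check(cap_space_t *cs, uint16_t addr, uint32_t needed) {
    cap_slot_t *s = cspace_slot(cs, addr, 0);
    return s && s->obj && (s->rights & needed) == needed;
}

/* Revoke every capability to obj held in this space; returns slots cleared. */
size_t cap_revoke_object(cap_space_t *cs, kobject_t *obj) {
    size_t n = 0;
    for (unsigned i = 0; i < RADIX_SIZE; i++) {
        cap_leaf_t *leaf = cs->leaves[i];
        if (!leaf) continue;
        for (unsigned j = 0; j < RADIX_SIZE; j++) {
            if (leaf->slots[j].obj != obj) continue;
            leaf->slots[j].obj = NULL;
            leaf->slots[j].rights = 0;
            kobject_put(obj);                 /* drop the slot's reference */
            n++;
        }
    }
    return n;
}

/* Release every remaining capability and free the tree. */
void cspace_destroy(cap_space_t *cs) {
    for (unsigned i = 0; i < RADIX_SIZE; i++) {
        cap_leaf_t *leaf = cs->leaves[i];
        if (!leaf) continue;
        for (unsigned j = 0; j < RADIX_SIZE; j++)
            if (leaf->slots[j].obj) kobject_put(leaf->slots[j].obj);
        free(leaf);
        cs->leaves[i] = NULL;
    }
}

int main(void) {
    cap_space_t cs = {0};
    kobject_t *obj = kobject_new(7);
    cap_install(&cs, 0x0101, obj, RIGHT_READ | RIGHT_WRITE | RIGHT_GRANT);
    cap_mint(&cs, 0x0101, 0x0202, RIGHT_READ);              /* partial capability */
    printf("0x0202 may write: %d\n", cap_check(&cs, 0x0202, RIGHT_WRITE));
    printf("revoked %zu slots\n", cap_revoke_object(&cs, obj));
    cspace_destroy(&cs);
    kobject_put(obj);                                       /* owner reference */
    return 0;
}
```

The example keeps an owner reference on the object separate from the slot references, so revocation never frees an object that the creating thread still holds; the paper's lost-reference problem arises precisely when such a holder disappears without dropping its reference, which this model does not attempt to solve.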

Keywords

access control mechanism; capability-based security; microkernel; general purpose operating systems.

Edition

Proceedings of the Institute for System Programming, vol. 38, issue 3, part 4, 2026, pp. 17-36

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2026-38(3)-44

For citation

Baskov E.S., Khoroshilov A.V., Petrenko A.K. An implementation of capability-based security for the general-purpose microkernel. Proceedings of the Institute for System Programming, vol. 38, issue 3, part 4, 2026, pp. 17-36 DOI: 10.15514/ISPRAS-2026-38(3)-44.

Full text of the paper is available in PDF (in Russian).