Capability-Based Addressing

R. S. Fabry @ UC-Berkeley

Communications of the ACM, July 1974, pages 403-412


Capability: absolute address of and access permission for an object
Absolute address should be never changed nor reused even after the object gets deleted from the system
Capability as a protection mechanism has been discussed before, e.g., HYDRA
In this paper capability as an addressing scheme is discussed
Objects are addressed by capabilities
User program can read, store, and restore capabilities
to/from memory and register
to/from disk
Segmenting is a good mechanism to address and share objects among processes
Segments, however, are referenced by a virtual address, which is process-specific:
Each process has its own segment table which maps segments to process-specific segment number

The Problem of Shared Segment References
If segments are referenced by a process-dependent way, such as
segment number of process segment table,
sharing segments is impossible. See Fig 2.

Context-Independent Addresses

We need a scheme in which objects are addressed in a process-independent way and still relocatable

Solution 1: Uniform Address

Make shared segments referenced by the same way (such as the same seg #) by all processes sharing them
Segment numbers of shared segments should be assigned centrally
Ruled out the possibility of a process executing several independently constructed segments
Burrough System takes this approach
User should builds all her program at once -> Compiler assigns segment number and embeds the number within call statement

Solution 2: Indirect Evaluation - Multics approach

Introduce one more level of indirection: See Fig 4
Each independently written function has its own linkage segment per process
Addresses in the shared function are indexes into the linkage segment for the process
Entries of the linkage segment indexes back into the process's segment table
Linkage segment is dynamically created when the process executes the shared function first time
Extra space for linkage segments, extra overhead, extra memory reference
Different kind of segments: process segment & linkage segment
No provision for inter-related but independently prepared data segments

Solution 3: Multiple Segment Table

Segment table per the pair of (process, function)
Segment numbers appearing in a function index into the segment table of (the process, the function)
Process-wide information is lost
If a parameter being passed is an address (segment number + offset), the segment number is the index into the caller's segment table, but NOT the callee's segment table.

Solution 4: Capability Addressing

Use capabilities (= absolute address) to address anything
Process dependent object (data objects in Fig 6) can be correctly addressed by loading the absolute address into the predefined register--actually hard-coded in the program: register 0 in Fig 6
The array of registers can be used instead of segment table
Register (including PC) should be able to hold capability
Process independent object (= shared object) can be addressed by simply hard code the address

Comparison of Relative and Absolute Address

Multics's full path name is a kind of absolute address, but cumbersome because it is variable size
Lack of absolute address is one source of inefficiency in terms of linking cost and programming efforts

Hardware Implementation

Integrated solution is required
OS which supports capability mechanism for protection but runs on conventional machines is not sufficient
Machines which are potential to support capability addressing but lacks of supporting OS are not sufficient either

Integrity of Capabilities

Because capabilities contains access control, they should be protected from user program creation and modification
No modification or arithmetic operation on capabilities should be allowed
Two approaches: Tagged & Partition
Tagged Approach
Tag each word as being data or capability
No arithmetic operation on capability
No copy from capability to data, vice versa
Memory waste to store tag
Capability tends to be longer than data
Partition Approach
Partition segments into capability segments and data segments - determined at creation of a segment
Partition registers into capability registers and data registers
No cross partition operation is allowed
Most object needs data and capability at the same time -> two segments per object
Computations get complicated
May require extra disk access for capability segments

Address Translation

To users, capability is just an address
Address = capability of segment + offset
User program can manipulate capabilities as it does conventional address
The capability, however, given by user program should be translated into physical address!
Hardware suggested
Hardware assigns a unique key for each segment upon its creation
Hash Table in disk:
Hashed by the segment key
Each entry has the address of the segment in disk, its size, and access permissions
Hash Table in main memory - a cache of disk hash table for active segments:
Hashed by the segment key
Each entry has:
presence bit
the address of the segment in memory
the address of the segment in disk
segment size
access permissions
Given the capability of an object, which is (unique key of the segment + offset), address translation is obvious


When segments are allocated in terms of "natural" units for the problem, segments become fine-grained enough and mostly smaller than page size
Page is not always the best choice
Even inverse paging--having multiple segments in a page--should be considered

Instruction Sets

Instruction set should be extended so that capability manipulation may be allowed as that of ordinary addresses does
enter instruction suggested
Move the control to the first address of a subroutine
Change the process's capability to that of subroutine
enter access permission also suggested
weaker than read or execute
only allowed to enter the segment through entry points


Because the capability is embedded into each subroutine, using a single stack for a process is not adequate
Solution: each segment for stack frame (activation record) and discard the segment after returning to the caller -> great overhead
Somehow the stack frame of caller should be protected from callee and vice versa


Pros: Recognize the limits of the segment system--sharing segments in relocation system, which is still true
What is absolute address is being challenged:
System-wide unique key is possible, but what if the segment should be shared or copied across systems
World-wide unique key can't be expected!