Capability-based security
Capability-based security is one of the concepts for designing highly secure computers.
Property | Value |
---|---|
dbo:abstract | Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a transferable, unforgeable token of authority. It refers to a value that uniquely references an object along with an associated set of access rights. By virtue of being held by a process that uses the referenced object, the capability token grants that process the ability to interact with the object in certain ways. In a capability-based system, it is the user who must present their authorization capability (and prove ownership of it) to the service provider, whereas in a traditional ACL system it is the service provider who must check whether the user is directly or indirectly (for example, through a role held by the user) authorized to perform the requested operation on the requested resource. (cs) Capability-based security (German: Berechtigungsbasierte Sicherheit[-srichtlinien]) is a security concept from the field of computer administration. A capability (German: Fähigkeit or Berechtigung), also known in some systems as a key, is a communicable and unalterable authentication token. It refers to a value that represents an object and a matching set of access rights. A user's computer program running on a capability-based operating system must hold the corresponding capabilities/rights in order to access objects. Capability-based security refers to the principle that computer programs communicate with one another according to the principle of least privilege and assign capabilities to each other accordingly, and that the operating system has the appropriate infrastructure to operate effectively and securely. Capability-based security stands in contrast to the ring or domain method (hierarchical protection domains). Most operating systems implement facilities that resemble these capabilities. These often do not offer enough support for exchanging capabilities between the operating system and unknown entities to serve as the primary authority for access rights. A capability-based system, in contrast, is designed for exactly that. The capabilities discussed in this article should not be confused with POSIX. (de) Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Access Control Lists. Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind. (en) The term capability is a concept used in computer security and is one of the existing security models. A capability (also known as a key) is a communicable, unforgeable token of authority. It consists of a value that references an object together with a collection of access rights. A user program running on a capability-based operating system must use a capability to access an object. A capability-based security system is the design principle that allows user programs to exchange capabilities directly, following the principle of least privilege, and allows the operating system infrastructure to make these exchanges efficient and secure. Although many operating systems implement mechanisms that resemble capabilities, they usually do not support the exchange of capabilities between entities as the primary method of authorizing and distributing access rights. That, by contrast, is precisely the purpose of a capability-based system. This security system takes an approach that contrasts with the one introduced by hierarchical protection domains. The term capability, as used in this article, should not be confused with the word of the same name associated with POSIX 1e/2c. The latter is a system that provides coarser-grained privileges that cannot be transferred between processes. (it) Capability-based security is one of the concepts for designing highly secure computers. (ja) |
dbo:wikiPageExternalLink | http://www.cs.washington.edu/homes/levy/capabook/Chapter5.pdf http://man7.org/linux/man-pages/man7/capabilities.7.html http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf http://www.cap-lore.com/CapTheory/index.html http://www.erights.org/ http://www.friedhoff.org/posixfilecaps.html http://www.sevagas.com/%3FPOSIX-file-capabilities-the-dark https://www.vultr.com/docs/working-with-linux-capabilities http://doi.ieeecomputersociety.org/10.1109/SECPRI.1989.36277 https://archive.today/20130112225523/http:/www.eros-os.org/essays/capintro.html https://archive.today/20130414162939/http:/www.eros-os.org/pipermail/cap-talk/2003-March/001133.html https://web.archive.org/web/20031029002231/http:/www.eros-os.org/ http://portal.acm.org/citation.cfm%3Fid=319163&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 http://portal.acm.org/citation.cfm%3Fid=361070&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 http://portal.acm.org/citation.cfm%3Fid=538134&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 http://portal.acm.org/citation.cfm%3Fid=801885&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 http://portal.acm.org/citation.cfm%3Fid=850701&coll=&dl=ACM&CFID=15151515&CFTOKEN=6184618 http://portal.acm.org/citation.cfm%3Fid=850709&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618 http://www.ibm.com/developerworks/library/l-posixcap/ http://www.linuxjournal.com/magazine/making-root-unprivileged http://www.cs.washington.edu/homes/levy/capabook/ |
dbo:wikiPageID | 539717 (xsd:integer) |
dbo:wikiPageLength | 13569 (xsd:nonNegativeInteger) |
dbo:wikiPageRevisionID | 1113013984 (xsd:integer) |
dbo:wikiPageWikiLink | dbr:CapROS dbr:Carnegie_Mellon_University dbr:Principle_of_least_privilege dbr:Kernel_(computer_science) dbr:Hydra_(operating_system) dbr:Intel_iAPX_432 dbr:Tymshare dbr:Computer_security dbr:Object_(computer_science) dbr:FreeBSD dbr:GNOSIS dbr:Genode dbr:Google_Fuchsia dbr:Confused_deputy_problem dbr:Li_Gong_(computer_scientist) dbr:Computer_program dbr:Computer_security_model dbr:Path_(computing) dbr:Plessey_System_250 dbr:Data_structure dbr:WebAssembly dbr:E_programming_language dbr:AS/400 dbr:Access_Control_Lists dbr:Access_control dbr:Access_control_list dbr:Amoeba_(operating_system) dbr:Ambient_authority dbr:POSIX dbr:Capsicum_(Unix) dbr:Handle_(computing) dbr:Extremely_Reliable_Operating_System dbr:Reference_(computer_science) dbr:ACM_Computing_Surveys dbr:Access_token dbc:Access_control dbc:Computer_security_models dbr:KeyKOS dbr:L4_microkernel_family dbr:TU_Dresden dbr:Tahoe-LAFS dbr:C.mmp dbc:Capability_systems dbr:File_descriptor dbr:Capability-based_addressing dbr:Capability-based_operating_system dbr:Serialization dbr:User_(computing) dbr:Flex_machine dbr:Orthogonal_persistence dbr:Unix_permissions dbr:System/38 dbr:Cambridge_CAP_computer dbr:Plessey_250 dbr:Privilege_(computer_science) dbr:Security_hole |
dbp:wikiPageUsesTemplate | dbt:Cite_journal dbt:ISBN dbt:Reflist dbt:Short_description dbt:Object-capability_security |
dcterms:subject | dbc:Access_control dbc:Computer_security_models dbc:Capability_systems |
gold:hypernym | dbr:Concept |
rdf:type | yago:WikicatComputerSecurityModels yago:Assistant109815790 yago:CausalAgent100007347 yago:LivingThing100004258 yago:Model110324560 yago:Object100002684 yago:Organism100004475 yago:Person100007846 yago:PhysicalEntity100001930 yago:Worker109632518 yago:YagoLegalActor yago:YagoLegalActorGeo yago:Whole100003553 |
rdfs:comment | Capability-based security is one of the concepts for designing highly secure computers. (ja) Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a transferable, unforgeable token of authority. It refers to a value that uniquely references an object along with an associated set of access rights. By virtue of being held by a process that uses the referenced object, the capability token grants that process the ability to interact with the object in certain ways. In a capability-based system, it is the user who must present their authorization capability (and prove ownership of it) to the service provider, whereas in a traditional ACL system it is the service provider who must check whether the user is directly or indirectly (for example, through (cs) Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Acc (en) Capability-based security (German: Berechtigungsbasierte Sicherheit[-srichtlinien]) is a security concept from the field of computer administration. A capability (German: Fähigkeit or Berechtigung), also known in some systems as a key, is a communicable and unalterable authentication token. It refers to a value that represents an object and a matching set of access rights. A user's computer program running on a capability-based operating system must hold the corresponding capabilities/rights in order to access objects. (de) The term capability is a concept used in computer security and is one of the existing security models. A capability (also known as a key) is a communicable, unforgeable token of authority. It consists of a value that references an object together with a collection of access rights. A user program running on a capability-based operating system must use a capability to access an object. (it) |
rdfs:label | Zabezpečení založené na způsobilosti (cs) Capability-based security (de) Capability-based security (en) Capability (it) Capability-based security (ja) |
owl:sameAs | freebase:Capability-based security yago-res:Capability-based security wikidata:Capability-based security dbpedia-cs:Capability-based security dbpedia-de:Capability-based security dbpedia-it:Capability-based security dbpedia-ja:Capability-based security dbpedia-lmo:Capability-based security dbpedia-vi:Capability-based security https://global.dbpedia.org/id/AdUq |
prov:wasDerivedFrom | wikipedia-en:Capability-based_security?oldid=1113013984&ns=0 |
foaf:isPrimaryTopicOf | wikipedia-en:Capability-based_security |
is dbo:knownFor of | dbr:Mark_S._Miller |
is dbo:wikiPageDisambiguates of | dbr:Capability |
is dbo:wikiPageRedirects of | dbr:Capability-Based_Computer_Systems dbr:Capability_based_security dbr:Capability_security dbr:Capsicum_Capabilties |
is dbo:wikiPageWikiLink of | dbr:CapROS dbr:Encapsulation_(computer_programming) dbr:Principle_of_least_privilege dbr:Privilege_separation dbr:Department_of_Computer_Science_and_Technology,_University_of_Cambridge dbr:Hydra_(operating_system) dbr:Capability dbr:E_(programming_language) dbr:Information_security dbr:Intel_iAPX_432 dbr:Comparison_of_operating_systems dbr:Computer_security dbr:Maurice_Wilkes dbr:Rust_(programming_language) dbr:RSBAC dbr:Clustered_file_system dbr:FreeBSD dbr:Fuchsia_(operating_system) dbr:GNOSIS dbr:Genode dbr:NLTSS dbr:Confused_deputy_problem dbr:Context-based_access_control dbr:Comparison_of_operating_system_kernels dbr:Computer_access_control dbr:Computer_security_model dbr:Plessey dbr:Plessey_System_250 dbr:Pointer_(computer_programming) dbr:Mark_S._Miller dbr:Microkernel dbr:CRIU dbr:WebAssembly dbr:William_Wulf dbr:Distributed_object dbr:Lattice-based_access_control dbr:ALGOL_68C dbr:Access_control dbr:Actor_model dbr:EROS_(microkernel) dbr:Ambient_authority dbr:Capsicum_(Unix) dbr:Discretionary_access_control dbr:Graph-based_access_control dbr:Handle_(computing) dbr:Attribute-based_access_control dbr:Accent_kernel dbr:Access-control_list dbr:Access_control_expression dbr:Access_control_matrix dbr:KeyKOS dbr:L4_microkernel_family dbr:Symbian dbr:Transparency_(human–computer_interaction) dbr:Secure_cryptoprocessor dbr:Authorization dbr:Authorization_certificate dbr:Marc_Stiegler dbr:Mark_Granovetter dbr:C.mmp dbr:CAP_computer dbr:File_descriptor dbr:File_system dbr:Microprocessor dbr:Midori_(operating_system) dbr:OCaml dbr:Object-capability_model dbr:Organisation-based_access_control dbr:Capability-based_addressing dbr:Capability-based_operating_system dbr:Capability_management dbr:RPyC dbr:Secure_Scuttlebutt dbr:Mandatory_access_control dbr:Sandbox_(computer_security) dbr:Shatter_attack dbr:Unix_domain_socket dbr:Risk-based_authentication dbr:Security-focused_operating_system dbr:Exokernel dbr:Ptrace dbr:Role-based_access_control dbr:Security_Identifier dbr:Capability-Based_Computer_Systems dbr:Capability_based_security dbr:Capability_security dbr:Capsicum_Capabilties |
is dbp:family of | dbr:CapROS dbr:Hydra_(operating_system) dbr:GNOSIS dbr:NLTSS dbr:EROS_(microkernel) dbr:KeyKOS dbr:Midori_(operating_system) |
is dbp:knownFor of | dbr:Mark_S._Miller |
is foaf:primaryTopic of | wikipedia-en:Capability-based_security |