Capability systems must prevent counterfeiting capabilities. Untrusted programs run that can produce arbitrary bit patterns including those used by the system to represent capabilities. There are several techniques to prevent counterfeiting and, I think, they all amount to enforcing rules to the effect that capabilities are kept in data storage to which untrusted programs have no write access. In short the data comprising capabilities are segregated from the normal program data even though such programs own both their data and capabilities. At the cap abstraction level we shall speak here of two sorts of program state: ‘data’ and ‘capabilities’ and henceforth forget that there are bits inside capabilities. Below the cap level we must still deal with the rôle of bits in capabilities.

The architecture must thus always know the difference between data and capabilities. In conventional two state machines different portions of system memory must be allocated to the data and capabilities of a program and capability memory is not accessible to the instructions of the untrusted programs (everything outside the kernel).

Some historic computers have included extra bits on each ‘word’ of memory to indicate whether the word held data or a capability. The memory is thus ‘segregated’ word by word but we refer to this pattern as integrated. The CPU may have program accessible registers to hold data and other registers to hold capabilities and the program must have an accurate theory about which memory words hold capabilities—such hardware must always enforce the distinction. Some computers had registers that could hold either but then the semantics of the instructions to operate on the register was sensitive to which the register held when the instruction was executed. The system designer must decide on the semantics of standard routines such as memcpy and whether such routines are to copy capabilities found in their operands. The implementation of this routine will be slow if each word must be test for the distinction between data and capability.

Other hardware capability systems segregated capabilities from data by the page rather than the word. The distinction was made by a bit in each page table entry of the memory map. I think that each register in such machines alway held data or always held capabilities. The kernel in such machines manipulated the bits of a capability by having in its address space both kinds of page table entry to the same physical page.

See two state stuff too.