A Note on "Protection Imperfect"

Codie Wells
Key Logic
5200 Great America Parkway
Santa Clara, CA 95054-1108

This note originally appeared in Operating Systems Review, vol. 22 no. 4.


Carole Hogan, in a recent Operating Systems Review article [1], presented the requirements and characteristics of operating systems adhering to the principle of complete mediation. Her discussion does not apply to contemporary capability-based systems technology.

This note considers the principle of complete mediation from a capability point of view. As Hogan states: "complete mediation advocates verifying that every access to every object is authorized," but this does not support her statement that "it implies that a foolproof method for identifying the source of every request must be devised." Such is not the case in capability-based technology.

Complete mediation in capability-based systems

In capability-based systems the possession of a capability is sufficient authority to invoke the object it designates; requests can only be made if one holds the appropriate capability. Therefore, every request for access to an object is legitimate. Possession of a capability is like pre-authorized access privilege. Security policies enforced by capability systems have nothing to do with invoking capabilities, and have everything to do with the control of their propagation.

KeyKOS is a capability-based system [2] in production since 1983, and currently in the Developmental Evaluation Program under the auspices of the National Computer Security Center. In this system, "factories" (U.S. patent No. 4,584,639) provide for the secure creation of sets of objects in compartments with discernible external communications capabilities. Since capabilities can only be communicated between such compartments by these external communications capabilities, one can control their propagation and enforce a range of security policies.
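The following toy model is an added illustration, not KeyKOS code or its API: it shows mediation that checks only possession, never the requester's identity, and policy expressed as control over which channels a compartment holds. The class names (Capability, Store, Channel, Compartment), the build() scenario and the "payroll" data are constructed for this example, and the model assumes compartments act only through invoke(), since Python itself does not make references unforgeable.

```python
class Capability:
    """Designates one object and the operations it conveys on that object."""
    def __init__(self, target, rights):
        self.target, self.rights = target, frozenset(rights)

class Store:
    """Constructed sample object to protect."""
    def __init__(self, data):
        self.data = data
    def read(self):
        return self.data

class Channel:
    """Communications object: the only path a capability can travel between compartments."""
    def __init__(self, name):
        self.name, self.queue = name, []
    def send(self, cap):
        self.queue.append(cap)
    def receive(self):
        return self.queue.pop(0)

class Compartment:
    def __init__(self, name, caps=()):
        self.name, self.clist = name, list(caps)  # c-list: all it can designate

    def holds(self, cap):
        return any(held is cap for held in self.clist)

    def invoke(self, cap, op, *args):
        # Mediation consults possession only; the requester's identity is never examined.
        passed = [a for a in args if isinstance(a, Capability)]
        if not all(self.holds(c) for c in [cap, *passed]):
            raise PermissionError(f"{self.name} does not hold that capability")
        if op not in cap.rights:
            raise PermissionError(f"capability does not convey {op!r}")
        result = getattr(cap.target, op)(*args)
        if isinstance(result, Capability):
            self.clist.append(result)  # a received capability joins the c-list
        return result

    def external_channels(self):
        """Propagation audit: every channel this compartment can reach."""
        return sorted(c.target.name for c in self.clist if isinstance(c.target, Channel))

def build():
    """Constructed scenario: A holds the secret and a send end; B a receive end; C is confined."""
    secret, link = Capability(Store("payroll"), {"read"}), Channel("a-to-b")
    a = Compartment("A", [secret, Capability(link, {"send"})])
    b = Compartment("B", [Capability(link, {"receive"})])
    return a, b, Compartment("C"), secret
```

In this model B can read the store only after A sends the capability over the shared channel, while C, whose external_channels() list is empty, has no path by which the capability could ever reach it.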

Security policies ranging from open systems (where any user may access any object), through high-level mandatory security policies [3], to policies which support mutually suspicious users, and defeat Trojan horse, virus, and similar security threats, are supported by KeyKOS [4].


  1. Hogan, C.B., "Protection Imperfect: The Security of Some Computing Environments," Operating Systems Review, Association for Computing Machinery, 22, 3, July 1988.
  2. Hardy, N., "KEYKOS Architecture," Operating Systems Review, Association for Computing Machinery, September, 1985. (Also available in a modified version as publication KLO68 from Key Logic.)
  3. Department of Defense Trusted Computer System Evaluation Criteria, U.S. Department of Defense, DOD 5200.28-STD, December, 1985.
  4. KeyKOS and Mutually Suspicious Users (KL108), Key Logic, 1987.