What is the meaning of capability list?

Commercial Software means Software developed or regularly used that: [i] has been sold, leased, or licensed to the general public; [ii] has been offered for sale, lease, or license to the general public; [iii] has not been offered, sold, leased, or licensed to the public but will be available for commercial sale, lease, or license in time to satisfy the delivery requirements of this Contract; or [iv] satisfies a criterion expressed in [i], [ii], or [iii] above and would require only minor modifications to meet the requirements of this Contract.

Cabinet x-ray system means an x-ray system with the x-ray tube installed in an enclosure independent of existing architectural structures except the floor on which it may be placed. The cabinet x-ray system is intended to contain at least that portion of a material being irradiated, provide radiation attenuation, and exclude personnel from its interior during generation of radiation. Included are all x-ray systems designed primarily for the inspection of carry-on baggage at airline, railroad, and bus terminals, and in similar facilities. An x-ray tube used within a shielded part of a building, or x-ray equipment that may temporarily or occasionally incorporate portable shielding, is not considered a cabinet x-ray system.

Technology Compatibility Kit or "TCK" means the documentation, testing tools and test suites associated with the Specification as may be revised by BEA from time to time, that is provided so that an implementer of the Specification may determine if its implementation is compliant with the Specification.

Web Site means any point of presence maintained on the Internet or on any other public data network. With respect to any Website maintained on the World Wide Web, such Website includes all HTML pages [or similar unit of information presented in any relevant data protocol] that either [a] are identified by the same second-level domain [such as infospace.com] or by the same equivalent level identifier in any relevant address scheme, or [b] contain branding, graphics, navigation or other characteristics such that a user reasonably would conclude that the pages are part of an integrated information or service offering.

Interface means the mixture occurring in pipeline operations between adjoining batches having similar or dissimilar physical characteristics.

Central Contractor Registration [CCR] database means the primary Government repository for Contractor information required for the conduct of business with the Government.

Web means the World Wide Web.

Software Program means the software program used by a Fund for providing Fund and account balance information including net asset value per share. Such Program may include the Lion System. In situations where the Lion System or any other Software Program used by a Fund is not available, such information may be provided by telephone. The Lion System shall be provided to Insurance Company at no charge.

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information [44 U.S.C. 3502].

Online Services means any of the Microsoft-hosted online services subscribed to by Customer under this agreement, including Microsoft Dynamics Online Services, Office 365 Services, Microsoft Azure Services, or Microsoft Intune Online Services.

Leader means the President of the Senate, the Speaker of the House of Representatives, the majority leader and the minority leader of each house, and any person designated by a political caucus of members of either house to succeed to any such position.

Basic Comprehensive User Guide means the Ministry document titled “Basic Comprehensive Certificates of Approval [Air] User Guide” dated April 2004, as amended.

CDDP means "Community Developmental Disabilities Program".

Contact therapy system means a therapeutic radiation machine with a short target to skin distance [TSD], usually less than five centimeters.

Database Management System [“DBMS”] is a computer process used to store, sort, manipulate and update the data required to provide Selective Routing and ALI.

Information processing system means an electronic system for creating, generating, sending, receiving, storing, displaying, or processing information.

Contractor information system means an information system belonging to, or operated by or for, the Contractor.

Information Systems means all computer hardware, databases and data storage systems, computer, data, database and communications networks [other than the Internet], architecture interfaces and firewalls [whether for data, voice, video or other media access, transmission or reception] and other apparatus used to create, store, transmit, exchange or receive information in any form.

Passenger compartment means the space for occupant accommodation, bounded by the roof, floor, side walls, doors, outside glazing, front bulkhead and rear bulkhead, or rear gate, as well as by the electrical protection barriers and enclosures provided for protecting the occupants from direct contact with high voltage live parts.

Program Manager refers to the professional management firm selected by the Owner as the Owner’s representative for the Project, and its employees and consultants.

Project Management Report means each report prepared in accordance with Section 4.02 of this Agreement;

Regulatory Flood Protection Elevation means the “Base Flood Elevation” plus the “Freeboard”. In “Special Flood Hazard Areas” where Base Flood Elevations [BFEs] have been determined, this elevation shall be the BFE plus two [2] feet of freeboard. In “Special Flood Hazard Areas” where no BFE has been established, this elevation shall be at least two [2] feet above the highest adjacent grade.

Campaigning – means any activity by or on behalf of a candidate, registered third party advertiser, political party or question on a ballot meant to elicit support during the election period. Campaigning does not include the appearance of elected officials, other candidates or registered third party advertisers at an event in their personal capacity without the display of any signage or graphic which identifies the individual as a candidate or registered third party advertiser[s] and without the solicitation of votes.

Telemedicine Services means: a health care service delivered by a physician licensed in this state, or a health professional acting under the delegation and supervision of a physician licensed in this state, and acting within the scope of the physician's or health professional's license to a patient at a different physical location than the physician or health professional using telecommunications or information technology.

Area network means a location on the distribution system served by multiple transformers interconnected in an electrical network circuit.

Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Access Control Lists.

Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind.

Capabilities as discussed in this article should not be confused with Portable Operating System Interface (POSIX) 1e/2c "Capabilities". The latter are coarse-grained privileges that cannot be transferred between processes.

Capabilities achieve their objective of improving system security by being used in place of forgeable references. A forgeable reference (for example, a path name) identifies an object, but does not specify which access rights are appropriate for that object and the user program which holds that reference. Consequently, any attempt to access the referenced object must be validated by the operating system, based on the ambient authority of the requesting program, typically via the use of an access control list (ACL). Instead, in a system with capabilities, the mere fact that a user program possesses that capability entitles it to use the referenced object in accordance with the rights that are specified by that capability. In theory, a system with capabilities removes the need for any access control list or similar mechanism by giving all entities all and only the capabilities they will actually need.

A capability is typically implemented as a privileged data structure that consists of a section that specifies access rights, and a section that uniquely identifies the object to be accessed. The user does not access the data structure or object directly, but instead via a handle. In practice, it is used much like a file descriptor in a traditional operating system (a traditional handle), but to access every object on the system. Capabilities are typically stored by the operating system in a list, with some mechanism in place to prevent the program from directly modifying the contents of the capability (so as to forge access rights or change the object it points to). Some systems have also been based on capability-based addressing (hardware support for capabilities), such as Plessey System 250.

Programs possessing capabilities can perform functions on them, such as passing them on to other programs, converting them to a less-privileged version, or deleting them. The operating system must ensure that only specific operations can occur to the capabilities in the system, in order to maintain the integrity of the security policy.

A capability is defined to be a protected object reference which, by virtue of its possession by a user process, grants that process the capability (hence the name) to interact with an object in certain ways. Those ways might include reading data associated with an object, modifying the object, executing the data in the object as a process, and other conceivable access rights. The capability logically consists of a reference that uniquely identifies a particular object and a set of one or more of these rights.

Suppose that, in a user process's memory space, there exists the following string:

/etc/passwd

Although this identifies a unique object on the system, it does not specify access rights and hence is not a capability. Suppose there is instead the following pair of values:

/etc/passwd O_RDWR

This pair identifies an object along with a set of access rights. The pair, however, is still not a capability because the user process's possession of these values says nothing about whether that access would actually be legitimate.

Now suppose that the user program successfully executes the following statement:

int fd = open("/etc/passwd", O_RDWR);

The variable fd now contains the index of a file descriptor in the process's file descriptor table. This file descriptor is a capability. Its existence in the process's file descriptor table is sufficient to show that the process does indeed have legitimate access to the object. A key feature of this arrangement is that the file descriptor table is in kernel memory and cannot be directly manipulated by the user program.
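The argument above can be checked on a real file. The following C program is an added example, not code from the original article: it creates a scratch file, unlinks its name so the path string no longer resolves, and then shows that the kernel-held descriptors still work and that each one carries only the rights it was opened with. The scratch path and the payload are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of the experiment, one field per claim in the text. */
struct cap_demo {
    int path_open_errno;  /* re-opening the unlinked path: expect ENOENT */
    int ro_write_errno;   /* writing through the read-only descriptor: expect EBADF */
    int rw_read_ok;       /* 1 if the original O_RDWR descriptor still reads the data */
    int ro_read_ok;       /* 1 if the O_RDONLY descriptor still reads the data */
};

/* Rewind fd and compare its contents to expected; 1 on match, 0 otherwise. */
static int reads_back(int fd, const char *expected) {
    char buf[64];
    if (lseek(fd, 0, SEEK_SET) < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Returns 0 on success, -1 if the scratch file could not be set up. */
int run_cap_demo(struct cap_demo *out) {
    const char *payload = "constructed sample data\n";  /* constructed input */
    char path[] = "/tmp/capdemo-XXXXXX";                /* hypothetical scratch file */
    memset(out, 0, sizeof *out);

    int fd_rw = mkstemp(path);            /* the kernel hands back an O_RDWR descriptor */
    if (fd_rw < 0) return -1;
    if (write(fd_rw, payload, strlen(payload)) < 0) return -1;
    int fd_ro = open(path, O_RDONLY);     /* a second descriptor holding only the read right */
    if (fd_ro < 0) return -1;
    /* Remove the name: the path string is now a reference that no longer resolves. */
    if (unlink(path) < 0) return -1;
    errno = 0;
    int again = open(path, O_RDWR);
    out->path_open_errno = (again < 0) ? errno : 0;
    if (again >= 0) close(again);
    /* Both kernel-held descriptors remain valid: they, not the string, are the capabilities. */
    out->rw_read_ok = reads_back(fd_rw, payload);
    out->ro_read_ok = reads_back(fd_ro, payload);

    /* The rights travel with the descriptor: the read-only one cannot write. */
    errno = 0;
    out->ro_write_errno = (write(fd_ro, "x", 1) < 0) ? errno : 0;

    close(fd_rw);
    close(fd_ro);
    return 0;
}
```

Note that an attacker-supplied path string would be useless to a process that never held a descriptor, while the descriptor outlives the name entirely; this is the sense in which the file descriptor table, not the string, is the capability.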

In traditional operating systems, programs often communicate with each other and with storage using references like those in the first two examples. Path names are often passed as command-line parameters, sent via sockets, and stored on disk. These references are not capabilities, and must be validated before they can be used. In these systems, a central question is "on whose authority is a given reference to be evaluated?" This becomes a critical issue especially for processes which must act on behalf of two different authority-bearing entities. They become susceptible to a programming error known as the confused deputy problem, very frequently resulting in a security hole.

In a capability-based system, the capabilities themselves are passed between processes and storage using a mechanism that is known by the operating system to maintain the integrity of those capabilities.

One novel approach to solving this problem involves the use of an orthogonally persistent operating system. In such a system, there is no need for entities to be discarded and their capabilities invalidated, and hence no need for an ACL-like mechanism to restore those capabilities at a later time. The operating system maintains the integrity and security of the capabilities contained within all storage, both volatile and nonvolatile, at all times, in part by performing all serialization tasks itself rather than requiring user programs to do so, as is the case in most operating systems. Because user programs are relieved of this responsibility, there is no need to trust them to reproduce only legal capabilities, nor to validate requests for access using an access control mechanism. An example implementation is the Flex machine from the early 1980s.

Portable Operating System Interface (POSIX) draft 1003.1e specifies a concept of permissions called "capabilities". However, POSIX capabilities differ from capabilities in this article. A POSIX capability is not associated with any object; a process having the CAP_NET_BIND_SERVICE capability can listen on any TCP port under 1024. This system is found in Linux.[1]

In contrast, Capsicum Unix hybridizes a true capability-system model with a Unix design and POSIX API. Capsicum capabilities are a refined form of file descriptor, a delegable right between processes; additional object types beyond classic POSIX, such as processes, can also be referenced via capabilities. In Capsicum capability mode, processes are unable to use global namespaces (such as the filesystem namespace) to look up objects, and must instead inherit or be delegated them. This system is found natively in FreeBSD, but patches are available for other systems.[2]

Notable research and commercial systems employing capability-based security include the following:

  • Tahoe-LAFS, an open-source capability-based filesystem
  • GNOSIS, an operating system developed at Tymshare
    • KeyKOS, successor to GNOSIS
      • EROS, The Extremely Reliable Operating System, successor to KeyKOS
        • CapROS, a project to further develop the EROS code base for commercial use
  • Cambridge CAP computer
  • Hydra (operating system), part of the C.mmp project at Carnegie Mellon University
  • StarOS, part of the CM* project at Carnegie Mellon University
  • IBM System/38 and AS/400
  • Intel iAPX 432
  • Plessey System 250
  • Flex
  • L4 microkernel family:
    • OKL4 from Open Kernel Labs
    • seL4 from NICTA
    • Fiasco.OC and NOVA from TU Dresden
  • Amoeba distributed operating system
  • FreeBSD Capsicum[3][4]
  • Genode[5]
  • Google Fuchsia[6]
  • WebAssembly System Interface (WASI)

  1. capabilities(7) – Linux Programmer's Manual – Overview, Conventions and Miscellanea
  2. capsicum(4) – FreeBSD Kernel Interfaces Manual
  3. "Capsicum(4)".
  4. //www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
  5. "Genode OS: a breath of fresh air in operating system and software security".
  6. "Google's Fuchsia operating system runs on virtually anything".


Retrieved from "//en.wikipedia.org/w/index.php?title=Capability-based_security&oldid=1077023875"
