In this section, we survey two capability-based protection systems.
These systems vary in their complexity and in the types of policies that can be implemented on them.
Neither system is widely used, but they are interesting proving grounds for protection theories.
capability-based protection system of 'Hydra':
Hydra is a capability-based protection system that provides considerable flexibility.
These rights include such basic forms of access as the right to read, write, or execute a memory segment. In addition, a user (of the protection system) can declare other rights.
The interpretation of user-defined rights is performed solely by the user's program, but the system provides access protection for the use of these rights, as well as for the use of system-defined rights.
This scheme allows a procedure to be certified as trustworthy to act on a formal parameter of a specified type on behalf of any process that holds a right to execute the procedure.
The rights held by a trustworthy procedure are independent of, and may exceed, the rights held by the calling process.
However, if amplification may occur, the right to modify may be reinstated. Thus, the user-protection requirement can be circumvented.
In general, of course, a user may trust that a procedure performs its task correctly.
This assumption is not always correct, however, because of hardware or software errors.
Hydra solves this problem by restricting amplifications.
The procedure-call mechanism of Hydra was designed as a direct solution to the problem of mutually suspicious subsystems.
This problem is defined as follows. Suppose that a program is provided that can be invoked as a service by a number of different users.
A Hydra subsystem is built on top of its protection kernel and may require protection of its own components.
The subsystem designer can define policies for use of these resources by user processes, but the policies are enforceable by use of the standard access protection afforded by the capability system.
Hydra provides a large library of system-defined procedures that can be called by user programs.
A user of the Hydra system would explicitly incorporate calls on these system procedures into the code of her programs or would use a program translator that had been interfaced to Hydra.