Have you heard of capability-based security? While not as popular as role-based security, it offers iron-clad protection against many types of cyber threats. Many operating systems — particularly those used for research purposes — use capability-based security. You can find this alternative cybersecurity model embedded in Google Fuschia, Hydra, WebAssembly, Tahoe-LAFS, IBM AS/400 and other OSs. What is capability-based security exactly, and how does it work?

Capability-Based Security Defined

Capability-based security is a cybersecurity model that involves the use of an unforgeable token.

In network communications, tokens are used to identify users. Different users have different levels of privileges. Some users may have low levels of privileges. Other users, such as administrators, may have high levels of privileges. Tokens identify users on a network while simultaneously defining their privilege levels.

How Capability-Based Security Works

Capability-based security works by leveraging an unforgeable token. It designates resources, such as users, defining the privilege levels of those objects via an unforgeable token.

It’s not uncommon for tokens to be forged. A forged or “spoofed” token is a fake token. If a hacker wants to access a network with the same privilege levels of an administrator, he or she may forge a token. The system may perceive the hacker as being an administrator after reading the forged token. Capability-based security prevents threats such as this by leveraging an unforgeable token.

Capability-Based vs Role-Based Security: What’s the Difference?

In addition to capability-based security, there’s role-based security. Also known as role-based access control, role-based security is a cybersecurity model that involves defining permissions and privilege levels for users. Many software developers use it to improve the security of their products. With role-based security, not all users have the same permissions and privilege levels. Rather, they are assigned different levels of permissions and privilege levels.

Capability-based security goes one step further by leveraging unforgeable tokens. Tokens are still used to identify users, but capability-based security prevents those tokens from being forged. The tokens used in capability-based security are keys. Hackers can’t forge the keys; only the users to whom the keys are assigned will have them. This makes capability-based security a strong form of protection against network threats involving forged tokens.

In Conclusion

Capability-based security alone won’t protect against all cyber threats. It revolves around unforgeable tokens known as keys. The tokens can’t be forged, but hackers may conduct other types of attacks. Nonetheless, you may discover that some OSs are designed with capability-based security as a native feature.