A capability is a statement of trust
•Every executable is tagged at build time with some capabilities, this applies for both EXEs and DLLs
•At run time, every process has a set of capabilities
•Capabilities of a process never change
•Capabilities are assigned based on which APIs a process needs and therefore is authorised to use
•Capabilities, and policing of, is transparent to API users
No comments:
Post a Comment