Using split capabilities for access control

The fundamental problem of access control is to limit what a process can do to an object and when that process can do if. For example, any access control mechanism must know whether to honor a request to read or write a particular file. Unfortunately, the access control mechanisms we use when sharing resources over the Internet were designed in the days when networking computers was a rarity. Many security breakdowns currently occurring come from the resulting mismatch between today\´s realities and the assumptions made in designing those mechanisms. We developed split capabilities to make the system scalable. If we used conventional capabilities, we would need a capability for every combination of access rights. That\´s not a problem in some systems where a capability is a single word. However, our design required over 100 bytes per resource. This fact presented us with a problem because of two of our design principles, "every thing is a resource" and "no special cases." Split capabilities allow us to define a single resource that can represent an arbitrary set of access rights to a large set of resources.