Capability operating systems have existed for six decades, yet we do not have a systematic way to compare them and their different design aspects. We even lack a consensus on the purpose of capabilities in these systems. Given the recent resurgence of interest in capability systems in different domains, we provide a definition of such systems and a set of characteristics to describe and distinguish them. Applying our characteristics to seminal capability systems, we then provide a taxonomy of fundamental design approaches that emerged over the last sixty years. Our results lead us to discuss further research in this field and highlight open challenges in creating pure object-capability systems.
Usenix Security Symposium (USENIX-Security)
2026-08-12
2026-06-23