Capability Algebra
Complete
The Capability Algebra is the mathematical foundation of Nexus OS security. Every operation in the system — spawning a process, sending a message, mapping memory — requires an explicit capability. There are exactly 7 primitive verbs.
The Seven Verbs
| Verb | Purpose | Example |
|---|---|---|
| SPAWN | Create a new fiber | Starting an NPL driver |
| SEND | Write to an ION Ring | Sending a network packet |
| RECV | Read from an ION Ring | Receiving console input |
| MAP | Map memory into address space | DMA buffer allocation |
| MASK | Restrict own capabilities | Pledge to reduced privilege set |
| TICK | Access the timer/scheduler | Registering a timeout |
| GRANT | Delegate a capability to another fiber | Giving a child fiber network access |
These 7 verbs are irreducible. Every operation in the system can be expressed as a composition of these primitives.
CSpace — Capability Space
Each fiber has a CSpace — a fixed-size array of 64 capability slots. Each slot contains:
- Channel ID: Which ION Ring or resource this capability refers to
- Permission mask: Which operations (READ, WRITE, EXECUTE) are allowed
- Epoch: When this capability was granted (for revocation)
Well-Known Capability Slots
| Channel ID | Permission | Resource |
|---|---|---|
| 0x1000 | READ | Console input |
| 0x1001 | WRITE | Console output |
| 0x2000 | READ/WRITE | VFS (filesystem) |
| 0x0500 | READ | Network receive |
| 0x0501 | WRITE | Network transmit |
| 0x0600 | READ | LWF receive |
| 0x0601 | WRITE | LWF transmit |
The Law of Decay
Capabilities degrade over two dimensions:
Time: A capability granted at epoch N has less authority than one granted at epoch N-1. This prevents ancient, forgotten capabilities from accumulating unbounded privilege.
Delegation depth: Each time a capability is delegated (GRANT verb), it loses potency. A capability granted by the kernel has full authority. One delegated through 3 intermediaries has reduced authority.
The Law of Decay prevents privilege accumulation — a common attack vector in traditional access control systems where long-lived tokens gradually become over-privileged.
Epoch-Based Revocation
Capabilities are revoked by advancing the epoch counter:
- The system maintains a global epoch counter
- When a capability needs to be revoked (e.g., a compromised fiber is detected), the epoch is advanced
- All capabilities with an epoch older than `current_epoch - threshold` are invalidated
- Fibers holding revoked capabilities must re-request them
This is O(1) revocation — no need to walk capability trees or track every outstanding capability.
Capability Verification
Every syscall checks capabilities:
```text
fiber_A calls SEND on channel 0x0501 (NET_TX)
→ Kernel checks fiber_A's CSpace slot for channel 0x0501
→ Checks WRITE permission is set
→ Checks epoch is valid
→ Checks pledge mask allows INET
→ If all pass: deliver to ION Ring
→ If any fail: capability fault, fiber killed
```
There is no "root" user. There is no "sudo". There is no way to bypass capability checks. Even the kernel itself operates within capability constraints defined by the SysTable.
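The verification sequence above, modelled in C as an added example (this is not Nexus OS code): a 64-slot CSpace, the GRANT and MASK verbs, epoch-based revocation and the four-step check a SEND on NET_TX goes through. The `PLEDGE_INET` bit, the revocation threshold of 3 and the rule that 0x05xx channels require the INET pledge are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define CSPACE_SLOTS 64
#define PERM_READ   0x1u
#define PERM_WRITE  0x2u
#define PLEDGE_INET 0x1u      /* assumed pledge bit required by network channels */
#define NET_TX      0x0501u   /* well-known channel from the table above */
typedef struct { uint32_t channel; uint32_t perms; uint64_t epoch; } cap_slot_t;
typedef struct { cap_slot_t slots[CSPACE_SLOTS]; uint32_t pledge; } cspace_t;
enum cap_result { CAP_OK, CAP_NO_SLOT, CAP_NO_PERM, CAP_EPOCH_EXPIRED, CAP_PLEDGE_DENIED };

uint64_t g_epoch = 0;               /* global epoch counter */
const uint64_t g_threshold = 3;     /* assumed revocation window */

/* Assumed: channels 0x05xx are network channels and need the INET pledge. */
uint32_t pledge_class_for(uint32_t channel) {
    return (channel & 0xff00u) == 0x0500u ? PLEDGE_INET : 0u;
}

/* GRANT: place a capability in the first free slot, stamped with the current epoch. */
bool cap_grant(cspace_t *cs, uint32_t channel, uint32_t perms) {
    for (size_t i = 0; i < CSPACE_SLOTS; i++)
        if (cs->slots[i].channel == 0) {
            cs->slots[i] = (cap_slot_t){ channel, perms, g_epoch };
            return true;
        }
    return false;                    /* CSpace is fixed-size: a full table refuses the grant */
}

/* MASK: a fiber can only shrink its own pledge set, never widen it. */
void cap_mask(cspace_t *cs, uint32_t keep) { cs->pledge &= keep; }

/* Epoch-based revocation: O(1), no walk of outstanding capabilities. */
void epoch_advance(uint64_t n) { g_epoch += n; }

/* The per-syscall check: slot present, permission set, epoch fresh, pledge allows. */
enum cap_result cap_check(const cspace_t *cs, uint32_t channel, uint32_t perm) {
    const cap_slot_t *slot = NULL;
    for (size_t i = 0; i < CSPACE_SLOTS && channel != 0; i++)
        if (cs->slots[i].channel == channel) { slot = &cs->slots[i]; break; }
    if (!slot) return CAP_NO_SLOT;
    if ((slot->perms & perm) != perm) return CAP_NO_PERM;
    if (g_epoch > g_threshold && slot->epoch < g_epoch - g_threshold) return CAP_EPOCH_EXPIRED;
    uint32_t need = pledge_class_for(channel);
    if ((cs->pledge & need) != need) return CAP_PLEDGE_DENIED;
    return CAP_OK;
}
```

Any non-`CAP_OK` result is where the kernel would raise the capability fault; note that the epoch test runs before the pledge test, so a stale capability is reported as expired even if the fiber has also masked itself down.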