Fault Resolution is a Policy Decision: A Theorem of Capability-Based Systems

We prove that fault resolution—the response to page faults, capability violations, and domain termination events—contains no component that is intrinsically privileged. Fault detection requires hardware privilege, but fault resolution does not. Using a formal model of capability-enforced systems, we separate fault handling into detection, which must occur at hardware privilege level 0, and resolution, which can be performed entirely by unprivileged domains holding appropriate authority tokens. We show that all resolution actions reduce to capability-checked memory operations or IPC, and thus do not require ring 0 execution. This yields a fault delegation theorem: the kernel’s role in fault handling can be reduced to O(1), policy-free detection and notification, with all resolution policy migrating to untrusted components without loss of correctness or security. We discuss a prototype implementation on x86-64 hardware and show how this result composes with the NullKernel architecture, in which the kernel is stripped of all policy decisions. This is an exploratory preprint; the model and proofs are under active refinement and feedback is welcome.