Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Object-capability model
open-in-new
<h2 id="loopholes-in-object-oriented-programming-languages">Loopholes in object-oriented programming languages</h2> <p>Some object-based programming languages (e.g. <a href="/facts/Criticism_of_JavaScript/XhhIIEsl">JavaScript</a>, <a href="/facts/Java_(programming_language)/9ScgFyAL">Java</a>, and <a href="/facts/C_Sharp_(programming_language)/UC2gxeyb">C#</a>) provide ways to access resources in other ways than according to the rules above including the following: </p> <ul><li>Direct <a href="/facts/Assignment_(computer_science)/kLevAoyJ">assignment</a> to the <a href="/facts/Instance_variable/UQXdtMBp">instance variables</a> of an object in Java and C#.</li> <li>Direct <a href="/facts/Reflection_(computer_science)/Nj8stFfp">reflective</a> inspection of the meta-data of an object in Java and C#.</li> <li>The pervasive ability to import primitive modules, e.g. java.io.File that enable external effects.</li></ul> <p>Such use of undeniable authority violates the conditions of the object-capability model. <a href="/facts/Caja_(programming_language)/qnI7NYh0">Caja</a> and <a href="/facts/Joe-E/R82FrS6H">Joe-E</a> are variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes. </p> <h2 id="advantages-of-object-capabilities">Advantages of object capabilities</h2> <p>Computer scientist E. Dean Tribble stated that in <a href="/facts/Smart_contracts/D5TN1q4n">smart contracts</a>, identity-based access control did not support well dynamically changing permissions, compared to the object-capability model. He analogized the ocap model with giving a <a href="/facts/Valet_parking/V5zQWj4F">valet</a> the key to one's car, without handing over the right to car ownership.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p><p>The structural properties of object capability systems favor modularity in code design and ensure reliable encapsulation in code implementation. </p><p>These structural properties facilitate the analysis of some security properties of an object-capability program or operating system. Some of these – in particular, information flow properties – can be analyzed at the level of object references and connectivity, independent of any knowledge or analysis of the code that determines the behavior of the objects. As a consequence, these security properties can be established and maintained in the presence of new objects that contain unknown and possibly malicious code. </p><p>These structural properties stem from the two rules governing access to existing objects: </p> 1) An object <i>A</i> can send a message to <i>B</i> only if object <i>A</i> holds a reference to <i>B</i>. 2) An object <i>A</i> can obtain a reference to <i>C</i> only if object <i>A</i> receives a message containing a reference to <i>C</i>. <p>As a consequence of these two rules, an object can obtain a reference to another object only through a preexisting chain of references. In short, "Only connectivity begets connectivity." </p> <h2 id="glossary-of-related-terms">Glossary of related terms</h2> object-capability system A computational system that implements principles described in this article. object An object has local state and behavior. An object in this sense is both a <i>subject</i> and an <i>object</i> in the sense used in the access control literature. reference An unforgeable communications channel (protected pointer, opaque address) that unambiguously designates a single object, and provides permission to send messages to that object. message What is sent on a reference. Depending on the system, messages may or may not themselves be first-class objects. request An operation in which a message is sent on a reference. When the message is received, the receiver will have access to any references included in the message. attenuation A common <a href="/facts/Design_pattern/bHvkoxsu">design pattern</a> in object-capability systems: given one reference of an object, create another reference for a proxy object with certain security restrictions, such as only permitting read-only access or allowing revocation. The proxy object performs security checks on messages that it receives and passes on any that are allowed. Deep attenuation refers to the case where the same attenuation is applied transitively to any objects obtained via the original attenuated object, typically by use of a "membrane". <h2 id="implementations">Implementations</h2> <p>Almost all historical systems that have been described as "capability systems" can be modeled as object-capability systems. (Note, however, that some uses of the term "capability" are not consistent with the model, such as POSIX "capabilities".) </p><p><a href="/facts/KeyKOS/TNKAuUmV">KeyKOS</a>, <a href="/facts/Extremely_Reliable_Operating_System/otH0PLPh">EROS</a>, <a href="/facts/Integrity_(operating_system)/9Dz1gPK2">Integrity (operating system)</a>,[<i>dubious – discuss</i>] CapROS, Coyotos, <a href="/facts/SeL4/1rrWcHKB">seL4</a>, <a href="/facts/OKL4/1rrWcHKB">OKL4</a> and <a href="/facts/Fiasco_(L4_clone)/1rrWcHKB">Fiasco.OC</a> are secure operating systems that implement the object-capability model. </p> <h2 id="languages-that-implement-object-capabilities">Languages that implement object capabilities</h2> <ul><li>Act 1 (1981) <a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a><a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a></li> <li>Eden (1985),</li> <li><a href="/facts/Emerald_(programming_language)/dqIe3C2c">Emerald</a> (1987),</li> <li>Trusty Scheme (1992),</li> <li>W7 (1995),</li> <li><a href="/facts/Joule_(programming_language)/ffS4eTAd">Joule</a> (1996),</li> <li>Original-E (1997),</li> <li><a href="http://www.info.ucl.ac.be/~pvr/oze.pdf">Oz-E</a> (2005),</li> <li><a href="/facts/Joe-E/R82FrS6H">Joe-E</a> (2005),</li> <li><a href="https://web.archive.org/web/20070515041003/http://caperl.links.org/">CaPerl</a> (2006),</li> <li><a href="http://wiki.erights.org/wiki/Emily">Emily</a> (2006)</li> <li><a href="/facts/Caja_(programming_language)/qnI7NYh0">Caja</a> (2007–2021)</li> <li><a href="http://www.monte-language.org/">Monte</a> (2008–present)</li> <li><a href="http://www.ponylang.org/">Pony</a> (2014–present)<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a></li> <li><a href="/facts/Wyvern_(programming_language)/0IzKIl0K">Wyvern</a> (2012–present)</li> <li><a href="/facts/Newspeak_(programming_language)/QL4sDDVY">Newspeak</a> (2007–present)</li> <li><a href="/facts/Hack_(programming_language)/yIpr4zfv">Hacklang</a> (2021-present)</li> <li><a href="https://rchain-community.github.io/">Rholang</a> (2018-present)</li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Capability-based_security/negzSwhS">Capability-based security</a></li> <li><a href="/facts/Capability-based_addressing/PJ1GTnvM">Capability-based addressing</a></li> <li><a href="/facts/Actor_model/MJ49opnU">Actor model</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Miller, Mark Samuel (May 2006). "Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control". erights.org. Baltimore, Maryland. Retrieved 28 July 2013. <a href="http://erights.org/talks/thesis/" target="_blank">http://erights.org/talks/thesis/</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Mark S. Miller; Ka-Ping Yee; Jonathan S. Shapiro (2003). "Capability Myths Demolished" (PDF). Technical Report SRL2003-02. Systems Research Lab, Johns Hopkins University. {{cite journal}}: Cite journal requires |journal= (help) <a href="http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf" target="_blank">http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>[1] citing: J.B. Dennis, E.C. Van Horn. “Programming Semantics for Multiprogrammed Computations.” Communications of the ACM, 9(3):143–155, March 1966. <a href="http://srl.cs.jhu.edu/pubs/SRL2003-03.pdf" target="_blank">http://srl.cs.jhu.edu/pubs/SRL2003-03.pdf</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Lutsch, Felix (26 August 2019). "Agoric Q&A with Dean Tribble". Chorus One. <a href="https://blog.chorus.one/agoric-qa-transcript/" target="_blank">https://blog.chorus.one/agoric-qa-transcript/</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Henry Lieberman (June 1981). "A Preview of Act 1". MIT AI memo 625. {{cite journal}}: Cite journal requires |journal= (help) <a href="/wiki/Template:Cite_journal" target="_blank">/wiki/Template:Cite_journal</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Henry Lieberman (June 1981). "Thinking About Lots of Things at Once without Getting Confused: Parallelism in Act 1". MIT AI memo 626. {{cite journal}}: Cite journal requires |journal= (help) <a href="/wiki/Template:Cite_journal" target="_blank">/wiki/Template:Cite_journal</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Lutsch, Felix (26 August 2019). "Agoric Q&A with Dean Tribble". Chorus One. <a href="https://blog.chorus.one/agoric-qa-transcript/" target="_blank">https://blog.chorus.one/agoric-qa-transcript/</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> </ol>