Object-capability model

Object-capability model

The object-capability model is a computer security model based on the Actor model of computation. The name "object-capability model" is due to the idea that the capability to perform an operation can be obtained by the following combination:

  • an unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages.
  • a message that specifies the operation to be performed.

The security model relies on not being able to forge references; see Synthesizing addresses of actors.

  • Objects can interact only by sending messages on references.
  • A reference can be obtained by:
  1. initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
  2. parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
  3. endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
  4. introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.

In the Object-capability model, all computation is performed following the above rules.

Advantages that motivate object-oriented programming, such as encapsulation or information hiding, modularity, and separation of concerns, correspond to security goals such as least privilege and privilege separation in capability-based programming. [1][2]


Loopholes in Object-Oriented Programming Languages

Some object-based programming languages (e.g. JavaScript, Java, and C#) provide ways to access resources in other ways than according to the rules above including the following:

  • global variables exported into the environment in JavaScript
  • static methods in Java and C#
  • direct assignment to the instance variables of an object in Java and C#
  • direct reflexive inspection of the meta-data of an object in Java and C#
  • the pervasive ability to import primitive modules (like java.io.File) that enable external effects.

Such use of undeniable authority effectively defeats the security benefits of the Object-capability model. Caja and Joe-E are variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes.

Advantages of object capabilities

The structural properties of object capability systems favor modularity in code design and ensure reliable encapsulation in code implementation.

These structural properties facilitate the analysis of some security properties of an object-capability program or operating system. Some of these — in particular, information flow properties — can be analyzed at the level of object references and connectivity, independent of any knowledge or analysis of the code that determines the behavior of the objects. As a consequence, these security properties can be established and maintained in the presence of new objects that contain unknown and possibly malicious code.

These structural properties stem from the two rules governing access to existing objects:

1) An object A can send a message to B only if object A holds a reference to B.
2) An object A can obtain a reference to C only if object A receives a message containing a reference to C.

As a consequence of these two rules, an object can obtain a reference to another object only through a preexisting chain of references. In short, "Only connectivity begets connectivity."

Glossary of related terms

object-capability system
A computational system that implements principles described in this article.
An object has local state and behavior. An object in this sense is both a subject and an object in the sense used in the access control literature. In the Actor model, this concept is called an "actor".
An unforgeable communications channel (protected pointer, opaque address) that unambiguously designates a single object, and provides permission to send messages to that object. In the Actor model, this concept is called an "address".
What is sent on a reference. Depending on the system, messages may or may not themselves be first-class objects.
An operation in which a message is sent on a reference. When the message is received, the receiver will have access to any references included in the message.
A common design pattern in object-capability systems: given one reference of an object, create another reference for a proxy object with certain security restrictions, such as only permitting read-only access or allowing revocation. The proxy object performs security checks on messages that it receives and passes on any that are allowed. Deep attenuation refers to the case where the same attenuation is applied transitively to any objects obtained via the original attenuated object, typically by use of a "membrane".


Almost all historical systems that have been described as "capability systems" can be modeled as object-capability systems. (Note, however, that some uses of the term "capability" are not consistent with the model, such as POSIX "capabilities".)

KeyKOS, EROS, CapROS, Coyotos, seL4, OKL4 and Fiasco.OC are secure operating systems that implement the object-capability model.

Languages that implement object capabilities

  • Act 1 (1981) [3][4]
  • Eden (1985),
  • Vulcan (1986),
  • Emerald (1987),
  • Trusty Scheme (1992),
  • W7 (1995),
  • Joule (1996),
  • Original-E (1997),
  • E (1998),
  • J-Kernel (1999),
  • Oz-E (2005),
  • Joe-E (2005),
  • CaPerl (2006),
  • Emily (2006)
  • Caja (2007 — present)
  • Jacaranda (2008-9)

Relationship of the Object-capability model and the Actor model

Most of the object-capability model was first formalized as the Actor model of concurrent computation as follows:[5]. However, there are a few differences between the object-capability model and the Actor model:

  • Since object-capability systems differ regarding concurrency control, storage management, equality, typing, the primitiveness of messages, and the ordering of message delivery, the object-capability model by itself is neutral on these issues. By contrast, the Actor model does specify some of these elements. In this sense, the Object-capability model corresponds most directly to the Actor locality laws taken by themselves. In particular there are the following differences:
  • concurrency control
  • storage management
  • equality
  • typing
  • primitiveness of messages
  • ordering of message delivery
  • The object-capability model requires a loader (eval, exec) having the property of loader isolation. A loader loads data describing behavior (code, script, lambda expression) together with an initial state (c-list, environment, instance variable frame, acquaintances) to create a new object. A loader obeys loader isolation if the new object's only initial references are from the explicitly provided state, with no implicit grants by the loader itself. On the other hand, the Actor model simply requires that loaders, evaluators, etc. obey the laws for actors. The Java ClassLoader violates loader isolation, making confinement of unexamined loaded code impossible.
  • There are minor differences in the preferred terminology used for the two models (see "Glossary of related terms" above).

Of course, some systems have all the properties required by both models, and so are both Object-capability systems and Actor systems.

See also


  1. ^ Mark S. Miller (2006). Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. http://erights.org/talks/thesis/. 
  2. ^ Mark S. Miller, Ka-Ping Yee, Jonathan S. Shapiro (2003) (PDF). Capability Myths Demolished. Technical Report SRL2003-02. Systems Research Lab, Johns Hopkins University. http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf. 
  3. ^ Henry Lieberman (June 1981). A Preview of Act 1. MIT AI memo 625. 
  4. ^ Henry Lieberman (June 1981). Thinking About Lots of Things at Once without Getting Confused: Parallelism in Act 1. MIT AI memo 626. 
  5. ^ Henry Baker and Carl Hewitt (August 1977). Laws for Communicating Parallel Processes. IFIP. 

Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • Object Process Graph — An Object Process Graph (OPG) is a general purpose executable graph that incorporates every aspect of an application, including process, user interface, and database.[1][2][3] No programming language, tool, or database is required to handle any… …   Wikipedia

  • Model-driven architecture — (MDA) is a software design approach for the development of software systems. It provides a set of guidelines for the structuring of specifications, which are expressed as models. Model driven architecture is a kind of domain engineering, and… …   Wikipedia

  • Capability Maturity Model — Capability Maturity Model  модель зрелости возможностей создания ПО: эволюционная модель развития способности компании разрабатывать программное обеспечение. Содержание 1 История 2 Уровни 3 Развитие …   Википедия

  • Computer security model — A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical… …   Wikipedia

  • Object Process Methodology — (OPM) is an approach to designing information systems by depicting them using object models and process models. OPM was conceived and developed by Prof. Dov Dori, at the Technion – Israel Institute of Technology. A paper that first presented… …   Wikipedia

  • Object-relational mapping — For another use of ORM , see Object role modeling. Object relational mapping (ORM, O/RM, and O/R mapping) in computer software is a programming technique for converting data between incompatible type systems in object oriented programming… …   Wikipedia

  • Actor model — In computer science, the Actor model is a mathematical model of concurrent computation that treats actors as the universal primitives of concurrent digital computation: in response to a message that it receives, an actor can make local decisions …   Wikipedia

  • Component Object Model — Not to be confused with COM file. Component Object Model (COM) is a binary interface standard for software componentry introduced by Microsoft in 1993. It is used to enable interprocess communication and dynamic object creation in a large range… …   Wikipedia

  • Waterfall model — The waterfall model is a sequential design process, often used in software development processes, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of Conception, Initiation, Analysis, Design,… …   Wikipedia

  • Entity–attribute–value model — (EAV) is a data model to describe entities where the number of attributes (properties, parameters) that can be used to describe them is potentially vast, but the number that will actually apply to a given entity is relatively modest. In… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”