The object-capability model is a computer security model. A capability describes a transferable right to perform one (or more) operations on a given object. It can be obtained by the following combination:
:* An unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages.
:* A message that specifies the operation to be performed.
The security model relies on not being able to forge references.
:* Objects can interact only by sending messages on references.
:* A reference can be obtained by:
::# Initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
::# Parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
::# Endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
::# Introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.
In the object-capability model, ''all'' computation is performed following the above rules.
Advantages that motivate object-oriented programming, such as encapsulation or information hiding, modular programming (modularity), and separation of concerns, correspond to security goals such as least privilege and privilege separation in capability-based programming.
The object-capability model was first proposed by Jack Dennis and Earl C. Van Horn in 1966.
Loopholes in object-oriented programming languages
Some object-based programming languages (e.g., JavaScript, Java, and C#) provide ways to access resources in ways other than according to the rules above, including the following:
:* Direct assignment to the instance variables of an object in Java and C#.
:* Direct inspection of an object's metadata through reflection in Java and C#.
:* The pervasive ability to import primitive modules, e.g., java.io.File, that enable external effects.
Such use of ''undeniable authority'' violates the conditions of the object-capability model.
Caja and Joe-E are variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes.
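The first loophole above, direct assignment to another object's fields, is easy to see in JavaScript, where every property of a shared object is writable unless the object is frozen. The following is an added example, not code from the article or from Caja or Joe-E: a constructed plugin host hands every plugin the same shared registry object, and one plugin overwrites the registry's `log` entry so that later plugins unknowingly talk to it instead. The `harden` helper deep-freezes the shared object graph, in the spirit of the taming that Caja-style systems apply, so the assignment no longer takes effect. The names `makeHost`, `harden`, `runScenario` and the plugins are assumptions made for the example; stopping at the built-in prototypes is also an assumption of this example (a real ocap sandbox freezes those too).

```javascript
// Added example (not from the article): shared mutable state as a loophole,
// and deep-freezing it as the mitigation.

// Built-in prototypes are left alone here so the example stays local; a real
// object-capability sandbox would freeze them as well.
const PRIMORDIALS = new Set([Object.prototype, Function.prototype, Array.prototype]);

// Deep-freeze an object graph: own data properties, accessors and prototypes.
function harden(root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const obj = stack.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) continue;
    if (seen.has(obj) || PRIMORDIALS.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const d = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in d) stack.push(d.value); else stack.push(d.get, d.set);
    }
    stack.push(Object.getPrototypeOf(obj));
  }
  return root;
}

// Constructed host: one registry object is shared with every plugin. Each
// plugin is meant to receive only the `log` capability it finds there.
function makeHost({ hardened }) {
  const registry = { log: (msg) => `LOG:${msg}` };
  if (hardened) harden(registry);
  return { run: (plugin) => plugin(registry) };
}

// A plugin that only logs, as intended.
const wellBehaved = (api) => api.log('hello');

// A plugin that assigns directly to a field of the shared object (the first
// loophole above). Reflect.set reports whether the assignment took effect.
const tampering = (api) => Reflect.set(api, 'log', (msg) => `HIJACKED:${msg}`);

function runScenario(hardened) {
  const host = makeHost({ hardened });
  const tampered = host.run(tampering);   // did the assignment stick?
  const output = host.run(wellBehaved);   // what does the next plugin see?
  return { tampered, output };
}
```

With `runScenario(false)` the well-behaved plugin's message comes back as `HIJACKED:hello`; with `runScenario(true)` the write is refused and it comes back as `LOG:hello`. The third loophole on the list, importing primitive modules such as `java.io.File` (or `fs` in Node.js), is not closed by freezing; it needs the host to withhold the import mechanism itself and pass file access in as an explicit parameter, which is what Caja and Joe-E enforce.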
Advantages of object capabilities
Computer scientist E. Dean Tribble stated that in smart contracts, identity-based access control did not support dynamically changing permissions well, compared to the object-capability model. He analogized the ocap model with giving a valet the key to a car, without giving the right to car ownership.
The structural properties of object capability systems favor modularity in code design and ensure reliable encapsulation in code implementation.
These structural properties facilitate the analysis of some security properties of an object-capability program or operating system. Some of these, specifically information flow properties, can be analyzed at the level of object references and connectivity, independent of any knowledge or analysis of the code that determines the behavior of the objects. As a consequence, these security properties can be established and maintained in the presence of new objects that contain unknown and possibly malicious code.
These structural properties stem from the two rules governing access to existing objects:
:1) An object ''A'' can send a message to ''B'' only if object ''A'' holds a reference to ''B''.
:2) An object ''A'' can obtain a reference to ''C'' only if object ''A'' receives a message containing a reference to ''C''.
As a consequence of these two rules, an object can obtain a reference to another object only through a preexisting chain of references. In short, "Only connectivity begets connectivity."
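The analysis described above, working only on references and connectivity, can be carried out on a snapshot of the reference graph. The following is an added example, not code from the article: a JavaScript model in which the four reference-acquisition rules of the introduction and the two access rules just stated are the only way references move. `introduce` checks rule 4 (A may hand B a reference to C only if A holds both), and `eventualReferences` applies every permitted introduction until nothing changes, giving a conservative bound on what each object could ever obtain regardless of its code. The world is constructed: a host `H` holds a plugin `P`, a logger `L` and a secret store `S`; `P` was endowed only with `L`; `X` is an unrelated object. Objects that know themselves carry a self-edge, as they normally do; `H` deliberately has none and is held by nobody. All names are assumptions of the example.

```javascript
// Added example (not from the article): connectivity analysis of a
// reference graph. object name -> set of names it holds references to.
function makeGraph(edges) {
  const g = new Map();
  for (const [from, to] of edges) {
    if (!g.has(from)) g.set(from, new Set());
    if (!g.has(to)) g.set(to, new Set());
    g.get(from).add(to);
  }
  return g;
}

// Rule 4 (introduction): A may send B a reference to C only if A already
// holds references to both B and C. Any other transfer is rejected.
function introduce(g, a, b, c) {
  const held = g.get(a);
  if (!held || !held.has(b) || !held.has(c)) return false;
  g.get(b).add(c);
  return true;
}

// Conservative bound on what each object could ever obtain: repeat every
// permitted introduction until the graph stops changing. Objects created
// later cannot widen this bound, because a child starts with a subset of its
// parent's references (rules 2 and 3) and can only hand those on.
function eventualReferences(g) {
  const out = new Map([...g].map(([k, v]) => [k, new Set(v)]));
  let changed = true;
  while (changed) {
    changed = false;
    for (const [, held] of out) {
      for (const b of [...held]) {
        const target = out.get(b);
        for (const c of held) {
          if (!target.has(c)) { target.add(c); changed = true; }
        }
      }
    }
  }
  return out;
}

// Could `who` ever obtain a reference to `what`, whatever the code does?
function mayEverReach(g, who, what) {
  const bound = eventualReferences(g);
  return bound.has(who) && bound.get(who).has(what);
}

// Constructed world (see lead-in). Self-edges model objects that hold a
// reference to themselves; H has none and nothing holds H.
const WORLD = makeGraph([
  ['H', 'P'], ['H', 'L'], ['H', 'S'],
  ['P', 'P'], ['P', 'L'],
  ['L', 'L'],
  ['S', 'S'],
  ['X', 'X'],
]);
```

`mayEverReach(WORLD, 'P', 'S')` is true: `H` holds both `P` and `S`, so nothing in the structure stops `H` from handing `S` to `P`; ruling that out requires trusting `H`'s code, which is exactly the knowledge the structural analysis does without. `mayEverReach(WORLD, 'P', 'H')` is false, because no object holds a reference to `H` and so no introduction can ever deliver one, and `mayEverReach(WORLD, 'X', 'L')` is false because `X` is not connected to anything: only connectivity begets connectivity.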
Glossary of related terms
;object-capability system
: A computational system that implements principles described in this article.
;object
: An object has local state and behavior. An object in this sense is both a ''subject'' and an ''object'' in the sense used in the access control literature.
;reference
: An unforgeable communications channel (protected pointer, opaque address) that unambiguously designates one object, and provides permission to send messages to that object.
;message
: What is sent on a reference. Depending on the system, messages may or may not be first-class objects.
;request
: An operation in which a message is sent on a reference. When the message is received, the receiver will have access to any references included in the message.
;attenuation
: A common design pattern in object-capability systems: given one reference of an object, create another reference for a proxy object with certain security restrictions, such as only permitting read-only access or allowing revocation. The proxy object performs security checks on messages that it receives and passes on any that are allowed. ''Deep attenuation'' refers to the case where the same attenuation is applied transitively to any objects obtained via the original attenuated object, typically by use of a ''membrane''.
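The attenuation pattern just defined, including revocation and deep attenuation through a membrane, can be built directly on a JavaScript `Proxy`. The following is an added example, not code from the article or from any of the systems it lists: `attenuate` wraps a full-authority reference so that only the messages a policy permits are forwarded, every write is refused, the proxy can be revoked, and any object returned by a forwarded call is wrapped with the same policy, so the attenuation is transitive. The directory tree (`makeDir`, `makeFile`, `root`) and the `READ_ONLY` policy are constructed for the example; all names are assumptions.

```javascript
// Added example (not from the article): attenuation with revocation and a
// membrane for deep attenuation.

// Wrap `target` in a proxy that forwards only the messages `allow` permits,
// refuses all writes, and can be revoked. Objects coming back from forwarded
// calls are wrapped with the same policy, so nothing reachable through the
// proxy escapes it.
function attenuate(target, allow) {
  let revoked = false;
  const wrapped = new WeakMap();   // one proxy per underlying object
  const wrap = (obj) => {
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;
    if (wrapped.has(obj)) return wrapped.get(obj);
    const proxy = new Proxy(obj, {
      get(t, prop) {
        if (revoked) throw new Error('capability revoked');
        if (!allow(prop)) return undefined;          // message not permitted
        const v = Reflect.get(t, prop);
        if (typeof v !== 'function') return wrap(v);
        return (...args) => {
          if (revoked) throw new Error('capability revoked');
          return wrap(v.apply(t, args));             // wrap what comes back
        };
      },
      set: () => false,                              // read-only
      deleteProperty: () => false,
      defineProperty: () => false,
    });
    wrapped.set(obj, proxy);
    return proxy;
  };
  return { proxy: wrap(target), revoke: () => { revoked = true; } };
}

// Constructed sample: a small in-memory directory tree. `root` is the
// full-authority reference.
function makeFile(contents) {
  return {
    read() { return contents; },
    write(data) { contents = data; return true; },
  };
}
function makeDir(entries) {
  return {
    list() { return Object.keys(entries).sort(); },
    get(name) { return entries[name]; },
    add(name, entry) { entries[name] = entry; return true; },
  };
}
const root = makeDir({
  'notes.txt': makeFile('hello'),
  sub: makeDir({ 'deep.txt': makeFile('deep') }),
});

// Read-only policy: only listing, lookup and reading may pass.
const READ_ONLY = (prop) => ['list', 'get', 'read'].includes(prop);

function demo() {
  const { proxy: ro, revoke } = attenuate(root, READ_ONLY);
  const before = ro.get('sub').get('deep.txt').read();              // deep read works
  const canWrite = typeof ro.get('notes.txt').write === 'function'; // false: membrane
  const canAdd = typeof ro.add === 'function';                      // false
  const setRejected = Reflect.set(ro, 'list', () => []) === false;  // true
  revoke();
  let revokedThrows = false;
  try { ro.list(); } catch (e) { revokedThrows = true; }
  return { before, canWrite, canAdd, setRejected, revokedThrows };
}
```

The membrane is what makes the attenuation deep: `ro.get('sub')` returns a proxy, not the underlying directory, so `write` and `add` stay unreachable however far the caller descends, and a single `revoke()` cuts off every proxy handed out through this attenuated reference. The holder of `root` is unaffected.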
Implementations
Almost all historical systems that have been described as ''capability systems'' can be modeled as object-capability systems. However, some uses of the term ''capability'' are inconsistent with the model, such as POSIX ''capabilities''.
KeyKOS, EROS, Integrity, CapROS, Coyotos, seL4, OKL4 and Fiasco.OC are secure operating systems that implement the object-capability model.
Languages that implement object capabilities
* Act 1 (1981)
* Eden (1985)
* Emerald (1987)
* Trusty Scheme (1992)
* W7 (1995)
* Joule (1996)
* Original-E (1997)
* Oz-E (2005)
* Joe-E (2005)
* CaPerl (2006)
* Emily (2006)
* Caja (2007–2021)
* Monte (2008–present)
* Pony (2014–present)
* Wyvern (2012–present)
* Newspeak (2007–present)
* Hack (2021–present)
* Rholang (2018–present)
See also
* Capability-based security
* Capability-based addressing
* Actor model