Object-capability model
The object-capability model is a computer security model based on the Actor model of computation. The name "object-capability model" is due to the idea that the capability to perform an operation can be obtained by the following combination:
  • an unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages.
  • a message that specifies the operation to be performed.


The security model relies on not being able to forge references; see Synthesizing addresses of actors.
  • Objects can interact only by sending messages on references.
  • A reference can be obtained by:
  1. initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
  2. parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
  3. endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
  4. introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.


In the Object-capability model, all computation is performed following the above rules.

Advantages that motivate object-oriented programming, such as encapsulation or information hiding, modularity, and separation of concerns, correspond to security goals such as least privilege and privilege separation in capability-based programming.

Loopholes in Object-Oriented Programming Languages

Some object-based programming languages (e.g. JavaScript, Java, and C#) provide ways to access resources in other ways than according to the rules above, including the following:
  • global variables exported into the environment in JavaScript
  • static methods in Java and C#
  • direct assignment to the instance variables of an object in Java and C#
  • direct reflexive inspection of the meta-data of an object in Java and C#
  • the pervasive ability to import primitive modules (like java.io.File) that enable external effects.


Such use of undeniable authority effectively defeats the security benefits of the Object-capability model. Caja and Joe-E are variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes.
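The first loophole above, authority exported into the JavaScript global environment, is illustrated by the following added example (it is not part of the article, nor code from Caja or Joe-E). A file store hung on `globalThis` is reachable by a plugin that was never handed a reference to it; the capability-style plugin beside it can only use the attenuated reader it was endowed with. The `auditGlobals` helper is one simple check a reviewer can run: it snapshots the global object's own property names before and after a piece of code runs and reports any names that appeared. The store, the plugins and the file names are all constructed for the example.

```javascript
'use strict';

// Constructed sample data: a file store holding one public and one secret file.
function makeFileStore() {
  const files = new Map([['public.txt', 'hello'], ['secret.txt', 'hunter2']]);
  return {
    read: (name) => files.get(name),
    write: (name, data) => { files.set(name, data); },
  };
}

// --- The loophole: authority exported into the environment -----------------
// Hanging the store on globalThis makes it reachable from any code that runs in
// this realm, whether or not anyone handed that code a reference.
function installAmbientStore() {
  globalThis.fileStore = makeFileStore();
}

// A plugin that was given no references at all, yet reads the secret file.
function ambientPlugin() {
  return globalThis.fileStore.read('secret.txt');
}

function uninstallAmbientStore() {
  delete globalThis.fileStore;
}

// --- Capability style: the plugin holds only what it was endowed with --------
// Attenuated reader: grants read access to a listed subset of files only.
function makeReader(store, allowed) {
  return (name) => {
    if (!allowed.has(name)) throw new Error(`no capability for ${name}`);
    return store.read(name);
  };
}

// The plugin is born with exactly one reference (endowment) and has no other
// route to the store.
function makeCapabilityPlugin(readFile) {
  return {
    readPublic: () => readFile('public.txt'),
    readSecret: () => readFile('secret.txt'), // fails: not in the grant
  };
}

// --- Audit: which names appeared on the global object while code ran? -------
function snapshotGlobals() {
  return new Set(Object.getOwnPropertyNames(globalThis));
}

function newGlobalsSince(before) {
  return Object.getOwnPropertyNames(globalThis).filter((n) => !before.has(n));
}

// Runs `action` and returns the globals it exported (authority leaks).
function auditGlobals(action) {
  const before = snapshotGlobals();
  action();
  return newGlobalsSince(before);
}

function demo() {
  const leaked = auditGlobals(installAmbientStore); // ['fileStore']
  const viaAmbient = ambientPlugin();                // 'hunter2', with no reference granted
  uninstallAmbientStore();

  const store = makeFileStore();
  const plugin = makeCapabilityPlugin(makeReader(store, new Set(['public.txt'])));
  let secretBlocked = false;
  try { plugin.readSecret(); } catch (e) { secretBlocked = true; }
  return { leaked, viaAmbient, viaCapability: plugin.readPublic(), secretBlocked };
}
```

The audit only sees names placed on the global object; authority reached through static methods, reflection or module imports (the other loopholes listed above) needs language-level restrictions of the kind Caja and Joe-E impose.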

Advantages of object capabilities

The structural properties of object capability systems favor modularity in code design and ensure reliable encapsulation in code implementation.

These structural properties facilitate the analysis of some security properties of an object-capability program or operating system. Some of these — in particular, information flow properties — can be analyzed at the level of object references and connectivity, independent of any knowledge or analysis of the code that determines the behavior of the objects. As a consequence, these security properties can be established and maintained in the presence of new objects that contain unknown and possibly malicious code.

These structural properties stem from the two rules governing access to existing objects:
1) An object A can send a message to B only if object A holds a reference to B.
2) An object A can obtain a reference to C only if object A receives a message containing a reference to C.


As a consequence of these two rules, an object can obtain a reference to another object only through a preexisting chain of references. In short, "Only connectivity begets connectivity."
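The four ways of obtaining a reference listed at the top of the article and the two rules just stated can be checked mechanically on a reference graph. The following added example (not from the article) is a small simulator in which objects are names and the only edges are references: `addInitial`, `create` (parenthood plus endowment) and `introduce` refuse any step the rules forbid, and `reachable` computes the transitive closure, which is the upper bound on what an object can ever come to hold. The Kernel/App/Guest/Disk/Logger scenario is constructed for the example.

```javascript
'use strict';

class ReferenceGraph {
  constructor() {
    this.refs = new Map(); // object name -> Set of names it holds references to
  }

  ensure(name) {
    if (!this.refs.has(name)) this.refs.set(name, new Set());
  }

  holds(holder, target) {
    return this.refs.has(holder) && this.refs.get(holder).has(target);
  }

  // Initial conditions: an edge present in the initial state of the world.
  addInitial(holder, target) {
    this.ensure(holder); this.ensure(target);
    this.refs.get(holder).add(target);
  }

  // Parenthood and endowment: `parent` creates `child` and obtains the only
  // reference to it; the child is born with a subset of the parent's references.
  create(parent, child, endowments = []) {
    if (this.refs.has(child)) throw new Error(`${child} already exists`);
    this.ensure(parent); this.ensure(child);
    for (const e of endowments) {
      if (!this.holds(parent, e)) throw new Error(`${parent} cannot endow ${e}: no reference`);
      this.refs.get(child).add(e);
    }
    this.refs.get(parent).add(child);
  }

  // Introduction: `sender` sends `recipient` a message carrying a reference to
  // `subject`. Rule 1 requires a reference to the recipient; a reference to the
  // subject is needed because only held references can be sent.
  introduce(sender, recipient, subject) {
    if (!this.holds(sender, recipient)) throw new Error(`${sender} has no reference to ${recipient}`);
    if (!this.holds(sender, subject)) throw new Error(`${sender} has no reference to ${subject}`);
    this.refs.get(recipient).add(subject);
  }

  // Everything `start` could ever reach: the transitive closure over current
  // edges. Any reference obtained later must arrive along one of these paths,
  // since a sender can only pass on references it already holds.
  reachable(start) {
    const seen = new Set();
    const stack = [start];
    while (stack.length) {
      const n = stack.pop();
      if (seen.has(n)) continue;
      seen.add(n);
      for (const m of this.refs.get(n) || []) stack.push(m);
    }
    seen.delete(start);
    return [...seen].sort();
  }
}

// Constructed scenario: a Kernel creates an App endowed with a Logger but not
// with the Disk, and a Guest endowed with nothing at all.
function scenario() {
  const g = new ReferenceGraph();
  g.addInitial('Kernel', 'Disk');
  g.addInitial('Kernel', 'Logger');
  g.create('Kernel', 'App', ['Logger']);
  g.create('Kernel', 'Guest');
  // App holds neither Guest nor Disk, so this introduction is refused.
  let blocked = false;
  try { g.introduce('App', 'Guest', 'Disk'); } catch (e) { blocked = true; }
  // Kernel holds both App and Disk, so it may introduce them.
  g.introduce('Kernel', 'App', 'Disk');
  return { g, blocked };
}
```

Because `reachable` inspects only the edges, not what any object's code does, it is the kind of connectivity analysis the text describes: it stays valid even when App or Guest run unknown code, since that code cannot add edges the rules forbid.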

Glossary of related terms

object-capability system
A computational system that implements principles described in this article.

object
An object has local state and behavior. An object in this sense is both a subject and an object in the sense used in the access control literature. In the Actor model, this concept is called an "actor".

reference
An unforgeable communications channel (protected pointer, opaque address) that unambiguously designates a single object, and provides permission to send messages to that object. In the Actor model, this concept is called an "address".

message
What is sent on a reference. Depending on the system, messages may or may not themselves be first-class objects.

request
An operation in which a message is sent on a reference. When the message is received, the receiver will have access to any references included in the message.

attenuation
A common design pattern in object-capability systems: given one reference of an object, create another reference for a proxy object with certain security restrictions, such as only permitting read-only access or allowing revocation. The proxy object performs security checks on messages that it receives and passes on any that are allowed. Deep attenuation refers to the case where the same attenuation is applied transitively to any objects obtained via the original attenuated object, typically by use of a "membrane".
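The difference between shallow and deep attenuation is shown by the following added example (not from the article). The target is a constructed directory object whose `subdir` message hands out further directories. `readOnlyFacet` attenuates one directory but leaks: the child it returns still carries `writeFile`. `makeReadOnlyMembrane` applies the same read-only facet to every directory reached through it and supports revocation of the whole tree in one step. The directory interface and the facet shapes are assumptions of the example; production membranes typically use `Proxy` to wrap arbitrary objects generically, whereas this one is specialised to the directory interface.

```javascript
'use strict';

// Constructed target object: a directory holding files and subdirectories.
function makeDirectory(name) {
  const files = new Map();
  const children = new Map();
  return {
    name,
    readFile: (file) => files.get(file),
    writeFile: (file, data) => { files.set(file, data); },
    subdir: (child) => {
      if (!children.has(child)) children.set(child, makeDirectory(`${name}/${child}`));
      return children.get(child);
    },
  };
}

// Shallow attenuation: a read-only facet of ONE directory. Only the allowed
// messages are forwarded, but `subdir` returns the raw child, whose `writeFile`
// is reachable again. Authority leaks through the returned object.
function readOnlyFacet(dir) {
  return Object.freeze({
    name: dir.name,
    readFile: (file) => dir.readFile(file),
    subdir: (child) => dir.subdir(child),
  });
}

// Deep attenuation with a membrane: every directory obtained through the facet
// is wrapped in the same kind of facet, and one revoke() cuts off the whole
// tree. The WeakMap keeps wrapping one-to-one, so the same child always yields
// the same facet (identity is preserved on the attenuated side).
function makeReadOnlyMembrane(root) {
  let revoked = false;
  const facets = new WeakMap();
  const check = () => { if (revoked) throw new Error('capability revoked'); };

  function wrap(dir) {
    if (facets.has(dir)) return facets.get(dir);
    const facet = Object.freeze({
      get name() { check(); return dir.name; },
      readFile: (file) => { check(); return dir.readFile(file); },
      subdir: (child) => { check(); return wrap(dir.subdir(child)); },
    });
    facets.set(dir, facet);
    return facet;
  }

  return { facet: wrap(root), revoke: () => { revoked = true; } };
}

function demo() {
  const root = makeDirectory('root');
  root.subdir('etc').writeFile('config', 'debug=false');

  const shallow = readOnlyFacet(root);
  const leakedWrite = typeof shallow.subdir('etc').writeFile === 'function'; // true: leak

  const { facet, revoke } = makeReadOnlyMembrane(root);
  const deepRead = facet.subdir('etc').readFile('config');     // 'debug=false'
  const deepWrite = facet.subdir('etc').writeFile;             // undefined: attenuated
  const sameFacet = facet.subdir('etc') === facet.subdir('etc'); // true

  revoke();
  let revokedBlocks = false;
  try { facet.subdir('etc'); } catch (e) { revokedBlocks = true; }

  return { leakedWrite, deepRead, deepWrite, sameFacet, revokedBlocks, root };
}
```

Note that revocation affects only holders of the membrane's facet; the creator, who still holds the raw `root`, is unaffected, which is exactly the asymmetry a revocable grant is meant to provide.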

Implementations

Almost all historical systems that have been described as "capability systems" can be modeled as object-capability systems. (Note, however, that some uses of the term "capability" are not consistent with the model, such as POSIX "capabilities".)

KeyKOS, EROS, CapROS, Coyotos, seL4, OKL4 and Fiasco.OC are secure operating systems that implement the object-capability model.

Languages that implement object capabilities

  • Act 1 (1981)
  • Eden (1985)
  • Vulcan (1986)
  • Emerald (1987)
  • Trusty Scheme (1992)
  • W7 (1995)
  • Joule (1996)
  • Original-E (1997)
  • E (1998)
  • J-Kernel (1999)
  • Oz-E (2005)
  • Joe-E (2005)
  • CaPerl (2006)
  • Emily (2006)
  • Caja (2007 — present)
  • Jacaranda (2008-9)

Relationship of the Object-capability model and the Actor model

Most of the object-capability model was first formalized as the Actor model of concurrent computation. However, there are a few differences between the object-capability model and the Actor model:
  • Since object-capability systems differ regarding concurrency control, storage management, equality, typing, the primitiveness of messages, and the ordering of message delivery, the object-capability model by itself is neutral on these issues. By contrast, the Actor model does specify some of these elements. In this sense, the Object-capability model corresponds most directly to the Actor locality laws taken by themselves.
  • The object-capability model requires a loader (eval, exec) having the property of loader isolation. A loader loads data describing behavior (code, script, lambda expression) together with an initial state (c-list, environment, instance variable frame, acquaintances) to create a new object. A loader obeys loader isolation if the new object's only initial references are from the explicitly provided state, with no implicit grants by the loader itself. On the other hand, the Actor model simply requires that loaders, evaluators, etc. obey the laws for actors. The Java ClassLoader violates loader isolation, making confinement of unexamined loaded code impossible.
  • There are minor differences in the preferred terminology used for the two models (see "Glossary of related terms" above).
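The loader-isolation property can be made concrete with the following added example (it is not from the article and is not a model of Java's ClassLoader). Both loaders take behaviour as source text plus an explicit c-list and return a new object; `isolatingLoader` binds exactly the c-list names, while `leakyLoader` also binds every authority the loader itself happens to hold, which is the implicit grant that loader isolation forbids. The plugin source and the authorities are constructed. One caveat: `new Function` still evaluates in the ordinary JavaScript global scope, so the example demonstrates a loader that adds no grants of its own; keeping ambient globals out of reach is the separate problem covered under the loopholes section above.

```javascript
'use strict';

// Constructed authorities that the loading code happens to hold.
function makeAuthorities() {
  return {
    log: (line) => `log: ${line}`,
    shutdown: () => 'system shut down',
  };
}

// Isolating loader: the new object's free variables are exactly the keys of the
// c-list, bound to the values the caller explicitly provided. Nothing else the
// loader holds is visible to the loaded code.
function isolatingLoader(source, cList) {
  const names = Object.keys(cList);
  const factory = new Function(...names, `return (${source});`);
  return factory(...names.map((n) => cList[n]));
}

// Leaky loader: same interface, but it also binds all of its own authorities,
// whether or not the caller put them in the c-list. This is an implicit grant
// by the loader and therefore a violation of loader isolation.
function leakyLoader(source, cList, loaderAuthorities) {
  return isolatingLoader(source, { ...loaderAuthorities, ...cList });
}

// Untrusted behaviour as text. It uses `log`, which will be in its c-list, and
// `shutdown`, which will not be.
const PLUGIN_SOURCE = `({
  greet: (who) => log('hello ' + who),
  halt: () => shutdown(),
})`;

function demo() {
  const auth = makeAuthorities();
  const cList = { log: auth.log }; // only the logger is granted

  const isolated = isolatingLoader(PLUGIN_SOURCE, cList);
  let haltBlocked = false;
  try { isolated.halt(); } catch (e) { haltBlocked = e instanceof ReferenceError; }

  const leaky = leakyLoader(PLUGIN_SOURCE, cList, auth);
  return {
    greet: isolated.greet('ocap'), // 'log: hello ocap'
    haltBlocked,                    // true: `shutdown` is not defined for the isolated object
    leakyHalt: leaky.halt(),        // 'system shut down': granted implicitly by the loader
  };
}
```

With the isolating loader, confinement of the loaded code reduces to auditing the c-list; with the leaky loader, every authority the loader holds must be assumed reachable by whatever it loads.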


Of course, some systems have all the properties required by both models, and so are both Object-capability systems and Actor systems.

See also

  • Capability-based security
  • Capability-based addressing
  • Actor model
  • the E-rights Wiki
  • google-caja
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.