
Solution Model: Capabilities

Definition of Capability


Models of Capability Behavior

Naivete and security

A capability is a reference to an object together with a set of access rights. In the simplest (base) case, a reference to an object can itself be thought of as a capability on that object. When the reference is the capability, the "access rights" are all the method calls that read or write information "outside", where "outside" means a person, the operating system, or the hardware: in general, anything that would require system privileges in another system.

Throughout this discussion we will treat all capabilities as base case capabilities, i.e., we will treat all object references as capabilities. With Java, this simple mapping of a capability onto a reference can be made sufficient to handle all cases, as discussed later.

A key concept to wrap your mind around (perhaps the key concept) in order to start thinking in the "Path of True Security" is expressivity. You cannot tell someone to do something if you have no way of expressing the request. Capability security frequently takes the form of never giving the untrusted object the ability to express a dangerous request in the first place. Once you are in the habit of thinking in terms of expressivity, you are over halfway to the goal of thinking in terms of capabilities.

Expressivity lets you get rid of "if" statements: if the object cannot express an invalid request, you never have to check whether it made one. Because expressivity is so fundamental to capability-based thinking, we will look at a couple of examples.
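To make the expressivity point concrete before the tutorial's own examples, here is an added illustration in Java (written for this page, not code from the tutorial) contrasting the "if"-statement style with handing the untrusted object a read-only facet; the Log, LogReader and untrustedConsumer names are invented for the illustration.

```java
// Added example, not from the tutorial: attenuate a reference so that an
// untrusted object has no way to express a write request at all.
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class ExpressivityDemo {
    // Full-authority capability: anyone holding a Log reference can read and write.
    static final class Log {
        private final List<String> entries = new ArrayList<>();
        void append(String entry) { entries.add(entry); }
        List<String> entries() { return Collections.unmodifiableList(entries); }
    }

    // Read-only facet: a separate object that forwards only the read method.
    // A holder of a LogReader cannot even name append(), so nothing needs checking.
    interface LogReader { List<String> entries(); }

    static LogReader readOnlyFacet(Log log) {
        // The lambda captures the Log privately; it is not castable back to Log.
        return () -> log.entries();
    }

    // The "if" style the text describes: the caller holds the full reference and
    // the callee must remember to check a flag on every write.
    static void appendChecked(Log log, boolean callerMayWrite, String entry) {
        if (!callerMayWrite) throw new SecurityException("write not permitted");
        log.append(entry);
    }

    // Untrusted code: its parameter type fixes what it is able to express.
    static int untrustedConsumer(LogReader reader) {
        // reader.append("x");  // does not compile: the request is inexpressible
        return reader.entries().size();
    }

    public static void main(String[] args) {
        Log log = new Log();
        log.append("boot");
        LogReader facet = readOnlyFacet(log);            // hand out only the facet
        System.out.println("untrusted saw " + untrustedConsumer(facet) + " entry");
        appendChecked(log, true, "audit");                // trusted path still writes
        System.out.println(log.entries());                // [boot, audit]
    }
}
```

The facet version removes the runtime check entirely: the only way the untrusted consumer could write is to obtain a Log reference, and it was never given one.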