ABSTRACT
Existing systems often do a poor job of meeting the principle of least privilege. I will discuss how object capability systems and language-based methods can help address this shortcoming. In language-based object capability systems, an object reference is treated as a capability; unforgeability of references ensures unforgeability of capabilities; and all privileges are expressed as capabilities in this way. This makes it possible to decompose the system into distrusting "privilege-separated" components, providing each component with the least privilege it needs to do its job; to reason about the privileges and powers available to various program elements, often in a local (modular) way; and to avoid common pitfalls, such as confused deputy and TOCTTOU vulnerabilities. I will attempt to introduce the audience to some work in this area that is perhaps not so widely known, and I will describe some work in progress to construct a subset of Java, called Joe-E, that is intended to enable capability-style programming using a programming syntax that is familiar to Java programmers.
Index Terms
- Object capabilities for security
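The abstract's central idea, that a reference is the authority and that passing references rather than names sidesteps the confused deputy, sketched below as an added example in plain Java (not Joe-E code, and not from the talk). `Writer`, `Log`, `ReportService` and the name registry are hypothetical stand-ins for files and a file system.

```java
import java.util.Map;

// Added illustration of the capability discipline the abstract describes:
// a reference IS the authority, and the only way to get one is to be handed it.
interface Writer { void write(String text); }   // the capability to append

final class Log {                               // stand-in for a file
    private final StringBuilder text = new StringBuilder();
    String contents() { return text.toString(); }
    Writer writer() { return text::append; }    // attenuated: write-only view
}

final class ReportService {                     // the "deputy"
    private final Writer auditLog;              // the deputy's own authority
    private final Map<String, Log> byName;      // ambient authority (the hazard)
    ReportService(Writer auditLog, Map<String, Log> byName) {
        this.auditLog = auditLog;
        this.byName = byName;
    }

    // Confused deputy: the client supplies a NAME and the deputy resolves it
    // with the deputy's own authority, so a client that may not touch the audit
    // log can still ask for "audit" and the deputy writes there on its behalf.
    void reportByName(String dest, String data) {
        byName.get(dest).writer().write("report: " + data + "\n");
        auditLog.write("generated\n");
    }

    // Capability style: the client passes a Writer it already holds. Whatever it
    // names, the deputy can only write where the client could already write.
    void report(Writer clientOut, String data) {
        clientOut.write("report: " + data + "\n");
        auditLog.write("generated\n");
    }
}

public class Demo {
    public static void main(String[] args) {
        Log audit = new Log(), client = new Log();          // constructed sample
        Map<String, Log> registry = Map.of("audit", audit, "client", client);
        ReportService svc = new ReportService(audit.writer(), registry);

        svc.reportByName("audit", "forged");  // client borrows deputy's authority
        svc.report(client.writer(), "ok");    // client holds no reference to audit
        System.out.println("audit log:\n" + audit.contents());
        // Only "report: forged" reaches the audit log. In the second call there
        // is no name to guess and no path from `client` to `audit`, which is the
        // unforgeability property the abstract relies on.
    }
}
```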