DOI: 10.1145/2489804.2489811
Research article

The need for capability policies

Published: 01 July 2013

Abstract

The object-capability model is one of the industry standards adopted for the implementation of security policies for web-based software. Object-capabilities in various forms are supported by programming languages such as E, Joe-E, Newspeak, Grace, and the newer versions of Javascript. Unfortunately, code written using capabilities tends to concentrate on the low-level mechanism rather than the high-level policy.
In this position paper, we argue that current specification methodologies cannot adequately capture all aspects of the capability policies required to support object-capability systems. We outline informally the features that such security policies should support, and we demonstrate (also informally) how we can reason that examples satisfy the capability policies.




Published In

FTfJP '13: Proceedings of the 15th Workshop on Formal Techniques for Java-like Programs
July 2013
52 pages
ISBN:9781450320429
DOI:10.1145/2489804

Sponsors

  • CNRS: Centre National de la Recherche Scientifique
  • UM2: University Montpellier 2
  • AITO: Association Internationale pour les Technologies Objets

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Grace
  2. Java
  3. JavaScript
  4. object-capability security
  5. security

Qualifiers

  • Research-article

Conference

ECOOP '13

Acceptance Rates

FTfJP '13 paper acceptance rate: 7 of 14 submissions (50%)
Overall acceptance rate: 51 of 75 submissions (68%)

Article Metrics

  • Downloads (last 12 months): 7
  • Downloads (last 6 weeks): 1
Reflects downloads up to 07 Mar 2025

Cited By

  • (2021) Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1821-1838. DOI: 10.1145/3460120.3484535. Online publication date: 12 Nov 2021.
  • (2020) Holistic Specifications for Robust Programs. Fundamental Approaches to Software Engineering, pp. 420-440. DOI: 10.1007/978-3-030-45234-6_21. Online publication date: 17 Apr 2020.
  • (2016) Permission and Authority Revisited towards a formalisation. Proceedings of the 18th Workshop on Formal Techniques for Java-like Programs, pp. 1-6. DOI: 10.1145/2955811.2955821. Online publication date: 17 Jul 2016.
  • (2016) Reasoning about Object Capabilities with Logical Relations and Effect Parametricity. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 147-162. DOI: 10.1109/EuroSP.2016.22. Online publication date: Mar 2016.
  • (2016) On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks. 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 150-163. DOI: 10.1109/CSF.2016.18. Online publication date: Jun 2016.
  • (2015) Swapsies on the Internet. Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security, pp. 2-15. DOI: 10.1145/2786558.2786564. Online publication date: 4 Jul 2015.
  • (2014) Dynamic detection of object capability violations through model checking. ACM SIGPLAN Notices 50(2), pp. 103-112. DOI: 10.1145/2775052.2661099. Online publication date: 14 Oct 2014.
  • (2014) Dynamic detection of object capability violations through model checking. Proceedings of the 10th ACM Symposium on Dynamic Languages, pp. 103-112. DOI: 10.1145/2661088.2661099. Online publication date: 20 Oct 2014.
  • (2014) Rationally Reconstructing the Escrow Example. Proceedings of the 16th Workshop on Formal Techniques for Java-like Programs, pp. 1-6. DOI: 10.1145/2635631.2635850. Online publication date: 28 Jul 2014.
  • (2014) Declarative Policies for Capability Control. Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, pp. 3-17. DOI: 10.1109/CSF.2014.9. Online publication date: 19 Jul 2014.
