Extending the Object-Capability Model with Fine-Grained Type-Based Capabilities

By: Roland Wismüller, Damian Ludwig, Felix Breitweiser


Although the Principle Of Least Authority (POLA) is a well-recognized guideline for building secure software systems, there is actually a lack of concepts that really encourage programmers to use POLA consequently. The best support for POLA is currently offered by secure languages based on the Object-Capability (OCap) paradigm, where object references serve as capabilities for accessing objects. However, the OCap model just controls the overall accessibility of objects, it does not directly support fine-grained control over the use of specific operations on these objects. While access control at the level of individual methods can be implemented by using the membrane pattern, this approach creates a heavy burden for the programmer, may lead to performance problems, and suffers from the fact that it is difficult to determine the minimum permissions that must be granted. In this paper, we present a type-based split capability model, where the access permissions granted by a reference are restricted by the type of the variables used to send and receive that reference. In this way, required and granted permissions are directly represented in the type definition of a software component’s interface. Furthermore, compliance with access restrictions can often be checked statically when a software component is deployed, thus avoiding the run-time overhead of using a membrane. In the case where membranes are needed to enforce access control at run-time, these membranes are automatically built by the run-time system. As a foundation for this model, we specify type checking rules that prevent software components from from amplifying their authority by downcasting a reference to a more permissive type. Finally, we identify the necessary requirements for the run-time system as well as the run-time overhead induced by our security model.


Access control, Object-capability model, Capabilities, Type system.

Cite as:

Roland Wismüller, Damian Ludwig, Felix Breitweiser, “Extending the Object-Capability Model with Fine-Grained Type-Based Capabilities”, Journal of Object Technology, Volume 23, no. 1 ( 2024), pp. 1:1-36, doi:10.5381/jot.2024.23.1.a1.

PDF | DOI | BiBTeX | Tweet this | Post to CiteULike | Share on LinkedIn

The JOT Journal   |   ISSN 1660-1769   |   DOI 10.5381/jot   |   AITO   |   Open Access   |    Contact