/awesome-ocap

Awesome Object Capabilities and Capability Security

The UnlicenseUnlicense

Awesome Object Capabilities and Capability-based Security

Awesome

Capability-based security enables the concise composition of powerful patterns of cooperation without vulnerability.

In 3 minutes:

In 15 minutes:

Or for a detailed explanation: What Are Capabilities? 2017 by Morningstar.

Contents

Applications and Services

Libraries and Frameworks

Programming Languages

  • Pony is an open-source, object-oriented, actor-model, capabilities-secure, high performance programming language.

  • Austral - a systems language with linear types and capability security

  • Newspeak is an object-capability programming platform that lets you develop code in your web browser. Like Self, Newspeak is message-based; all names are dynamically bound. However, like Smalltalk, Newspeak uses classes rather than prototypes. The current version of Newspeak runs on top of WASM.

  • Monte is a nascent dynamic programming language reminiscent of Python and E. It is based upon The Principle of Least Authority (POLA), which governs interactions between objects, and a capability-based object model, which grants certain essential safety guarantees to all objects.

    • bootstrapped from rpython (pypy toolchain) and libuv and libsodium using (primarily) the nix build system.
    • Docker images: montelang
    • 2017-03: Monte: A Spiritual Successor to E presented by Corbin Simpson at OCAP 2017
  • Cadence is a smart contract language with resources (linear types) and capability security. Its static type system has direct support for object-capability security. For example, the facade pattern is natively supported, and the type system has special down-casting rules to express access control patterns.

Operating Systems

  • genode is a novel OS architecture that is able to master the complexity of code and policy -- the most fundamental security problem shared by modern general-purpose operating systems -- by applying a strict organizational structure to all software components including device drivers, system services, and applications.

CPUs

  • CHERI is an open source capability CPU design.
    • 2022-01 Arm releases experimental CHERI-enabled Morello board as part of £187M UKRI Digital Security by Design programme CHERI implements architectural capabilities that directly enable software security features such as fine-grained memory protection and scalable software compartmentalisation — both important software vulnerability mitigation techniques that are not well supported on current processor architectures. ... memory-safe C compilation and linkage ...
    • 2019-09 The Arm Morello Board Arm announced Morello, an experimental CHERI-extended, multicore, superscalar ARMv8-A processor, System-on-Chip (SoC), and prototype board to be available from late 2021. Morello is a part of the UKRI £187M Digital Security by Design Challenge (DSbD) supported by the UK Industrial Strategy Challenge Fund, including a commitment of over £50M commitment by Arm.
    • 2019-09 An Introduction to CHERI

      CHERI (Capability Hardware Enhanced RISC Instructions) extends conventional processor Instruction-Set Architectures (ISAs) with architectural capabilities to enable fine-grained memory protection and highly scalable software compartmentalization. CHERI’s hybrid capability-system approach allows architectural capabilities to be integrated cleanly with contemporary RISC architectures and microarchitectures, as well as with MMU-based C/C++- language software stacks.

      CHERI’s capabilities are unforgeable tokens of authority, which can be used to implement both explicit pointers (those declared in the language) and implied pointers (those used by the runtime and generated code) in C and C++. When used for C/C++ memory protection, CHERI directly mitigates a broad range of known vulnerability types and exploit techniques. Support for more scalable software compartmentalization facilitates software mitigation techniques such as sandboxing, which also defend against future (currently unknown) vulnerability classes and exploit techniques.

      We have developed, evaluated, and demonstrated this approach through hardware-software prototypes, including multiple CPU prototypes, and a full software stack. This stack includes an adapted version of the Clang/LLVM compiler suite with support for capability-based C/C++, and a full UNIX-style OS (CheriBSD, based on FreeBSD) implementing spatial, referential, and (currently for userspace) non-stack temporal memory safety. Formal modeling and verification allow us to make strong claims about the security properties of CHERI-enabled architectures.

      This report is a high-level introduction to CHERI. The report describes our architectural approach, CHERI’s key microarchitectural implications, our approach to formal modeling and proof, the CHERI software model, our software-stack prototypes, further reading, and potential areas of future research.

    • June 2016: CHERI ISAv5 specification: improves the maturity of 128-bit capabilities, code efficiency, and description of the protection model.
    • June 2016: CHERI-JNI: Sinking the Java security model into the C, explores how CHERI capabilities can be used to support sandboxing with safe and efficient memory sharing between Java Native Interface (JNI) code and the Java Virtual Machine. ASPLOS 2017
    • May 2016: slides from the first CHERI microkernel workshop, Cambridge, UK in April 2016.

Presentations, Talks, Slides, and Videos

Articles

  • 2018-11 POLA Would Have Prevented the Event-Stream Incident
    Kate Sills, Agoric

  • 2017-06 Capability-Based Network Communication for Capsicum/CloudABI April–June 2017 FreeBSD status report.

  • 2017-05 What Are Capabilities?
    by Chip Morningstar (Hacker News discussion Jan 7, 2018)

  • 2016-08 Welcoming all Python enthusiasts: CPython 3.6 for CloudABI! August 1, 2016 by Ed Schouten

  • 2015-11 Objects as Secure Capabilities Joe Duffy

  • 2009-03 Not One Click for Security Karp, Alan H.; Stiegler, Marc; Close, Tyler, HP Laboratories, HPL-2009-53 Conventional wisdom holds that security must negatively affect usability. We have developed SCoopFS (Simple Cooperative File Sharing) as a demonstration that need not be so. SCoopFS addresses the problem of sharing files, both with others and with ourselves across machines. Although SCoopFS provides server authentication, client authorization, and end-to-end encryption, the user never sees any of that. The user interface and underlying infrastructure are designed so that normal user acts of designation provide all the information needed to make the desired security decisions. While SCoopFS is a useful tool, it may be more important as a demonstration of the usability that comes from designing the infrastructure and user interaction together.

  • 2009-02 ACLs don't Tyler Close, HP Laboratories The ACL model is unable to make correct access decisions for interactions involving more than two principals, since required information is not retained across message sends. Though this deficiency has long been documented in the published literature, it is not widely understood. This logic error in the ACL model is exploited by both the clickjacking and Cross-Site Request Forgery attacks that affect many Web applications

  • 2002-06 DarpaBrowser: Final Report by Marc Stiegler and Mark Miller
    The broad goal of this research was to assess whether capability-based security [Levy84] could achieve security goals that are unachievable with current traditional security technologies such as access control lists and firewalls. The specific goal of this research was to create an HTML browser that could use capability confinement on a collection of plug-replaceable, possibly malicious, rendering engines. In confining the renderer, the browser would ensure that a malicious renderer could do no harm either to the browser or to the underlying system.

Peer-reviewed Articles

See also Usable Security and Capabilities bibliography.

  • D. Devriese, Birkedal, and Piessens
    Reasoning about Object Capabilities with Logical Relations and Effect Parametricity
    1st IEEE European Symposium on Security and Privacy, Congress Center Saar, Saarbrücken, GERMANY, 2016.

  • Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski and Gernot Heiser
    Comprehensive formal verification of an OS microkernel
    ACM Transactions on Computer Systems, Volume 32, Number 1, pp. 2:1-2:70, February, 2014

  • S. Clebsch and S. Drossopoulou
    Fully concurrent garbage collection of actors on many-core machines
    OOPSLA 2013

  • Mark S. Miller, Tom Van Cutsem, Bill Tulloh
    Distributed Electronic Rights in JavaScript
    ESOP'13 22nd European Symposium on Programming, Springer (2013)

  • Maffeis, Sergio, John C. Mitchell, and Ankur Taly. Object capabilities and isolation of untrusted web applications. In 2010 IEEE Symposium on Security and Privacy, pp. 125-140. IEEE, 2010.

  • Barth, Adam, Joel Weinberger, and Dawn Song.
    Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. USENIX security symposium. 2009.

  • Close, T.: Web-key: Mashing with permission. In: W2SP’08. (2008)

  • Miller MS
    Robust composition: towards a unified approach to access control and concurrency control
    Ph.D. Thesis, Johns Hopkins University; 2006.

    When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference.

    Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.

  • Miller, Mark S., E. Dean Tribble, and Jonathan Shapiro. Concurrency among strangers. TGC. Vol. 5. 2005.

  • Mark S. Miller, Chip Morningstar, Bill Frantz
    Capability-based Financial Instruments
    Proc. Financial Cryptography 2000, Springer-Verlag, Anguila, BWI, pp. 349-378.

    Every novel cooperative arrangement of mutually suspicious parties interacting electronically — every smart contract — effectively requires a new cryptographic protocol. However, if every new contract requires new cryptographic protocol design, our dreams of cryptographically enabled electronic commerce would be unreachable. Cryptographic protocol design is too hard and expensive, given our unlimited need for new contracts. Just as the digital logic gate abstraction allows digital circuit designers to create large analog circuits without doing analog circuit design, we present cryptographic capabilities as an abstraction allowing a similar economy of engineering effort in creating smart contracts. We explain the E system, which embodies these principles, and show a covered-call-option as a smart contract written in a simple security formalism independent of cryptography, but automatically implemented as a cryptographic protocol coordinating five mutually suspicious parties