Capabilities: Effects for Free

Object capabilities are increasingly used to reason informally about the properties of secure systems. But can capabilities also aid in formal reasoning? To answer this question, we examine a calculus that uses effects to capture resource use and extend it to support capability-based reasoning. We demonstrate that capabilities provide a way to reason about effects: the effects of an expression can be bounded by the capabilities to which it has access, that is, by the types of the variables in its scope. This reasoning is “free” in that it relies only on type-checking (not effect-checking), does not require the programmer to add effect annotations within the expression, and does not require the expression itself to be analysed for its effects. Our result sheds light on the essence of what capabilities provide and suggests ways of integrating lightweight capability-based reasoning into languages.
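The following is an added illustration of the idea in the abstract, written for this page; it is not the paper's calculus and makes no claim about its exact typing rules. It models a tiny typed lambda calculus in which the only effectful construct is `use` on an unforgeable capability value, and in which annotated library functions carry their latent effects on the arrow type. The bound for an untrusted, unannotated expression is computed from the types of the variables in scope alone, before the expression is run and without inspecting it. The resource names, the sandboxed-plugin scenario and the `run_sandboxed`/`denied` helpers are assumptions made for the example.

```python
"""Added example, not the paper's formal calculus: effects bounded by the
capabilities in scope, using only ordinary type-checking of the term.
Resource names and the plugin scenario are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

# ---- types: Unit, Cap(resource), Arrow(param, latent effects, result) ----
@dataclass(frozen=True)
class Unit: pass
@dataclass(frozen=True)
class Cap:
    resource: str
@dataclass(frozen=True)
class Arrow:
    param: "Type"
    effects: FrozenSet[str]      # latent effects of annotated (library) code
    result: "Type"
Type = Union[Unit, Cap, Arrow]

def resources_in(t: Type) -> FrozenSet[str]:
    """Every resource reachable through a value of type t."""
    if isinstance(t, Cap): return frozenset({t.resource})
    if isinstance(t, Arrow): return resources_in(t.param) | t.effects | resources_in(t.result)
    return frozenset()

def subtype(s: Type, t: Type) -> bool:
    """Arrows: contravariant param, covariant result, effects may shrink."""
    if isinstance(s, Arrow) and isinstance(t, Arrow):
        return subtype(t.param, s.param) and s.effects <= t.effects and subtype(s.result, t.result)
    return s == t

# ---- terms (the untrusted expression carries no effect annotations) ------
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam:
    param: str
    ptype: Type
    body: "Term"
@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"
@dataclass(frozen=True)
class Use: cap: "Term"            # the only effectful construct
@dataclass(frozen=True)
class Seq:
    first: "Term"
    second: "Term"
@dataclass(frozen=True)
class UnitVal: pass
Term = Union[Var, Lam, App, Use, Seq, UnitVal]

def effect_bound(env: Dict[str, Type]) -> FrozenSet[str]:
    """The 'free' bound: a function of the typing environment only."""
    return frozenset().union(*(resources_in(t) for t in env.values()))

def typecheck(term: Term, env: Dict[str, Type]) -> Type:
    if isinstance(term, UnitVal): return Unit()
    if isinstance(term, Var):
        if term.name not in env:
            raise TypeError(f"{term.name} not in scope: capabilities cannot be forged")
        return env[term.name]
    if isinstance(term, Lam):
        inner = {**env, term.param: term.ptype}
        body_t = typecheck(term.body, inner)
        return Arrow(term.ptype, effect_bound(inner), body_t)   # latent effect = what is in scope
    if isinstance(term, App):
        ft, at = typecheck(term.fn, env), typecheck(term.arg, env)
        if not isinstance(ft, Arrow) or not subtype(at, ft.param):
            raise TypeError("ill-typed application")
        return ft.result
    if isinstance(term, Use):
        if not isinstance(typecheck(term.cap, env), Cap):
            raise TypeError("use requires a capability")
        return Unit()
    if isinstance(term, Seq):
        typecheck(term.first, env)
        return typecheck(term.second, env)
    raise TypeError("unknown term")

# ---- runtime: capability values exist only if the sandbox hands them out --
@dataclass(frozen=True)
class CapV: resource: str
@dataclass(frozen=True)
class Closure:
    param: str
    body: Term
    env: dict

def evaluate(term: Term, env: dict, trace: List[str]):
    if isinstance(term, UnitVal): return Unit()
    if isinstance(term, Var): return env[term.name]
    if isinstance(term, Lam): return Closure(term.param, term.body, env)
    if isinstance(term, App):
        f, a = evaluate(term.fn, env, trace), evaluate(term.arg, env, trace)
        if isinstance(f, Closure): return evaluate(f.body, {**f.env, f.param: a}, trace)
        return f(a, trace)                     # annotated builtin, records its own effects
    if isinstance(term, Use):
        trace.append(evaluate(term.cap, env, trace).resource)
        return Unit()
    evaluate(term.first, env, trace)
    return evaluate(term.second, env, trace)

def run_sandboxed(term: Term, types: Dict[str, Type], values: dict):
    """Type-check the untrusted term, run it, return (static bound, observed effects)."""
    typecheck(term, types)
    trace: List[str] = []
    evaluate(term, values, trace)
    return effect_bound(types), trace

def denied(term: Term, types: Dict[str, Type]) -> bool:
    """True if the term cannot be typed with the capabilities offered."""
    try:
        typecheck(term, types)
        return False
    except TypeError:
        return True

# Constructed scenario (assumption): a plugin gets a File capability and an
# annotated logger whose arrow type declares a latent Network effect.
def logger(_arg, trace):
    trace.append("Network")
    return Unit()

PLUGIN_TYPES = {"file": Cap("File"), "log": Arrow(Unit(), frozenset({"Network"}), Unit())}
PLUGIN_VALUES = {"file": CapV("File"), "log": logger}
plugin = Seq(App(Var("log"), UnitVal()),
             App(Lam("f", Cap("File"), Use(Var("f"))), Var("file")))

if __name__ == "__main__":
    bound, seen = run_sandboxed(plugin, PLUGIN_TYPES, PLUGIN_VALUES)
    print(sorted(bound), seen)                 # ['File', 'Network'] ['Network', 'File']
    print(denied(plugin, {"file": Cap("File")}))   # True: no logger, so no Network effect possible
```

The bound is read off `PLUGIN_TYPES` before the plugin body is looked at; the plugin body contributes nothing to it. Withholding `log` shrinks the bound to `{File}`, and a plugin that still names `log` fails ordinary type-checking rather than an effect analysis, which is the sense in which the reasoning is free.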
