Features and object capabilities: reconciling two visions of modularity

The prevalence of threats and attacks in modern systems demands programming techniques that help developers maintain security and privacy. In particular, frameworks for composing components written by multiple parties must enable the authors of each component to erect safeguards against intrusion by other components. Object-capability systems have been particularly prominent for enabling encapsulation in such contexts. We describe the program structures dictated by object capabilities and compare these against those that ensue from feature-oriented programming. We argue that the scalability offered by the latter appears to clash with the precision of authority designation demanded by the former. In addition to presenting this position from first principles, we illustrate it with a case study. We then offer a vision of how this conflict might be reconciled, and discuss some of the issues that need to be considered in bridging this mismatch. Our findings suggest a significant avenue for research at the intersection of software engineering and security.
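The structural contrast the abstract describes, as an added illustration that is not code from the paper: an object-capability component holds only the references it is handed, while a feature refinement superimposed on that component inherits all of them. The classes, the `audit_refinement` mixin and `held_references` are hypothetical; Python is not a capability-safe language, so only the composition structure is the point.

```python
# Added illustration, not code from the paper. Python is not a capability-safe
# language; the point is the structural contrast between two composition styles.

class Logger:
    def __init__(self):
        self.lines = []

    def log(self, msg):
        self.lines.append(msg)

class Secrets:
    """Stands in for sensitive state that an audit feature has no business touching."""
    def __init__(self):
        self.tokens = {"api": "constructed-placeholder-token"}

class Account:
    """Base component, capability style: it can act only through the references it holds."""
    def __init__(self, logger, secrets):
        self._logger = logger
        self._secrets = secrets

    def deposit(self, amount):
        self._logger.log(f"deposit {amount}")
        return amount

def audit_refinement(base):
    """Feature-oriented refinement: a mixin superimposed on the base class. It only
    needs a logger, but it runs inside the whole object, so it inherits every
    reference Account holds, including _secrets."""
    class Audited(base):
        def deposit(self, amount):
            self._logger.log("audit: deposit requested")
            return super().deposit(amount)
    return Audited

class AuditedDeposit:
    """Capability-style composition of the same behaviour: the feature is handed
    exactly the references it needs (one operation and one logger), nothing else."""
    def __init__(self, deposit, logger):
        self._deposit = deposit
        self._logger = logger

    def deposit(self, amount):
        self._logger.log("audit: deposit requested")
        return self._deposit(amount)

def held_references(obj):
    """Direct references an object holds: under object capabilities, its authority."""
    return sorted(vars(obj))
```

Comparing `held_references` for the two compositions shows the refined object reaching `_secrets` that the audit feature never needed, whereas the capability-style wrapper reaches only the operation and the logger it was given.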
