The object-capability model is a computer security model. A capability1 describes a transferable right to perform one (or more) operations on a given object. It can be obtained by the following combination:
- An unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages.
- A message that specifies the operation to be performed.
The security model relies on not being able to forge references.
- Objects can interact only by sending messages on references.
- A reference can be obtained by:
- Initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
- Parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
- Endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
- Introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.
In the object-capability model, all computation is performed following the above rules.
Advantages that motivate object-oriented programming, such as encapsulation or information hiding, modularity, and separation of concerns, correspond to security goals such as least privilege and privilege separation in capability-based programming.
The object-capability model was first proposed by Jack Dennis and Earl C. Van Horn in 19662
-
J.B. Dennis, E.C. Van Horn. “Programming Semantics for Multiprogrammed Computations.” (PDF) Communications of the ACM, 9(3):143–155, March 1966. ↩