Awesome Object Capabilities and Capability-based Security

Capability-based security enables the concise composition of powerful patterns of cooperation without vulnerability. What Are Capabilities? explains in detail.

Contents

• Applications and Services
• Libraries and Frameworks
• Programming Languages
• Operating Systems
• CPUs
• Presentations, Talks, Slides, and Videos
• Articles
  • Peer-reviewed Articles

Applications and Services

• Sandstorm is a self-hosted web productivity suite and App Market with WordPress, Rocket.Chat, IPython Notebook and many more. Sandstorm's Capability-based Security protects you and your data against application bugs.
  • 2020-02-22: Announcing the release of vagrant-spk 1.0
  • 2020-02-03: Reviving Sandstorm - Sandstorm Blog
  • 2017-03-02: connecting to external HTTP APIs via the Powerbox and related powerbox enhancements
    v0.200 (2017-01-28), v0.203
  • 2015-02-06: One click to try an open source web application
• Tahoe-LAFS is a highly available decentralized cloud storage system. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security.
  • 2017-01-18 v1.12.1 released
• capability.io offers capability-based services.
  • 2019-02-28: Delegation: The Missing Piece of Authorization talk by Tristan Slominski at the Austin Node.js meetup
  • 2018-12-16: Membrane Service (Early Access) solves the problem of being able to delegate authority in a decentralized manner. It does this by using capabilities and offering capability-based authorization at any scale in accordance with any policy via membranes.
    By Tristan Slominski -
  • 2018-12-22: Certificate Manager Service (Early Access) simplifies public Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate management while letting you deploy those certificates wherever you like.
    By Tristan Slominski

Libraries and Frameworks

• JavaScript

  • Secure EcmaScript (SES) is a fail-stop subset of ES5. SES should compatibly run all ES5 code that follows recognized ES5 best practices. The SES restrictions support the writing of defensively consistent abstractions -- object abstractions that can defend their integrity while being exposed to untrusted but confined objects.
    • 2020-03-31: SES-0.7.6 9385d44
    • 2018-10-15: SF Cryptocurrency Devs: Agoric - Programming Secure Smart Contracts
    • 2018-07-28: Agoric Releases SES: Secure JavaScript f4d3d5a
    • Distributed Resilient Secure ECMAScript (Dr. SES) ESOP 2013
  • Caja is a compiler for making third-party HTML, CSS and JavaScript safe for embedding. Caja safely supports mashups and extends JSON with code.
    • Apr 2, 2018: release v6013 964609d
    • 12 Jan 2017: release v6011 74ba0da
  • Capper is a web application server built on Node.js/Express using the Waterken webkey protocol for object capability security.
    • fun with Capper and OFX financial transaction fetching Jan 2016 to cap-talk

• C++

  • Cap’n Proto is a high performance serialization and RPC protocol with distributed and persistent capabilities and promise pipelining. Bindings to python, JavaScript (in node.js), Go, Rust, etc. are available
    • 2020-04-23: Cap'n Proto: Cap'n Proto 0.8: Streaming flow control, HTTP-over-RPC, fibers, etc.
    • 2014-12-15: Cap'n Proto 0.5, and how it is central to Sandstorm by Kenton Varda

• Scheme (racket)

  • Spritely

    • 2020-05-13 Spritely's NLNet grant: Interface Discovery for Distributed Systems -- DustyCloud Brainstorms

  • COAST is COmputAtional State Transfer, An Architectural Style for Secure Decentralized Systems. The sole means of interaction among computations is the asynchronous messaging. Motile is a single-assignment, functional, and mobile code language based on Scheme

    • Gorlick, Michael M., and Richard N. Taylor.
      Motile: Reflecting an Architectural Style in a Mobile Code Language. (2013).
    • Baquero, Alegria.
      COASTmed: software architectures for delivering customizable, policy-based differential web services. Companion Proceedings of the 36th International Conference on Software Engineering. ACM, 2014.

  • Shill: Shill is a shell scripting language designed to make it easy to follow the Principle of Least Privilege. It runs on FreeBSD and is developed in Racket.

    • Shill: A Secure Shell Scripting Language. Scott Moore, Christos Dimoulas, Dan King, and Stephen Chong. 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2014.

• Scala

  • ocaps is a library for working with object capabilities in Scala.
    • Revoker / Revocable classes for revoking capabilities.
    • Brand for sealing and unsealing capabilities
    • PermeableMembrane for revocation as an effect.
    • Macros for composition, attenuation, revocable and modulating capabilities.
  • Comes with a guide to capabilities
    • 2018-06-20 v0.1.0 released
    • 2018-09-22 Presentation at Scaladays

• rust

  • cap-std Capability-oriented version of the Rust standard library
    0.4.0 Sep 24, 2020
  • Using Capabilities to Design Safer, More Expressive APIs Zack Mullaly Jan 19, 2018

• Network protocols, sans I/O supports object capability discipline by letting the caller handle network access.

Programming Languages

• Pony is an open-source, object-oriented, actor-model, capabilities-secure, high performance programming language.

  • March 22, 2019: 0.28.0 Released 0e67d08
  • bootstrapped using LLVM on x86 and ARM; packaged for linux and Mac OS X
  • docker images: ponylang
  • Fully concurrent garbage collection of actors on many-core machines
    S. Clebsch and S. Drossopoulou
    OOPSLA 2013

• Monte is a nascent dynamic programming language reminiscent of Python and E. It is based upon The Principle of Least Authority (POLA), which governs interactions between objects, and a capability-based object model, which grants certain essential safety guarantees to all objects.

  • bootstrapped from rpython (pypy toolchain) and libuv and libsodium using (primarily) the nix build system.
  • Docker images: montelang
  • 2017-03: Monte: A Spiritual Successor to E presented by Corbin Simpson at OCAP 2017

Operating Systems

• genode is a novel OS architecture that is able to master the complexity of code and policy -- the most fundamental security problem shared by modern general-purpose operating systems -- by applying a strict organizational structure to all software components including device drivers, system services, and applications.
  • 2020-05-28 Genode OS Framework 20.05 with Capability-based security using seccomp on Linux, ...
  • 2020-05-07: MNT Reform - The Campaign is Live

    we’re collaborating with Genode Labs to ship Genode for Reform.

  • 2020-03-10: Sculpt OS release 20.02 Version 20.02 of the Sculpt operating system revisits the administrative user interface for a more intuitive and logical user experience.
  • 2020-02-28: Genode OS Framework release 20.02 With version 20.02, Genode makes Sculpt OS fit for running on i.MX 64-bit ARM hardware, optimizes the performance throughout the entire software stack, and takes the next evolutionary step of the user-facing side of Sculpt OS.
  • 2020-01-20: Road Map for 2020
  • 2019-05: Genode OS Framework Foundations book (PDF)
  • Genode OS Framework release 17.11 Nov 30, 2017

    Most of the many improvements of version 17.11 are geared towards the practical use of Genode as day-to-day OS. They include a reworked GUI stack, new user-input features, and the packaging of many components. The new version also revises the boot concept on x86, updates the seL4 kernel, and enhances Genode's user-level networking facilities.

• seL4 is the world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement; it is available as open source.

  • 2020-05-25 The seL4® Microkernel An Introduction Gernot Heiser
  • 2020-04-08: seL4 developers create open source foundation to enable safer, more secure and more reliable computing systems - CSIRO
  • Getting started with seL4, CAmkES, and L4v: Dependencies MAY 19, 2017
  • seL4 on the Raspberry Pi 3 FEBRUARY 8, 2017
  • Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski and Gernot Heiser
    Comprehensive formal verification of an OS microkernel
  • Thomas Sewell, Simon Winwood, Peter Gammie, Toby Murray, June Andronick and Gerwin Klein
    seL4 enforces integrity
    International Conference on Interactive Theorem Proving, pp. 325-340, Nijmegen, The Netherlands, August, 2011

    Abstract. We prove the enforcement of two high-level access control properties in the seL4 microkernel: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority con- finement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.

• Capsicum Capsicum is a lightweight OS capability and sandbox framework that extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems

  • 2019-10 Capsicum Update 2019 by Mariusz Zaborski in FreeBSD Journal: Security

  • 2017-07-19 Capsicum Go support Ben Laurie

  • Capsicum for FreeBSD

  • Capsicum for Linux

  • Watson, R. N. M. 2013 Capsicum year in review. Light Blue Touchpaper, 20 December, 2013. Robert Watson reviews Capsicum events from 2013: work funded by the FreeBSD Foundation and Google on FreeBSD 10.0, Casper in FreeBSD 11, David Drysdale's port of Capsicum to Linux at Google, Summer of Code students, joint work with the University of Wisconsin on Capsicum, and future funded Capsicum work.

• Fuchsia is a real-time operating system in development by Google since Aug 2016. It's based on a microkernel, Magenta, with a capability security model.

  • 2020-06-09 Playing Around With The Fuchsia Operating System - Quarkslab's blog

• CloudABI is a runtime environment for Unix-like systems that introduces dependency injection to full Unix applications. Instead of allowing applications to open arbitrary files on disk and connect to arbitrary systems on the network, you as a user exactly inject those resources that the application should access.

  • reference platform: FreeBSD
  • Capability-Based Network Communication for Capsicum/CloudABI April–June 2017 FreeBSD status report.
    • ARPC: GRPC-Like RPC Library That Supports File Descriptor Passing
    • Flower: A Label-Based Network Backplane
  • Kumina sponsoring CloudABI: practical sandboxing for UNIX October 14th, 2016
  • Welcoming all Python enthusiasts: CPython 3.6 for CloudABI! August 1, 2016 by Ed Schouten

• cosix is a capability-based operating system that consists of a small kernel that provides memory management and inter-process communication, and a userland that provides an IP stack and filesystems. The capability enforcing mechanism comes from implementing only CloudABI as an Application Binary Interface between the userland and the kernel.

  • 2017-06-17: Release of Cosix 1.0

• Barrelfish is a research operating system motivated by two closely related trends in hardware design: the rapidly growing number of cores and the increasing diversity in computer hardware. Barrelfish uses a single model of capabilities to control access to all physical memory, kernel objects, communication end-points, and other miscellaneous access rights.

  • release2016-07-20

CPUs

• CHERI is an open source capability CPU design.
  • 2019-09 The Arm Morello Board Arm announced Morello, an experimental CHERI-extended, multicore, superscalar ARMv8-A processor, System-on-Chip (SoC), and prototype board to be available from late 2021. Morello is a part of the UKRI £187M Digital Security by Design Challenge (DSbD) supported by the UK Industrial Strategy Challenge Fund, including a commitment of over £50M commitment by Arm.
  • 2019-09 An Introduction to CHERI

    CHERI (Capability Hardware Enhanced RISC Instructions) extends conventional processor Instruction-Set Architectures (ISAs) with architectural capabilities to enable fine-grained memory protection and highly scalable software compartmentalization. CHERI’s hybrid capability-system approach allows architectural capabilities to be integrated cleanly with contemporary RISC architectures and microarchitectures, as well as with MMU-based C/C++- language software stacks.

    CHERI’s capabilities are unforgeable tokens of authority, which can be used to implement both explicit pointers (those declared in the language) and implied pointers (those used by the runtime and generated code) in C and C++. When used for C/C++ memory protection, CHERI directly mitigates a broad range of known vulnerability types and exploit techniques. Support for more scalable software compartmentalization facilitates software mitigation techniques such as sandboxing, which also defend against future (currently unknown) vulnerability classes and exploit techniques.

    We have developed, evaluated, and demonstrated this approach through hardware-software prototypes, including multiple CPU prototypes, and a full software stack. This stack includes an adapted version of the Clang/LLVM compiler suite with support for capability-based C/C++, and a full UNIX-style OS (CheriBSD, based on FreeBSD) implementing spatial, referential, and (currently for userspace) non-stack temporal memory safety. Formal modeling and verification allow us to make strong claims about the security properties of CHERI-enabled architectures.

    This report is a high-level introduction to CHERI. The report describes our architectural approach, CHERI’s key microarchitectural implications, our approach to formal modeling and proof, the CHERI software model, our software-stack prototypes, further reading, and potential areas of future research.

  • June 2016: CHERI ISAv5 specification: improves the maturity of 128-bit capabilities, code efficiency, and description of the protection model.
  • June 2016: CHERI-JNI: Sinking the Java security model into the C, explores how CHERI capabilities can be used to support sandboxing with safe and efficient memory sharing between Java Native Interface (JNI) code and the Java Virtual Machine. ASPLOS 2017
  • May 2016: slides from the first CHERI microkernel workshop, Cambridge, UK in April 2016.

Presentations, Talks, Slides, and Videos

- 2019-02-28: [Delegation: The Missing Piece of Authorization](https://capability.io/blog/2019/02/28/delegation-the-missing-piece-of-authorization) talk by Tristan Slominski at the Austin Node.js meetup

• CloudABI - Pure capability-based security for UNIX
  Ed Schouten, 32nd Chaos Communication Congress (32C3), Dec 2015

• Secure Distributed Programming with Object-capabilities in JavaScript

  • Oct 2011 video

• Bringing Object-orientation to Security Programming

  • Nov 2011 video

• Passwords or Webkeys: Which is More Secure?
  video by Marc Stiegler Feb 2012

• Barth, Adam, Joel Weinberger, and Dawn Song.
  Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. USENIX security symposium. 2009.

• Sargent, Will Security in Scala: Refined Types and Object Capabilities Scaladays NYC 2018.

Articles

• POLA Would Have Prevented the Event-Stream Incident
  Nov 30, 2018 Kate Sills, Agoric

• What Are Capabilities?
  May 7, 2017 by Chip Morningstar (Hacker News discussion Jan 7, 2018)

Peer-reviewed Articles

See also Usable Security and Capabilities bibliography.

• D. Devriese, Birkedal, and Piessens
  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity
  1st IEEE European Symposium on Security and Privacy, Congress Center Saar, Saarbrücken, GERMANY, 2016.

• Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski and Gernot Heiser
  Comprehensive formal verification of an OS microkernel
  ACM Transactions on Computer Systems, Volume 32, Number 1, pp. 2:1-2:70, February, 2014

• S. Clebsch and S. Drossopoulou
  Fully concurrent garbage collection of actors on many-core machines
  OOPSLA 2013

• Mark S. Miller, Tom Van Cutsem, Bill Tulloh
  Distributed Electronic Rights in JavaScript
  ESOP'13 22nd European Symposium on Programming, Springer (2013)

• Barth, Adam, Joel Weinberger, and Dawn Song.
  Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. USENIX security symposium. 2009.

• Close, T.: Web-key: Mashing with permission. In: W2SP’08. (2008)

• Miller MS
  Robust composition: towards a unified approach to access control and concurrency control
  Ph.D. Thesis, Johns Hopkins University; 2006.

  When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference.

  Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.

• Miller, Mark S., E. Dean Tribble, and Jonathan Shapiro. Concurrency among strangers. TGC. Vol. 5. 2005.

• Mark S. Miller, Chip Morningstar, Bill Frantz
  Capability-based Financial Instruments
  Proc. Financial Cryptography 2000, Springer-Verlag, Anguila, BWI, pp. 349-378.

  Every novel cooperative arrangement of mutually suspicious parties interacting electronically — every smart contract — effectively requires a new cryptographic protocol. However, if every new contract requires new cryptographic protocol design, our dreams of cryptographically enabled electronic commerce would be unreachable. Cryptographic protocol design is too hard and expensive, given our unlimited need for new contracts. Just as the digital logic gate abstraction allows digital circuit designers to create large analog circuits without doing analog circuit design, we present cryptographic capabilities as an abstraction allowing a similar economy of engineering effort in creating smart contracts. We explain the E system, which embodies these principles, and show a covered-call-option as a smart contract written in a simple security formalism independent of cryptography, but automatically implemented as a cryptographic protocol coordinating five mutually suspicious parties