[cap-talk] Wikipedia: Object-capability model

Mark S. Miller markm at cs.jhu.edu
Fri Jan 5 10:15:27 CST 2007 

Ka-Ping Yee wrote:
> I think it's high time Wikipedia had an article entitled
> "Object-capability model".  Here's what i think should go in the
> main definition of the term:
> 
>     - Objects access or designate other objects through unforgeable
>       references (pointers).
> 
>     - Computation is performed by sending messages along these
>       references to other objects.
> 
>     - One comes to have a reference to an object via (a) creation,
>       (b) endowment, or (c) introduction.
> 
> Is that enough for a precise definition?

No, but it's a great start. It probably is the right thing for a high level 
summary on the wikipedia page, given that the reader is referred elsewhere for 
a more precise statement. The one thing I would add to it, even as a summary, 
is "(d) initial conditions".

* It doesn't account for how local naming preserves distinctions. That's why 
there's all this stuff about "index" in Section 9.1 "The Object-Capability 
Model". This logic needs to be stated to account for how (and how much) an 
object can come to know about other objects by interacting with them. Without 
this, one cannot precisely account for confused deputy issues. See for example 
previous e-lang discussions about "c-lists as sets" vs "c-lists as maps".

* It doesn't explain how new code enters the system. My attempt to state the 
issues here precisely, in my Chapter 10, is the least clear part of my thesis, 
and the one most needing a rewrite. However, without making these points, it's 
hard to say why existing memory safe encapsulated object languages like Java 
and Smalltalk are not object-cap languages.

* It doesn't say that an object is *only* able to (overtly) affect the world 
outside itself according to the references it holds, and is only able to be 
effected by the world outside itself according to those who hold references to it.



> (The rest of the article, which i hope you will all help me write,
> can cite systems and papers and compare the specific meaning of
> "object-capability" to the usage of "capability" in security theory
> and the usage of "capability" in practice.)

I think it's a great idea! Please do!

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM

More information about the cap-talk mailing list