In an object-capability language, all program state is contained in objects that cannot be read or written without a reference, which serves as an unforgeable capability. All external resources are also represented as objects. Objects encapsulate their internal state, providing reference holders access only through prescribed interfaces \[[Mettler 2010A|AA. Bibliography#Mettler 2010A]\].

Because of Java's {{==}} operator, which tests pointer equality, every Java object has an unforgeable identity in addition to its contents. This unforgeable identity allows use of a reference to an object as a token, serving as an unforgeable proof of authorization to perform some action \[[Mettler 2010B|AA. Bibliography#Mettler 2010B]\].

Authority is embodied by object references, which serve as capabilities. Authority refers to any effects that running code can have other than to perform side-effect-free computations. Authority includes not only effects on external resources such as files or network sockets, but also on mutable data structures that are shared with other parts of the program \[[Mettler 2010B|AA. Bibliography#Mettler 2010B]\].
References to objects whose methods can perform sensitive operations can serve as capabilities that enable the holder to perform those operations (or to request that the object perform those operations on behalf of the holder). Consequently, such references must themselves be treated as sensitive data, and must not be leaked to untrusted code.
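The following is an added example, not code from the original page or from the cited papers. It shows the two ideas above in Java: an object reference whose methods perform a sensitive operation (here a constructed {{AuditLog}}) is itself the capability, so untrusted code is handed only a narrow forwarder, and the trusted owner keeps the ability to revoke that forwarder. The class and method names ({{AuditLog}}, {{Appender}}, {{Caretaker}}) are assumptions for the example.

```java
import java.util.Objects;

// Constructed example: the object whose method performs the sensitive
// operation. A reference to it is the capability to perform that operation.
final class AuditLog {
    private final StringBuilder entries = new StringBuilder();

    void append(String line) {               // the sensitive operation
        entries.append(line).append('\n');
    }

    String contents() {
        return entries.toString();
    }
}

// The narrow interface that untrusted code is allowed to see.
interface Appender {
    void append(String line);
}

// Revocable forwarder ("caretaker"): whoever holds proxy() can append, but
// never sees the AuditLog reference itself, and the creator can cut the
// connection at any time by calling revoke().
final class Caretaker {
    private volatile AuditLog target;
    private final Appender proxy;

    Caretaker(AuditLog target) {
        this.target = Objects.requireNonNull(target);
        this.proxy = line -> {
            AuditLog t = this.target;        // single read; null once revoked
            if (t == null) {
                throw new IllegalStateException("capability revoked");
            }
            t.append(line);
        };
    }

    Appender proxy() {
        return proxy;
    }

    void revoke() {
        target = null;
    }
}

public class CapabilityDemo {
    // Untrusted component receives only the forwarder; it cannot recover the
    // AuditLog from it, and it cannot mint a forwarder of its own.
    static void runUntrusted(Appender a) {
        a.append("plugin started");
    }

    public static void main(String[] args) {
        AuditLog log = new AuditLog();
        Caretaker caretaker = new Caretaker(log);
        Appender forPlugin = caretaker.proxy();

        runUntrusted(forPlugin);

        // The trusted owner later withdraws the authority.
        caretaker.revoke();
        try {
            forPlugin.append("after revoke");
        } catch (IllegalStateException e) {
            System.out.println("revoked as expected: " + e.getMessage());
        }

        // Identity, not contents, is what makes a reference a token: two
        // caretakers for the same log are distinct capabilities under ==.
        Appender other = new Caretaker(log).proxy();
        System.out.println("same capability? " + (forPlugin == other));
        System.out.print(log.contents());
    }
}
```

The design point is that {{AuditLog}} is never passed outside trusted code; only the {{Appender}} proxy travels, and the proxy carries exactly one authority (append) that the owner can withdraw. Comparing proxies with {{==}} relies on the unforgeable identity the text describes, so a caller cannot fabricate a reference that compares equal to one it was never given.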
One surprising source of leaked capabilities and leaked data is inner classes, which have access to all the fields of their enclosing class. Java bytecodes lack built-in support for inner classes; consequently, inner classes are compiled into ordinary classes with stylized names, such as OuterClass$InnerClass. Because inner classes must be able to access the private fields of their enclosing class, the private access control for those fields is changed to package access in the bytecode. Consequently, handcrafted bytecode can access these nominally private fields (see "Security Aspects in Java Bytecode Engineering" \[[Schoenefeld 04|AA. Bibliography#Schoenefeld 04]\] for an example).
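As an added illustration (not from the original page), the following contrasts an inner class that captures its whole enclosing instance with a static nested class that is handed only the single reference it needs. The {{Vault}}, {{LeakyLogger}} and {{ScopedLogger}} names and the field contents are constructed for the example. The static nested class is still compiled as a separate class named {{Vault$ScopedLogger}}, but it carries no hidden reference to the enclosing instance, so the sensitive field is simply not reachable from it.

```java
import java.util.function.Consumer;

final class Vault {
    private final String masterKey;          // sensitive field (constructed value)
    private final StringBuilder log = new StringBuilder();

    Vault(String masterKey) {
        this.masterKey = masterKey;
    }

    // Inner (non-static) class: the compiler gives it a hidden reference to
    // the enclosing Vault, so every field of Vault, including masterKey, is
    // reachable from here even though the class only needs to write to log.
    final class LeakyLogger implements Consumer<String> {
        public void accept(String msg) {
            log.append(msg).append('\n');
            // masterKey is also in scope here; nothing in the language
            // stops a later edit from using it or returning it.
        }
    }

    // Static nested class: no enclosing instance. It receives exactly one
    // object reference (the log) and has no path to masterKey at all.
    static final class ScopedLogger implements Consumer<String> {
        private final StringBuilder sink;

        ScopedLogger(StringBuilder sink) {
            this.sink = sink;
        }

        public void accept(String msg) {
            sink.append(msg).append('\n');
        }
    }

    Consumer<String> leakyLogger() {
        return new LeakyLogger();
    }

    Consumer<String> scopedLogger() {
        return new ScopedLogger(log);
    }

    String log() {
        return log.toString();
    }
}

public class NestedClassDemo {
    public static void main(String[] args) {
        Vault v = new Vault("constructed-example-key");
        Consumer<String> a = v.leakyLogger();
        Consumer<String> b = v.scopedLogger();
        a.accept("via inner class");
        b.accept("via static nested class");
        System.out.print(v.log());

        // Both callbacks are compiled to ordinary classes with stylized names;
        // compare them with 'javap -p Vault$LeakyLogger Vault$ScopedLogger'.
        System.out.println(a.getClass().getName());
        System.out.println(b.getClass().getName());
    }
}
```

When a callback or listener must be handed to less trusted code, prefer the {{ScopedLogger}} shape: pass the one reference the nested object actually needs rather than letting it capture the enclosing instance, and keep sensitive fields out of classes that also define inner classes.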
Rules regarding capabilities include:
{contentbylabel:showLabels=false|maxResults=99|label=+capability,-void|showSpace=false|sort=title|space=@self|cql=label = "capability" and label != "void" and space = currentSpace()}