Object-capability model

The object-capability model is a computer security model. A capability describes a transferable right to perform one or more operations on a given object. A capability is realized by the combination of:

  • An unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages.
  • A message that specifies the operation to be performed.

The security model relies on references being unforgeable.

  • Objects can interact only by sending messages on references.
  • A reference can be obtained by:
    1. Initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
    2. Parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
    3. Endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
    4. Introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.

In the object-capability model, all computation is performed following the above rules.
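The four rules above, as an added illustration in plain Python that is not part of the article: a Manager starts out holding a Log (initial conditions), creates a Worker (parenthood) endowed with the full Log and an Auditor endowed only with a read-only facet (endowment), then introduces the two (introduction). Python is not itself capability-safe (module globals and introspection such as a bound method's `__self__` can recover what a facet hides), so the discipline here holds only by convention; all class and method names are constructed for the example.

```python
class Log:  # protected resource: holding a reference to it is the authority to use it
    def __init__(self):
        self._entries = []
    def append(self, text):
        self._entries.append(text)
    def read(self):
        return list(self._entries)

class ReadOnlyLog:  # attenuated facet: forwards read() only, append() is not reachable through it
    def __init__(self, log):
        self._read = log.read
    def read(self):
        return self._read()

class Auditor:
    def __init__(self, view):   # endowment: the read-only facet, nothing more
        self._view = view
    def report(self):
        return self._view.read()
    def can_write(self):
        return hasattr(self._view, "append")

class Worker:
    def __init__(self, log):    # endowment: the full Log
        self._log, self._auditor = log, None
    def meet(self, auditor):    # introduction: retain a reference received in a message
        self._auditor = auditor
    def run(self, job):
        self._log.append(f"ran {job}")
        return self._auditor.report() if self._auditor else []

class Manager:
    def __init__(self, log):    # initial conditions: starts out holding the Log
        self._log, self._worker, self._auditor = log, None, None
    def hire(self):             # parenthood: Manager receives the only reference to the new Worker
        self._worker = Worker(self._log)
        return self._worker
    def appoint_auditor(self):  # endowment with a subset of the Manager's authority
        self._auditor = Auditor(ReadOnlyLog(self._log))
        return self._auditor
    def introduce(self):        # only the Manager holds both references, so only it can connect them
        self._worker.meet(self._auditor)

def demo():
    manager = Manager(Log())    # constructed sample world
    worker, auditor = manager.hire(), manager.appoint_auditor()
    manager.introduce()
    seen_by_worker = worker.run("backup")
    return {"auditor_view": auditor.report(), "auditor_can_write": auditor.can_write(),
            "worker_sees_via_auditor": seen_by_worker}
```

Nothing in the example reaches the Log except through a reference it was handed; the Auditor can observe every entry but has no path to `append`, which is the least-privilege property the model is after.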

Advantages that motivate object-oriented programming, such as encapsulation or information hiding, modularity, and separation of concerns, correspond to security goals such as least privilege and privilege separation in capability-based programming.[1][2]

The object-capability model was first proposed by Jack Dennis and Earl C. Van Horn in 1966.[3]

  1. ^ Miller, Mark Samuel (May 2006). "Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control". erights.org. Baltimore, Maryland. Retrieved 28 July 2013.
  2. ^ Mark S. Miller; Ka-Ping Yee; Jonathan S. Shapiro (2003). "Capability Myths Demolished" (PDF). Technical Report SRL2003-02. Systems Research Lab, Johns Hopkins University.
  3. ^ [1] citing: J.B. Dennis, E.C. Van Horn. “Programming Semantics for Multiprogrammed Computations.” Communications of the ACM, 9(3):143–155, March 1966.