Why not object capability languages?
a year ago
- #Programming Languages
- #Supply Chain Attacks
- #Security
- Supply chain attacks are increasing due to deep dependency chains in software.
- Object capability languages propose sandboxing with opaque objects (capabilities) to limit actions.
- Capabilities are already used in handles, file descriptors, and JWT tokens but not within individual programs.
- Challenges include defining threat models, preventing memory tampering, and reusing existing code.
- Java's Joe-E subset demonstrates the radical changes needed for pure capability programming.
- The 'God Object' problem arises because main() ends up holding, and having to hand out, all ambient authority.
- Java's SecurityManager offered a non-pure capability system but was deprecated due to complexity and lack of use.
- Spectre attacks complicate in-process sandboxing by letting sandboxed code read memory it was never granted.
- Chrome's Mojo system exemplifies a real-world object capability system with inter-process communication.
- Hardware isolation and memory protection keys (MPKs) can reduce overhead but require careful implementation.
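The capability-versus-ambient-authority point in the bullets above (file descriptors as capabilities, main() as the one holder of ambient authority, attenuation to a read-only view), as an added Python example that is not from the article or any project it mentions. It assumes a POSIX system where `os.open` supports `dir_fd`, and builds its own scratch directory.

```python
import os
import tempfile

def _single_component(name):
    # A capability names one entry in its directory; '..', '/' or NUL would let the holder escape it.
    if name in ("", ".", "..") or "/" in name or "\0" in name:
        raise ValueError(f"not a plain file name: {name!r}")

class DirCap:
    """Capability for one directory: an O_DIRECTORY fd plus a writable flag (constructed example)."""
    def __init__(self, dirfd, writable):
        self._fd, self._writable = dirfd, writable

    def read_text(self, name):
        _single_component(name)
        with os.fdopen(os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=self._fd)) as f:
            return f.read()

    def write_text(self, name, text):
        if not self._writable:
            raise PermissionError("capability was attenuated to read-only")
        _single_component(name)
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        with os.fdopen(os.open(name, flags, 0o600, dir_fd=self._fd), "w") as f:
            f.write(text)

    def read_only(self):
        # Attenuation: a new capability to the same directory with write authority removed.
        return DirCap(self._fd, writable=False)

def word_count(cap, name):
    # The component gets only a DirCap and no ambient authority, so a compromised dependency here is bounded by it.
    return len(cap.read_text(name).split())

def main():
    """The 'God Object': the one place that holds ambient authority (real filesystem paths)."""
    root = tempfile.mkdtemp()  # constructed scratch directory for the demo
    root_cap = DirCap(os.open(root, os.O_RDONLY | os.O_DIRECTORY), writable=True)
    root_cap.write_text("notes.txt", "alpha beta gamma")
    public_ro = root_cap.read_only()  # hand components the weakest capability that suffices
    results = {"words": word_count(public_ro, "notes.txt")}
    try:
        public_ro.write_text("x.txt", "hi")
    except PermissionError:
        results["write"] = "denied"
    try:
        public_ro.read_text("../notes.txt")
    except ValueError:
        results["escape"] = "denied"
    return results
```

Run `main()` to see the attenuated capability read the file, refuse the write, and reject the path that tries to walk out of the directory.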