@MISC{Drossopoulou_towardscapability, author = {Sophia Drossopoulou and James Noble}, title = {Towards Capability Policy Specification and Verification}, year = {} }
Abstract
The object-capability model is a de-facto industry standard widely adopted for the implementation of security policies for web-based software. Unfortunately, code written using capabilities tends to concentrate on the low-level mechanism rather than the high-level policy, and the parts implementing the policy tend to be tangled with the parts implementing the functionality. In this paper we argue that the policies followed by programs using object capabilities should be made explicit and written separately from the code implementing them. We also argue that the specification of such capability policies requires concepts that go beyond the features of current specification languages. Moreover, we argue that we need methodologies with which to prove that programs adhere to their capability policies as specified. To write policy specifications, we propose execution abstractions, which talk about various properties of a program's execution. We use execution abstractions to write the formal specification of five out of the six informal policies in the mint example, famous in the object-capability literature. In these specifications, the conclusions but also the premises may relate to the state before as well as after execution, the code may be existentially or universally quantified, and interpretation quantifies over all modules extending the current module. In the process of writing these specifications, we uncovered several different and plausible alternative meanings for the policies of the mint example, and also discovered some new policies not mentioned in the original papers. Finally, we demonstrate how we can prove that the example implemented in Java satisfies the capability policies. These proofs make extensive use of the guarantees provided by type system features such as final and private.