The object-capability model is a computer security model. A capability describes a transferable right to perform one (or more) operations on a given object. It can be obtained by the following combination:
* an unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages.
* a message that specifies the operation to be performed.

The security model relies on not being able to forge references.
* Objects can interact only by sending messages on references.
* A reference can be obtained by:
*# initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
*# parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
*# endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
*# introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.

In the object-capability model, ''all'' computation is performed following the above rules. Advantages that motivate object-oriented programming, such as encapsulation or information hiding, modularity, and separation of concerns, correspond to security goals such as least privilege and privilege separation in capability-based programming.

The object-capability model was first proposed by Jack Dennis and Earl C. Van Horn in 1966.〔J.B. Dennis, E.C. Van Horn. "Programming Semantics for Multiprogrammed Computations." Communications of the ACM, 9(3):143–155, March 1966.〕

==Loopholes in Object-Oriented Programming Languages==
Some object-based programming languages (e.g. JavaScript, Java, and C#) provide ways to access resources other than according to the rules above, including the following:
* direct assignment to the instance variables of an object in Java and C#
* direct reflexive inspection of the meta-data of an object in Java and C#
* the pervasive ability to import primitive modules, e.g. java.io.File, that enable external effects.

Such use of undeniable authority effectively defeats the security benefits of the object-capability model. Caja and Joe-E are variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes.
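The following is an added example, not part of the article, written in plain JavaScript: it walks through the four ways a reference may be obtained (initial conditions, parenthood, endowment, introduction) with closures keeping references unforgeable, and places beside it a leaky variant that exposes its authority as a public field, the analogue of the direct field access loophole described above. The in-memory file store, the function names and the file names are all constructed for illustration.

```javascript
// Constructed in-memory "file store": the root authority of this small world,
// standing in for ambient authority such as java.io.File.
function makeFileStore() {
  const files = new Map();
  return {
    write: (name, text) => { files.set(name, (files.get(name) || "") + text); },
    read: (name) => files.get(name) || "",
  };
}

// Attenuation: a capability that can only append to one named file. Closures hide
// `store` and `name`, so the holder cannot forge or recover the full store.
function makeAppendOnly(store, name) {
  return { append: (text) => store.write(name, text) };
}
// Parenthood + endowment: the creator decides which capability the logger is born with.
function makeLogger(appendCap) {
  return { log: (msg) => appendCap.append(`[log] ${msg}\n`) };
}

// Introduction: the service receives a logger reference in a message and retains it;
// it never receives the store itself.
function makeService() {
  let logger = null;
  return {
    setLogger: (l) => { logger = l; },
    doWork: (job) => { if (logger) logger.log(`did ${job}`); return job.toUpperCase(); },
  };
}

// Loophole analogue: exposing the authority as a public field lets any holder of this
// logger reach the whole store, the same defeat that direct field access causes in Java and C#.
function makeLeakyLogger(store, name) {
  return { store, log: (msg) => store.write(name, msg) };
}

function runDemo() {
  const store = makeFileStore();                                     // initial conditions
  store.write("secret.txt", "s3cret");
  const service = makeService();                                     // parenthood
  service.setLogger(makeLogger(makeAppendOnly(store, "audit.log"))); // endowment + introduction
  service.doWork("job1");
  const leaky = makeLeakyLogger(store, "audit.log");
  return {
    audit: store.read("audit.log"),                              // "[log] did job1\n"
    capabilityLeaksStore: "store" in makeAppendOnly(store, "x"), // false: no path back to the store
    secretViaLeak: leaky.store.read("secret.txt"),               // "s3cret": the public field leaks full authority
  };
}
```

The service can only ever write through the chain it was handed, while the leaky logger hands every holder the whole store; in Java or C# the same leak occurs whenever a field holding authority is reachable by direct access or reflection.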