Object-capability model

From Wikipedia, the free encyclopedia
Computer security model

The object-capability model is a computer security model. A capability describes a transferable right to perform one (or more) operations on a given object. It is obtained by combining:

  • an unforgeable reference (in the sense of object references or protected pointers) that can be sent in messages, and
  • a message that specifies the operation to be performed.

The security model relies on not being able to forge references.

  • Objects can interact only by sending messages on references.
  • A reference can be obtained by:
  1. Initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
  2. Parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
  3. Endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
  4. Introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use.

In the object-capability model,all computation is performed following the above rules.
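The rules above are easier to see in code. The following is an added example, not code from the article: a mint/purse system written in object-capability style, the pattern used in the E-language literature (Miller, "Robust Composition"). The names makeMint, makePurse, sprout and deposit are illustrative choices for this demo, and the WeakMap doubles as the unforgeable "brand" that tells genuine purses from look-alikes.

```javascript
// Added example (not from the article): a mint/purse system in ocap style.
// All names are illustrative.

function makeMint() {
  // Endowment: every purse this mint creates closes over `balances`. It is
  // also the brand check: only objects the mint created have an entry.
  const balances = new WeakMap();

  function makePurse(initial) {
    const purse = Object.freeze({
      getBalance() { return balances.get(purse); },
      // Parenthood: the purse creates an empty purse and the caller receives
      // the only reference to it.
      sprout() { return makePurse(0); },
      // Introduction: the caller holds both this purse and `src`, and sends
      // the `src` reference inside the deposit message.
      deposit(amount, src) {
        if (!Number.isSafeInteger(amount) || amount < 0) throw new RangeError('bad amount');
        // Unforgeability: a look-alike object has no entry in `balances`.
        if (!balances.has(src)) throw new TypeError('not a purse of this mint');
        const available = balances.get(src);
        if (available < amount) throw new RangeError('insufficient funds');
        balances.set(src, available - amount);
        balances.set(purse, balances.get(purse) + amount);
      },
    });
    balances.set(purse, initial);
    return purse;
  }
  return Object.freeze({ makePurse });
}

const threw = fn => { try { fn(); return false; } catch { return true; } };

function scenario() {
  const mint = makeMint();
  const alice = mint.makePurse(100);  // initial condition: Alice starts holding a purse
  const bob = alice.sprout();         // parenthood: only Alice holds `bob` so far
  bob.deposit(30, alice);             // introduction: `bob` receives `alice` for this one transfer
  const fake = { getBalance: () => 1e9 };        // forged "purse": right shape, wrong origin
  const foreign = makeMint().makePurse(50);      // genuine purse, but of another mint
  return {
    alice: alice.getBalance(),                                 // 70
    bob: bob.getBalance(),                                     // 30
    fakeRejected: threw(() => bob.deposit(1, fake)),           // true
    foreignRejected: threw(() => bob.deposit(1, foreign)),     // true
    overdraftRejected: threw(() => alice.deposit(500, bob)),   // true
    // The interface is frozen, so a holder cannot swap in its own methods.
    frozen: Object.isFrozen(bob) && !Reflect.set(bob, 'getBalance', () => 0),
  };
}
```

Nothing in this program checks an identity: the right to move money out of a purse is exactly the possession of a reference to that purse, and a purse reference cannot be minted by anything other than the mint that created it.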

Advantages that motivateobject-oriented programming, such as encapsulation orinformation hiding,modular programming (modularity), andseparation of concerns, correspond to security goals such asleast privilege andprivilege separation in capability-based programming.[1][2]

The object-capability model was first proposed byJack Dennis and Earl C. Van Horn in 1966.[3]

Loopholes in object-oriented programming languages


Some object-based programming languages (e.g., JavaScript (criticism), Java, and C#) provide ways to access resources other than according to the rules above, including the following:

  • Direct assignment to the instance variables of an object in Java and C#.
  • Direct reflective programming (reflection) inspection of the metadata of an object in Java and C#.
  • The pervasive ability to import primitive modules, e.g., java.io.File, that enable external effects.

Such use of ambient authority (authority that code obtains simply by being loaded, rather than by being handed a reference) violates the conditions of the object-capability model. Caja and Joe-E are restricted variants of JavaScript and Java, respectively, that impose restrictions to eliminate these loopholes.
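Two of these loopholes can be demonstrated in ordinary JavaScript. The following is an added example, not code from the article or from Caja: a counter whose guard is bypassed by direct assignment to instance state, a prototype patch that shows how holding one instance grants power over instances the holder was never given, and the closure-based form that closes both holes. The counter classes and function names are constructed for this demo.

```javascript
// Added example (not from the article). Constructed counters; illustrative names.

// Loophole 1: public instance state. Anyone holding the object can write the
// field that the method was supposed to guard.
class LeakyCounter {
  constructor(limit) { this.count = 0; this.limit = limit; }
  increment() {
    if (this.count >= this.limit) throw new RangeError('limit reached');
    this.count += 1;
    return this.count;
  }
}

function bypassLeaky() {
  const c = new LeakyCounter(1);
  c.increment();        // the one permitted increment
  c.count = -1000;      // direct assignment to instance state: the guard is now meaningless
  return c.increment(); // -999, no error
}

// Loophole 2: a shared mutable prototype behaves like ambient authority.
// Holding a single instance is enough to change the behaviour of every other
// instance, including ones the holder was never given a reference to.
function hijackViaPrototype() {
  const mine = new LeakyCounter(5);
  const someoneElses = new LeakyCounter(5);
  const proto = Object.getPrototypeOf(mine);
  const original = proto.increment;
  proto.increment = function () { return 'hijacked'; };
  try {
    return someoneElses.increment(); // 'hijacked'
  } finally {
    proto.increment = original;      // restored so the rest of the demo is unaffected
  }
}

// Closure-based form: state is reachable only through the returned methods,
// the interface is frozen, and no shared prototype carries behaviour.
function makeCounter(limit) {
  let count = 0;
  return Object.freeze({
    increment() {
      if (count >= limit) throw new RangeError('limit reached');
      count += 1;
      return count;
    },
    read() { return count; },
  });
}

function hardened() {
  const c = makeCounter(1);
  c.increment();
  // Reflect.set reports the outcome instead of silently ignoring (sloppy mode)
  // or throwing (strict mode): the object is frozen and has no `count` field.
  const assigned = Reflect.set(c, 'count', -1000);            // false
  let second;
  try { c.increment(); second = 'allowed'; } catch (e) { second = e.constructor.name; }
  return { assigned, second, read: c.read(), keys: Object.getOwnPropertyNames(c).sort() };
}
```

The hardened counter still inherits from Object.prototype, a shared primordial that any code in the same realm can modify; a full object-capability environment such as Caja additionally freezes the primordials so they cannot serve as a shared mutable channel. The third loophole, importing modules with external effects, has the same shape in Node.js, where any module can call `require('fs')`; the ocap remedy is to pass the file-system authority in as a parameter rather than letting code reach for it.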

Advantages of object capabilities


Computer scientist E. Dean Tribble stated that in smart contracts, identity-based access control did not support dynamically changing permissions well, compared with the object-capability model. He likened the ocap model to giving a valet the key to a car without giving the valet ownership of the car.[4]

The structural properties of object capability systems favor modularity in code design and ensure reliable encapsulation in code implementation.

These structural properties facilitate the analysis of some security properties of an object-capability program oroperating system. Some of these, specifically information flow properties, can be analyzed at the level of object references and connectivity, independent of any knowledge or analysis of the code that determines the behavior of the objects. As a consequence, these security properties can be established and maintained in the presence of new objects that contain unknown and possibly malicious code.

These structural properties stem from the two rules governing access to existing objects:

1) An objectA can send a message toB only if objectA holds a reference toB.
2) An objectA can obtain a reference toC only if objectA receives a message containing a reference toC.

As a consequence of these two rules, an object can obtain a reference to another object only through a preexisting chain of references. In short, "Only connectivity begets connectivity."
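The claim that such properties can be checked from the reference graph alone, without reading the objects' code, can be made concrete with a small analysis. The following is an added example, not code from the article: it models a program's reference graph as a map from holder to the objects it holds, implements introduction, parenthood and endowment as graph edits that refuse anything the rules forbid, and computes both what an object can message now and an upper bound on what it could ever message. The graph, the object names A to F and the function names are constructed for this demo.

```javascript
// Added example (not from the article): reference-graph analysis of an ocap
// program. The sample graph and all names are constructed for this demo.

// holder -> Set of objects it holds references to
function makeGraph(edges) {
  const g = new Map();
  const ensure = n => { if (!g.has(n)) g.set(n, new Set()); return g.get(n); };
  for (const [from, to] of edges) { ensure(to); ensure(from).add(to); }
  return g;
}

// Every object can refer to itself; otherwise it must hold a reference.
const holds = (g, a, b) => a === b || (g.get(a)?.has(b) ?? false);

// Rule 1: A can send a message to B only if A holds a reference to B.
function canMessageNow(g, a) {
  return new Set(g.get(a) ?? []);
}

// Rule 2, worst case: any object holding both X and Y may introduce them, so
// the objects A could *ever* reach are its component in the undirected graph.
// None of the acquisition rules ever joins two components.
function mayEverMessage(g, a) {
  const undirected = new Map([...g.keys()].map(n => [n, new Set()]));
  for (const [from, tos] of g) {
    for (const to of tos) { undirected.get(from).add(to); undirected.get(to).add(from); }
  }
  const seen = new Set([a]);
  const queue = [a];
  while (queue.length) {
    const n = queue.shift();
    for (const m of undirected.get(n)) if (!seen.has(m)) { seen.add(m); queue.push(m); }
  }
  seen.delete(a);
  return seen;
}

// Introduction: `via` sends `to` a message carrying a reference to `target`.
function introduce(g, via, to, target) {
  if (!holds(g, via, to) || !holds(g, via, target)) {
    throw new Error(`${via} cannot introduce ${target} to ${to}: it holds no reference to both`);
  }
  g.get(to).add(target);
}

// Parenthood + endowment: `parent` creates `child`, born with a chosen subset
// of the parent's references; the parent gets the only reference to the child.
function create(g, parent, child, endowment = []) {
  if (g.has(child)) throw new Error(`${child} already exists`);
  for (const e of endowment) {
    if (!holds(g, parent, e)) throw new Error(`${parent} cannot endow ${child} with ${e}`);
  }
  g.set(child, new Set(endowment));
  g.get(parent).add(child);
}

const threw = fn => { try { fn(); return false; } catch { return true; } };

function scenario() {
  // Initial conditions: A holds B and C; D holds E; nothing links {A,B,C} to {D,E}.
  const g = makeGraph([['A', 'B'], ['A', 'C'], ['D', 'E']]);
  const out = {};
  out.bNow = [...canMessageNow(g, 'B')];                 // []      B holds nothing yet
  out.bEver = [...mayEverMessage(g, 'B')].sort();        // ['A','C']
  introduce(g, 'A', 'B', 'C');                           // A hands B a reference to C
  out.bNowAfter = [...canMessageNow(g, 'B')];            // ['C']
  out.forgedIntroduction = threw(() => introduce(g, 'B', 'A', 'C')); // B holds no A
  create(g, 'B', 'F', ['C']);                            // B creates F, endowed with C
  out.fEver = [...mayEverMessage(g, 'F')].sort();        // ['A','B','C']: still no D or E
  out.dEver = [...mayEverMessage(g, 'D')].sort();        // ['E']
  return out;
}
```

The bound computed by mayEverMessage holds whatever code the objects run, which is why it can be established before an untrusted object is loaded: objects born into or introduced within one component stay in it, and an object whose component does not contain a resource can never obtain it.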

Glossary of related terms

object-capability system
A computational system that implements principles described in this article.
object
An object has local state and behavior. An object in this sense is both asubject and anobject in the sense used in the access control literature.
reference
An unforgeable communications channel (protected pointer, opaque address) that unambiguously designates one object, and provides permission to send messages to that object.
message
What is sent on a reference. Depending on the system, messages may or may not be first-class objects.
request
An operation in which a message is sent on a reference. When the message is received, the receiver will have access to any references included in the message.
attenuation
A commondesign pattern in object-capability systems: given one reference of an object, create another reference for a proxy object with certain security restrictions, such as only permitting read-only access or allowing revocation. The proxy object performs security checks on messages that it receives and passes on any that are allowed.Deep attenuation refers to the case where the same attenuation is applied transitively to any objects obtained via the original attenuated object, typically by use of amembrane.

Implementations


Almost all historical systems that have been described as capability systems can be modeled as object-capability systems. However, some uses of the term capability are inconsistent with the model: POSIX capabilities, for example, are per-process privilege bits that partition the superuser's authority, not unforgeable, transferable references to particular objects.

KeyKOS, EROS, Integrity (operating system; inclusion disputed), CapROS, Coyotos, seL4, OKL4 and Fiasco.OC are secure operating systems that implement the object-capability model.

Languages that implement object capabilities


See also


References

  1. Miller, Mark Samuel (May 2006). Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. erights.org (Report). Baltimore, Maryland. Retrieved 28 July 2013.
  2. Miller, Mark S.; Yee, Ka-Ping; Shapiro, Jonathan S. (2003). Capability Myths Demolished (PDF) (Report). Technical Report SRL2003-02. Systems Research Lab, Johns Hopkins University.
  3. [1], citing: J.B. Dennis, E.C. Van Horn. "Programming Semantics for Multiprogrammed Computations." Communications of the ACM, 9(3):143–155, March 1966.
  4. Lutsch, Felix (26 August 2019). "Agoric Q&A with Dean Tribble". Chorus One.
  5. Lieberman, Henry (June 1981). A Preview of Act 1 (MIT AI memo 625) (Report). MIT.
  6. Lieberman, Henry (June 1981). Thinking About Lots of Things at Once without Getting Confused: Parallelism in Act 1 (MIT AI memo 626) (Report). MIT.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Object-capability_model&oldid=1310378429"
