cf Ponylang for an implementation of this model: https://tutorial.ponylang.io/capabilities/
Pony also has capabilities on external resources. For example, you need a capability to open a socket.
This seems very similar to Rust’s borrowing model, and both of these are excellent!
However, capabilities with regards to variables is only one part of the picture.
I very much want my programs to be capability safe in terms of external resources too: the filesystem, exec, network access, etc. Functions and modules which require access to these would need to be provided them in order to utilize it.
Monte implements this and has interesting demonstrations like https://monte.readthedocs.io/en/latest/taste.html#cooperation-without-vulerability which can safely eval() code from the internet. It doesn’t prevent an abusive user from using all the RAM or all the CPU, but it is impossible for the abusive user to read RAM, write to the FS, send spam emails, etc.
EDIT 1 Additionally, capability safety doesn’t even have to apply to a single program! TahoeLAFS is a capability-safe networked filesystem.
I was going to write a rant about how bad this page is, but it’s actually gotten a bit of a cleanup sometime in the past few months. Certainly, it’s no longer suggested that the page be merged with the one on RBAC, which is progress. Instead, I’m going to pick one thing missing from this page and talk about that.
The biggest distinction between object-capability models and other capability models is that an object has rights. This is so intertwined with the history of object-capability discipline that the most well-known ocap language, E, put “rights” in their URL, erights.org.
An object has a right to keep its closure of object references, its own capabilities, private from other objects. This right to privacy means that an object communicates only by passing messages, and that objects appear “unityped” or otherwise common since they all share a single unified messaging API. We can actually enumerate a series of corresponding rights:
Specific to Monte (which I work on) and other members of the E family are some additional rights:
Objects have rights because objects do not have to trust each other in order to compute, only pass messages between each other.
There is an informative series or articles from one of the Midori authors which includes object-capabilities as provided/defined/enforced by the kernel, see Midori: Objects as Secure Capabilities.
Joe’s series is awesome. Highly recommended.
Google’s new operating system, Fuchsia, is self-described as a “modular, capability-based system”, for another example of modern systems that are organized along these lines.