
arxiv: 1907.07154 · v1 · pith:AW2URSCHnew · submitted 2019-07-16 · 💻 cs.SE · cs.PL

Object-Capability as a Means of Permission and Authority in Software Systems

Pith reviewed 2026-05-24 20:38 UTC · model grok-4.3

classification 💻 cs.SE cs.PL
keywords: object-capability, software security, access rights, permission model, authority in software, security review, object interactions

The pith

Object capabilities increase software security by encoding access rights in individual objects but remain uncommon.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper reviews the object-capability model, which encodes access rights directly in objects to restrict how they interact with each other. It surveys formalizations and implementations developed since the model's introduction in 2013. The review finds that these approaches can raise the security level of software systems. A sympathetic reader would care because the model offers a concrete alternative to conventional permission and authority mechanisms that often allow broader access than intended.

Core claim

The object-capability model consists in encoding access rights in individual objects to restrict their interactions with other objects. Since its introduction in 2013, different approaches to object-capability have been formalized and implemented. The state-of-the-art research shows that object capabilities can help in increasing the security of software, although the concept is not widespread.

What carries the argument

Object-capability model: encoding access rights in individual objects to restrict interactions with other objects.
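An added illustration of the model described above, written for this page and not taken from the paper or its listings: in plain JavaScript, authority travels only with object references, so a component can use exactly the objects it was handed. The `makeFile`, `makeReadOnly`, `makeRevocable` and `consumer` names are assumptions of this example; it shows two standard object-capability patterns, attenuation and revocation. JavaScript is not capability-safe by itself (it has ambient authority and reflection), so this demonstrates the pattern rather than an enforced guarantee.

```javascript
// Added example, not from the paper: the object-capability model in plain JavaScript.
// Authority travels only with object references, so a component can use exactly the
// objects it was handed and nothing else. Two standard ocap patterns are shown:
// attenuation (a narrower facade) and revocation (a forwarder that can be cut off).

// A constructed "file": the full capability carries both read and write rights.
function makeFile(initial) {
  let contents = initial;
  return Object.freeze({
    read: () => contents,
    write: (s) => { contents = s; },
  });
}

// Attenuation: a read-only view. No method on it reaches `write`, so a holder of
// the view has strictly less authority than a holder of the file itself.
function makeReadOnly(file) {
  return Object.freeze({ read: () => file.read() });
}

// Revocation: a caretaker that forwards to its target until `revoke` is called.
// The proxy and the revoker are distinct capabilities and can go to different parties.
function makeRevocable(target) {
  let current = target;
  const proxy = Object.freeze({
    read: () => {
      if (current === null) throw new Error('revoked');
      return current.read();
    },
  });
  return { proxy, revoke: () => { current = null; } };
}

// A consumer whose authority is exactly the reference it receives.
function consumer(cap) {
  return { canWrite: typeof cap.write === 'function', seen: cap.read() };
}

function demo() {
  const file = makeFile('v1');
  const { proxy, revoke } = makeRevocable(makeReadOnly(file));
  const before = consumer(proxy);        // read works; write is simply absent
  file.write('v2');                      // holder of the full capability updates it
  const afterWrite = proxy.read();       // the attenuated view sees the new contents
  revoke();                              // cut the access path; the proxy is now useless
  let afterRevoke;
  try { afterRevoke = proxy.read(); } catch (e) { afterRevoke = e.message; }
  return { before, afterWrite, afterRevoke };
}
```

The consumer never sees `file` or `revoke`, so its reachable authority is the read-only, revocable path and nothing more.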

If this is right

  • Software systems can achieve higher security by restricting object interactions through encoded access rights.
  • Formalized approaches developed after 2013 demonstrate practical implementations of the model.
  • The model serves as an explicit means for managing permission and authority in object-oriented designs.
  • Limited spread indicates that barriers to adoption persist despite the security potential.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The model could be compared directly to capability-based security in operating systems for transferable lessons on enforcement.
  • Empirical measurements of attack surface reduction in systems that adopt object capabilities would quantify the claimed benefits.
  • Integration with existing languages or frameworks might lower the barriers that have kept adoption low.

Load-bearing premise

The state-of-the-art research reviewed since 2013 accurately represents the field and provides evidence supporting both the security benefits and the assessment of limited adoption.

What would settle it

A broad survey of current production software systems that finds widespread adoption of object-capability mechanisms since 2013 would falsify the limited-spread conclusion.

Figures

Figures reproduced from arXiv: 1907.07154 by Jörn Koepe.

Figure 1: Object-capabilities from Listing 1. Edges represent (caption truncated in source)
Figure 2: Access path from Listing 2. Solid lines indicate (caption truncated in source)
read the original abstract

The object-capability model is a security measure that consists in encoding access rights in individual objects to restrict their interactions with other objects. Since its introduction in 2013, different approaches to object-capability have been formalized and implemented. In this paper, we present the object-capability model, and present and discuss the state-of-the-art research in the area. In the end, we conclude that object capabilities can help in increasing the security of software, although this concept is not widespread.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 0 minor

Summary. The paper presents the object-capability model as a security mechanism that encodes access rights within individual objects to restrict their interactions. It reviews state-of-the-art research since the model's claimed introduction in 2013, discusses various formalizations and implementations, and concludes that object capabilities can increase software security although the approach remains not widely adopted.

Significance. A sound and comprehensive survey could usefully synthesize evidence on security benefits of capability-based designs and document adoption barriers. The manuscript supplies none of the standard survey apparatus (selection protocol, search strings, inclusion criteria, or explicit mapping from reviewed works to the security and adoption claims), so its potential contribution cannot be evaluated from the provided text.

major comments (3)
  1. [Abstract] Abstract: the claim that the object-capability model 'was introduced in 2013' is factually incorrect. Foundational work (Miller 2006 dissertation, E language, earlier capability literature) predates the stated cutoff by years. Because the review is explicitly limited to 'state-of-the-art research since 2013,' this dating error directly undermines whether the selected corpus can support the central claims of security benefits and limited adoption.
  2. [(entire manuscript; no methods section present)] No section describes literature-search method, databases queried, search terms, inclusion/exclusion criteria, or quality assessment. Without these details the reader cannot determine whether the reviewed papers constitute a representative sample or whether the security-benefit and adoption conclusions rest on systematic evidence or on selective citation.
  3. [Abstract / Conclusion] The conclusion that 'object capabilities can help in increasing the security of software' is asserted without citing any concrete result, metric, or comparative evaluation from the reviewed papers. The abstract supplies no evidence table, summary of findings, or mapping from individual works to the claimed benefits.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the detailed and constructive comments. We agree that the manuscript requires corrections for factual accuracy on the model's history, addition of a methods section for transparency, and stronger linkage of claims to specific evidence from the reviewed works. We will incorporate revisions to address all points.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the claim that the object-capability model 'was introduced in 2013' is factually incorrect. Foundational work (Miller 2006 dissertation, E language, earlier capability literature) predates the stated cutoff by years. Because the review is explicitly limited to 'state-of-the-art research since 2013,' this dating error directly undermines whether the selected corpus can support the central claims of security benefits and limited adoption.

    Authors: We agree the dating is incorrect. The object-capability model has earlier foundations, including Miller's 2006 dissertation and prior capability literature. The 2013 reference was an imprecise attempt to bound the survey to recent work but misrepresents the model's origins. In revision we will correct the abstract and introduction to accurately describe the historical context while retaining the focus on post-2013 developments; the corpus itself remains unchanged. revision: yes

  2. Referee: [(entire manuscript; no methods section present)] No section describes literature-search method, databases queried, search terms, inclusion/exclusion criteria, or quality assessment. Without these details the reader cannot determine whether the reviewed papers constitute a representative sample or whether the security-benefit and adoption conclusions rest on systematic evidence or on selective citation.

    Authors: The manuscript is a narrative review and therefore lacks a formal methods section. To remedy this we will add a new 'Review Methodology' section specifying the databases (ACM DL, IEEE Xplore, Google Scholar), search terms (e.g., 'object capability' AND security), inclusion criteria (peer-reviewed works 2013 onward on formalizations or implementations), exclusion criteria, and selection process. This will make the sample selection transparent and allow evaluation of representativeness. revision: yes

  3. Referee: [Abstract / Conclusion] The conclusion that 'object capabilities can help in increasing the security of software' is asserted without citing any concrete result, metric, or comparative evaluation from the reviewed papers. The abstract supplies no evidence table, summary of findings, or mapping from individual works to the claimed benefits.

    Authors: We concur that the security-benefit claim is stated without direct citations or mappings. In the revised version we will update the abstract and conclusion to reference specific results from the surveyed papers (e.g., formal safety proofs or empirical reductions in attack surface) and add a summary table that maps each reviewed work to its reported security outcomes and adoption observations, thereby grounding the conclusions in the reviewed evidence. revision: yes

Circularity Check

0 steps flagged

No circularity in literature survey

full rationale

The paper is a literature survey with no derivations, equations, fitted parameters, predictions, or self-defined quantities. The central claim rests on external reviewed literature rather than any internal reduction by construction. No self-citation load-bearing steps, uniqueness theorems, or ansatz smuggling are present. The noted date discrepancy in the abstract is a factual issue outside the circularity criteria.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper is a survey and introduces no new free parameters, axioms, or invented entities.



Reference graph

Works this paper leans on

20 extracted references · 20 canonical work pages

  1. Dave Clarke, Tobias Wrigstad, Johan Östlund, and Einar Broch Johnsen. 2008. Minimal Ownership for Active Objects. In Programming Languages and Systems, G. Ramalingam (Ed.). Vol. 5356. Springer Berlin Heidelberg, Berlin, Heidelberg, 139–154. https://doi.org/10.1007/978-3-540-89330-1_11

  2. Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny capabilities for safe, fast actors. In Proceedings of the 5th International Workshop on Programming Based on Actors, Agents, and Decentralized Control (AGERE! 2015). ACM Press, Pittsburgh, PA, USA, 1–12. https://doi.org/10.1145/2824815.2824816

  3. Dominique Devriese, Lars Birkedal, and Frank Piessens. 2016. Reasoning about Object Capabilities with Logical Relations and Effect Parametricity. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, Saarbrücken, 147–162. https://doi.org/10.1109/EuroSP.2016.22

  4. Sophia Drossopoulou and James Noble. 2013. The need for capability policies. In Proceedings of the 15th Workshop on Formal Techniques for Java-like Programs (FTfJP '13). ACM Press, Montpellier, France, 1–7. https://doi.org/10.1145/2489804.2489811

  5. Sophia Drossopoulou and James Noble. 2014. How to Break the Bank: Semantics of Capability Policies. In Integrated Formal Methods, Elvira Albert and Emil Sekerinski (Eds.). Vol. 8739. Springer International Publishing, Cham, 18–35. https://doi.org/10.1007/978-3-319-10181-1_2

  6. Sophia Drossopoulou, James Noble, and Mark S. Miller. 2015. Swapsies on the Internet: First Steps Towards Reasoning About Risk and Trust in an Open World. In Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security (PLAS '15). ACM, New York, NY, USA, 2–15. https://doi.org/10.1145/2786558.2786564

  7. Sophia Drossopoulou, James Noble, Mark S. Miller, and Toby Murray. 2015. Reasoning about Risk and Trust in an Open World. (2015), 34

  8. Sophia Drossopoulou, James Noble, Mark S. Miller, and Toby Murray. 2016. Permission and Authority Revisited towards a formalisation. In Proceedings of the 18th Workshop on Formal Techniques for Java-like Programs (FTfJP '16). ACM Press, Rome, Italy, 1–6. https://doi.org/10.1145/2955811.2955821

  9. Philipp Haller and Martin Odersky. 2010. Capabilities for Uniqueness and Borrowing. In ECOOP 2010 – Object-Oriented Programming (Lecture Notes in Computer Science), Theo D'Hondt (Ed.). Springer Berlin Heidelberg, 354–378

  10. Sergio Maffeis, John C. Mitchell, and Ankur Taly. 2010. Object Capabilities and Isolation of Untrusted Web Applications. In 2010 IEEE Symposium on Security and Privacy. IEEE, Oakland, CA, USA, 125–140. https://doi.org/10.1109/SP.2010.16

  11. Darya Melicher. 2018. Controlling Module Authority via Programming Language Design. (2018), 24

  12. Darya Melicher, Yangqingwei Shi, Alex Potanin, and Jonathan Aldrich. 2017. A Capability-Based Module System for Authority Control. In 31st European Conference on Object-Oriented Programming (ECOOP 2017) (Leibniz International Proceedings in Informatics (LIPIcs)), Peter Müller (Ed.), Vol. 74. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl...

  13. Mark Samuel Miller. 2006. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. PhD Thesis. Johns Hopkins University, Baltimore, Maryland, USA

  14. Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro. 2003. Capability Myths Demolished. (2003), 15

  15. Toby Murray. 2010. Analysing the Security Properties of Object-Capability Patterns. (2010), 239

  16. V. Rajani, D. Garg, and T. Rezk. 2016. On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks. In 2016 IEEE 29th Computer Security Foundations Symposium (CSF). 150–163. https://doi.org/10.1109/CSF.2016.18

  17. Dustin Rhodes, Tim Disney, and Cormac Flanagan. 2014. Dynamic Detection of Object Capability Violations Through Model Checking. In Proceedings of the 10th ACM Symposium on Dynamic Languages (DLS '14). ACM, New York, NY, USA, 103–112. https://doi.org/10.1145/2661088.2661099

  18. David Swasey, Deepak Garg, and Derek Dreyer. 2017. Robust and Compositional Verification of Object Capability Patterns. Proc. ACM Program. Lang. 1, OOPSLA (Oct. 2017), 89:1–89:26. https://doi.org/10.1145/3133913