Capabilities as Alias Control: Secure Cooperation in Dynamically Extensible Systems

Secure cooperation is the problem of protecting mutually suspicious code units within the same execution environment from their potentially malicious peers. A statically enforceable capability type system is proposed for the JVM bytecode language to provide fine-grained access control of shared resources among peer code units. The design of the type system is inspired by recent advances in alias control type systems for object-oriented programming languages. The exercise of access rights and the propagation of capabilities are given a uniform interpretation as alias creation events. Each capability type assigns to a reference a dataflow trajectory, prescribing the set of aliases that is allowed to be created from the reference. An orthogonal and complementary type system for controlling object creation and downcasting is also designed to avoid a class of capability spoofing attacks. The combined type system successfully addresses a number of classical protection problems recast in a programming language context. This work therefore demonstrates the need and the feasibility of a languagebased approach to enforce application-level security among peer code units.