SPLASH 2017
Sun 22 - Fri 27 October 2017 Vancouver, Canada
Tue 24 Oct 2017 11:30 - 12:00 at Cavendish - Session 1

The principle of least authority states that each component of a software system must have only the authority necessary for its execution and nothing else. This principle is a cornerstone of the security of software applications, but it is difficult to enforce in practice. Current programming languages, as well as non-linguistic approaches, do not provide adequate control over the authority of untrusted modules. For example, Java, one of the most popular programming languages, provides two mechanisms to control module authority—sandboxes and the Java security manager—both of which are complicated to use and can be subverted. To fill this gap, we designed and implemented a capability-based module system that facilitates controlling the permissions of software modules. Furthermore, we are currently working on augmenting our module system with an effects system to make our design authority-safe. Our approach simplifies the process of ensuring that a software system maintains the principle of least authority, and also allows for attenuation of module authority. The implementation of our design is part of the Wyvern programming language.

This presentation proposal is based on the work presented at ECOOP 2017. At the workshop, we will review Wyvern’s capability-based module system and how it can be used to control permissions, and then describe our recent work adding an effects system to reason about authority to perform system-level operations. We are interested in receiving feedback on our work as well as having an active discussion with the object-capabilities community about it.
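As an added illustration of the two ideas the abstract relies on (a module holds only the authority it is explicitly handed, and a holder can attenuate a capability before passing it on), here is an object-capability sketch in plain JavaScript. It is not Wyvern code and not from the ECOOP 2017 paper; the in-memory file store, the attenuator and the "untrusted" summarizer are all constructed for this example, and the absence of ambient authority is a convention of the example rather than something the language enforces, which is exactly the gap Wyvern's module system is designed to close.

```javascript
'use strict';
// Added example: capability attenuation in object-capability style.
// Not Wyvern code and not from the paper; the store below is constructed.

// Root capability: a constructed in-memory "file system".
function makeFileSystem(initialFiles) {
  const files = new Map(Object.entries(initialFiles));
  return Object.freeze({
    read(path) {
      if (!files.has(path)) throw new Error(`no such file: ${path}`);
      return files.get(path);
    },
    write(path, contents) { files.set(path, contents); },
    list() { return [...files.keys()].sort(); },
  });
}

// Attenuator: derive a strictly weaker capability from a stronger one.
// The result only sees paths under `prefix`, rejects '..' segments, and
// cannot write when readOnly is set. The root object is never exposed.
function attenuate(fs, { prefix, readOnly }) {
  const inScope = (p) =>
    p.startsWith(prefix) && !p.slice(prefix.length).includes('..');
  return Object.freeze({
    read(path) {
      if (!inScope(path)) throw new Error(`denied: ${path}`);
      return fs.read(path);
    },
    write(path, contents) {
      if (readOnly || !inScope(path)) throw new Error(`denied: ${path}`);
      fs.write(path, contents);
    },
    list() { return fs.list().filter(inScope); },
  });
}

// An "untrusted module": its only authority is the argument it receives.
// It does its job (count lines per log) and then tries to escalate.
function untrustedLogSummarizer(fs) {
  const summary = {};
  for (const p of fs.list()) summary[p] = fs.read(p).split('\n').length;
  const attempts = [];
  const escalations = [
    () => fs.read('/etc/secret'),          // outside its prefix
    () => fs.read('/logs/../etc/secret'),  // traversal inside its prefix
    () => fs.write('/logs/a.log', 'x'),    // write through a read-only cap
  ];
  for (const action of escalations) {
    try { action(); attempts.push('allowed'); } catch (e) { attempts.push('denied'); }
  }
  return { summary, attempts };
}

// Wire it up: the trusted side holds the root and hands out an attenuated view.
function demo() {
  const root = makeFileSystem({
    '/etc/secret': 'hunter2',
    '/logs/a.log': 'line1\nline2\nline3',
    '/logs/b.log': 'only',
  });
  const logsReadOnly = attenuate(root, { prefix: '/logs/', readOnly: true });
  const result = untrustedLogSummarizer(logsReadOnly);
  return {
    ...result,
    secretIntact: root.read('/etc/secret') === 'hunter2',
    logIntact: root.read('/logs/a.log') === 'line1\nline2\nline3',
  };
}
```

The point of the example is that the summarizer's authority is fixed entirely by what `demo` passes in: no import, global or default grants it the root store, and every escalation it tries is decided by the attenuator rather than by a separate policy engine. Wyvern's contribution, as the abstract describes it, is making this discipline a property of the module system and then adding effects so that the compiler can reason about which system-level operations a module can reach.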

Tue 24 Oct (displayed time zone: Tijuana, Baja California)

10:30 - 12:00  Session 1: OCAP at Cavendish

10:30  30m  Talk  CapNet: Security and Least Authority in a Capability-Enabled Cloud (OCAP)
       Anton Burtsev, University of California, Irvine; David Johnson, University of Utah; Josh Kunz, University of Utah; Eric Eide, University of Utah; Jacobus Van der Merwe, University of Utah

11:00  30m  Talk  Monte: A Spiritual Successor to E (OCAP)
       Corbin Simpson, Matador Cloud LLC

11:30  30m  Talk  Using Object Capabilities and Effects to Build an Authority-Safe Module System (OCAP)
       Darya Melicher, Carnegie Mellon University; Yangqingwei Shi, Peking University; Valerie Zhao, Wellesley College; Alex Potanin, Victoria University of Wellington; Jonathan Aldrich, Carnegie Mellon University