Type-Based Capability for Java
Xi Wu, Yi Lu, Ian J. Hayes and Larissa A. Meinicke
The University of Queensland
Oracle Labs, Australia
Sydney November 2017
Under the ARC Linkage Project with Oracle Labs, Australia
1 / 13
Outline
- An Overview of Capabilities for Java
- Motivation
- Ongoing Work
- Summary and Future Direction
Java Security Issues
- doPrivileged blocks
  - wide privileges granted to the Java Class Library
  - code can run with fewer restrictions
- Subclassing privileged classes
  - unprivileged subclasses of privileged classes
  - overriding existing methods with rogue code
- Privileged access escape
  - access to a privileged object escapes to unauthorized domains
- Caller-sensitive methods
  - depend on the privileges of the class loader of the caller
How to provide more secure access to resources for Java, with the aim of preventing security flaws?
Philosophy behind Capabilities in Java
- All access to resources is given by explicit "capabilities"
  - an object with a restricted interface
  - a set of operations that can be invoked
  - encapsulates what one can do with a resource
- Permission checking is done when a capability is created
  - the resource is accessed via methods of the capability
  - no further permission checking is required

Reference
- Ian J. Hayes, Xi Wu and Larissa A. Meinicke. Capabilities for Java: Secure Access to Resources. In: Proc. 15th Asian Symposium on Programming Languages and Systems (APLAS 2017), pp. 67-84.
Running Example: File Input and Output Streams
Capabilities inherit from the empty capability NullCap: methods inherited from class Object are disallowed unless explicitly included with restrictions.
Generating Capabilities
- Capability Manager
Capabilities Escape to Untrusted Code

The capability type and its manager use the `capability` keyword and the `capability (InCap)` cast proposed for Java in the APLAS 2017 paper; the permission check happens once, when the capability is created.

```java
import java.io.FileNotFoundException;
import java.io.FilePermission;
import java.io.RandomAccessFile;

// A capability type: the only operation it exposes is requesting an InCap for a named file.
capability FileAccessCap {
    InCap requestInCap(String name) throws FileNotFoundException, SecurityException;
}

// The capability manager: the dynamic permission check is done here, at creation time.
class RandomAccessFileManager implements FileAccessCap {
    RandomAccessFileManager() { }

    public InCap requestInCap(String name) throws SecurityException, FileNotFoundException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new FilePermission(name, "read"));
        }
        // Wrap the file so that only InCap's operations are reachable through the result.
        return capability (InCap) new RandomAccessFile(name);
    }
}

public class A {
    public static void main(String[] args) throws Exception {
        FileAccessCap f = ;   // initialiser elided on the slide
        B b = ;               // initialiser elided on the slide
        InCap in = f.requestInCap(fileName);
        b.use(in);            // the InCap obtained by A is handed to B
    }
}

public class B {
    ...
    public void use(InCap in) { ... }
}
```

Class A passes the permission check and obtains an InCap, then hands it to class B. No further check is made when B uses it, so the capability has escaped to code that was never itself checked.
Type-based Capability
- Attempt to solve
  - capabilities obtained by trusted code may be received by untrusted code
- Avoid dynamic permission checks
  - regard capabilities as types
  - proper use of capabilities is established by type checking
- Capabilities as permissions
  - granted to code by user-defined policy files
  - restrict capabilities to only authorised code
Security Goal

access(code, cap) ⇒ grant(code, cap)

- access(code, cap): code uses the capability cap
- grant(code, cap): code is granted the capability cap by the user
- Transitivity: grant(code, cap2) ∧ cap1 <: cap2 ⇒ grant(code, cap1)
- cap1 <: cap2 is satisfied if cap2 is more privileged than cap1
  - the relation <: is the opposite of the standard Java subtyping relation
  - e.g., InCap <: InOutCap, but not InCap <: OutCap
Revisited Capabilities Escape

(Diagram on the slide: class RandomAccessFileManager creates the capabilities.)

Each class now carries an @grant annotation listing the capabilities it is granted, and the type checker enforces access(code, cap) ⇒ grant(code, cap) statically.

```java
capability FileAccessCap {
    InCap requestInCap(String name) throws FileNotFoundException, SecurityException;
}

// A is granted both capabilities it uses: FileAccessCap for f and InCap for in.
@grant{FileAccessCap, InCap}
public class A {
    public static void main(String[] args) throws Exception {
        FileAccessCap f = ;   // initialiser elided on the slide
        B b = ;               // initialiser elided on the slide
        InCap in = f.requestInCap(fileName);
        b.use(in);
    }
}

// First variant: B is granted only the empty capability NullCap.
@grant{NullCap}
public class B {
    ...
    public void use(InCap in) { ... }
}
```

With @grant{NullCap}, B accesses InCap without grant(B, InCap), so the security goal fails and the escape is caught at type-checking time.

```java
// Second variant: B is granted InOutCap.
@grant{InOutCap}
public class B {
    ...
    public void use(InCap in) { ... }
}
```

With @grant{InOutCap}, grant(B, InCap) follows by transitivity because InCap <: InOutCap, so B's use of the InCap is authorised.
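As an added example that is not the authors' code or the paper's type checker, the following Python model applies the deck's security goal and transitivity rule to the two @grant variants above. The privilege order for the deck's capability types is constructed here: InCap <: InOutCap and OutCap <: InOutCap come from the slides, while placing NullCap below every other capability and treating FileAccessCap as otherwise incomparable are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed privilege order: an edge cap1 -> cap2 means cap1 <: cap2, i.e. cap2 is
# at least as privileged as cap1. InCap <: InOutCap and OutCap <: InOutCap are from the
# slides; NullCap (the empty capability) sitting below everything and FileAccessCap
# being otherwise incomparable are assumptions made for this example.
PRIV_ORDER: Dict[str, Set[str]] = {
    "NullCap": {"InCap", "OutCap", "FileAccessCap"},
    "InCap": {"InOutCap"},
    "OutCap": {"InOutCap"},
    "InOutCap": set(),
    "FileAccessCap": set(),
}


def less_privileged(cap1: str, cap2: str) -> bool:
    """cap1 <: cap2: reflexive, transitive closure of PRIV_ORDER (graph search)."""
    seen: Set[str] = set()
    stack = [cap1]
    while stack:
        cap = stack.pop()
        if cap == cap2:
            return True
        if cap in seen:
            continue
        seen.add(cap)
        stack.extend(PRIV_ORDER.get(cap, set()))
    return False


def granted(code: str, cap: str, grants: Dict[str, Set[str]]) -> bool:
    """grant(code, cap) closed under the deck's transitivity rule:
    grant(code, cap2) and cap1 <: cap2 implies grant(code, cap1)."""
    return any(less_privileged(cap, cap2) for cap2 in grants.get(code, set()))


def check(accesses: Dict[str, Set[str]],
          grants: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return every (code, cap) where access(code, cap) holds but grant(code, cap)
    does not. An empty list means access => grant holds for the whole program."""
    return sorted((code, cap)
                  for code, caps in accesses.items()
                  for cap in caps
                  if not granted(code, cap, grants))


# Capability types each class touches in the Revisited Capabilities Escape slide:
# A declares a FileAccessCap and receives an InCap; B receives the InCap as a parameter.
ACCESSES: Dict[str, Set[str]] = {"A": {"FileAccessCap", "InCap"}, "B": {"InCap"}}

# First @grant variant: B is granted only NullCap.
GRANTS_NULL: Dict[str, Set[str]] = {"A": {"FileAccessCap", "InCap"}, "B": {"NullCap"}}
# Second @grant variant: B is granted InOutCap, which covers InCap since InCap <: InOutCap.
GRANTS_INOUT: Dict[str, Set[str]] = {"A": {"FileAccessCap", "InCap"}, "B": {"InOutCap"}}

if __name__ == "__main__":
    print(check(ACCESSES, GRANTS_NULL))   # [('B', 'InCap')]: the escape is rejected
    print(check(ACCESSES, GRANTS_INOUT))  # []: B holds a capability covering InCap
```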
Summary and Future Directions
- Summary
  - prevent capabilities from escaping to unauthorised code
  - the security goal can be enforced statically by the type system
- Future Direction
  - Capabilities as Module Dependency
    - apply capabilities to describing dependencies in the module system
  - Properties from Object-Capability and Design Patterns
    - describe object-capability properties and design patterns
  - Parameterization
    - specify the particular file names that code holding a capability can access
Thanks. Questions?