Page History

The term _capability_ was introduced by Dennis and Van Horn \[[Dennis 1966|AA. References#Dennis 1966]\]. The basic idea is that for a program to access an object, it must have a special token. This token designates an object and gives the program the authority to perform a specific set of actions (such as reading or writing) on that object. Such a token is known as a capability.

Authority is embodied by object references, which serve as capabilities. _Authority_ refers to any effects that running code can have other than to perform side-effect-free computations. Authority includes effects not only effects on external resources such as files orand network sockets, but also on mutable data structures that are shared with other parts of the program \[[Mettler 2010B|AA. References#Mettler 2010B]\].

One surprising source of leaked capabilities and leaked data is inner classes, which have access to all the fields of their enclosing class. Java bytecodes lack built-in support for inner classes; consequently, inner classes are compiled into ordinary classes with stylized names, such as {{OuterClass$InnerClass}}. Because inner classes must be able to access the private fields of their enclosing class, the access control for those fields is changed to package access in the bytecode. Consequently, handcrafted bytecode can access these nominally private fields (see “Security Aspects in Java Bytecode Engineering” \[[Schoenefeld 04|AA. References#Schoenefeld 04]\] for an example).