A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object [Wikipedia 2011].

The term capability was introduced by Dennis and Van Horn [Dennis 1966]. The basic idea is that for a program to access an object, it must hold a special token. This token designates an object and gives the program the authority to perform a specific set of actions (such as reading or writing) on that object. Such a token is known as a capability.

In an object-capability language, all program state is contained in objects that cannot be read or written without a reference, which serves as an unforgeable capability. All external resources are also represented as objects. Objects encapsulate their internal state, providing reference holders access only through prescribed interfaces [Mettler 2010A].

Every Java object has an unforgeable identity in addition to its contents, because the == operator tests reference equality rather than structural equality: no code can construct a second object that compares == to an existing one. This unforgeable identity allows a reference to an object to be used as a token, serving as an unforgeable proof of authorization to perform some action [Mettler 2010B].

Authority is embodied by object references, which serve as capabilities. Authority refers to any effect that running code can have other than performing side-effect-free computations. It includes not only effects on external resources, such as files and network sockets, but also effects on mutable data structures that are shared with other parts of the program [Mettler 2010B].

References to objects whose methods can perform sensitive operations can serve as capabilities that enable the holder to perform those operations (or to request that the object perform them on the holder's behalf). Consequently, such references must themselves be treated as sensitive data and must not be leaked to untrusted code. Where untrusted code needs some of the authority, hand it a separate object that forwards only the permitted operations (an attenuated capability) rather than the reference to the sensitive object itself.
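The following program is an added example, not code from the original page or from the cited papers, that puts the preceding two ideas into practice: a reference to the sensitive object is the full capability and stays inside trusted code, while untrusted code receives an attenuated, revocable forwarder that exposes only one operation. The names AuditLog, Appender and Revoker are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added example: object references as capabilities, with attenuation and revocation.
 * AuditLog, Appender and Revoker are hypothetical names chosen for this illustration.
 */
public final class CapabilityDemo {

    /** The sensitive resource. Only code holding a reference to it can read or write it. */
    static final class AuditLog {
        private final List<String> entries = new ArrayList<>();

        // Package-private constructor: only the trusted issuer in this package creates one.
        AuditLog() {}

        void append(String entry) {
            entries.add(entry);
        }

        /** Read access: this is the part of the authority we do NOT give to plugins. */
        List<String> snapshot() {
            return Collections.unmodifiableList(new ArrayList<>(entries));
        }
    }

    /** An attenuated capability: append-only, no read access. */
    interface Appender {
        void append(String entry);
    }

    /** Issues revocable Appender facets for one AuditLog without ever exposing it. */
    static final class Revoker {
        private volatile AuditLog target;   // null once revoked

        Revoker(AuditLog target) {
            this.target = target;
        }

        /** The forwarder is a distinct object; its holder has no path to the AuditLog. */
        Appender facet() {
            return entry -> {
                AuditLog t = target;          // read once so revoke() cannot race the null check
                if (t == null) {
                    throw new IllegalStateException("capability revoked");
                }
                t.append(entry);
            };
        }

        void revoke() {
            target = null;
        }
    }

    public static void main(String[] args) {
        AuditLog log = new AuditLog();          // full capability, kept in trusted code
        Revoker revoker = new Revoker(log);
        Appender forPlugin = revoker.facet();   // the only reference that crosses the trust boundary

        forPlugin.append("plugin started");
        revoker.revoke();
        try {
            forPlugin.append("plugin must not get here");
        } catch (IllegalStateException e) {
            System.out.println("plugin write rejected: " + e.getMessage());
        }

        // Identity, not content, is what makes a capability: two facets are distinct tokens
        // even though they forward to the same log, and neither can be forged from outside.
        System.out.println("same facet object: " + (forPlugin == revoker.facet()));
        System.out.println("log contents visible only to the holder of 'log': " + log.snapshot());
    }
}
```

The design point is that the plugin never receives a reference to AuditLog, so it cannot call snapshot() no matter what it does with the Appender, and the trusted side can withdraw the granted authority at any time by calling revoke().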

One surprising source of leaked capabilities and leaked data is inner classes, which have access to all the fields of their enclosing class. The JVM has no built-in notion of inner classes; consequently, inner classes are compiled into ordinary classes with stylized names, such as OuterClass$InnerClass. Because an inner class must be able to reach the private members of its enclosing class, compilers before Java 11 make those members reachable at the package level in the bytecode: the enclosing class gets synthetic, package-private accessor methods (named access$NNN) that read or write the private fields on the inner class's behalf. Any handcrafted bytecode placed in the same package can call these accessors and so reach the nominally private fields (see "Security Aspects in Java Bytecode Engineering" [Schoenefeld 04] for an example). Java 11 introduced nest-based access control (JEP 181), under which the JVM itself allows private access between an enclosing class and its nested classes, so those compilers no longer emit the accessors; code compiled with an older compiler, or with an older target, still carries them.
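The following program is an added example, not code from the original page or from the cited paper, for checking whether a compiled class carries the package-level accessors described above. It declares a hypothetical Vault class whose private field holds a capability and an inner Auditor class that reads it, then uses reflection to list the synthetic, non-private methods javac generated on Vault. Run it with the compiler and target you actually ship with: an empty list means the JVM's nest-based access control is in effect; a listed access$NNN method is a package-level entry point to the private field.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example: detect synthetic package-private accessors emitted for inner classes.
 * Vault and Vault.Auditor are hypothetical names chosen for this illustration.
 */
public final class AccessorCheck {

    static final class Vault {
        private final Object masterKey = new Object();   // a capability that must not leak

        /** Non-static inner class that touches the private field of its enclosing class. */
        final class Auditor {
            boolean hasKey() {
                return masterKey != null;
            }
        }
    }

    /**
     * Returns a description of every synthetic method on the class that is NOT private.
     * Pre-Java-11 javac emits "static Object access$000(Vault)" here for the read of
     * masterKey; any class in the same package may invoke it.
     */
    static List<String> syntheticAccessors(Class<?> c) {
        List<String> found = new ArrayList<>();
        for (Method m : c.getDeclaredMethods()) {
            int mod = m.getModifiers();
            if (m.isSynthetic() && !Modifier.isPrivate(mod)) {
                found.add(Modifier.toString(mod) + " "
                        + m.getReturnType().getSimpleName() + " " + m.getName());
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Instantiate the inner class so the compiled code path exercising the field exists.
        Vault vault = new Vault();
        Vault.Auditor auditor = vault.new Auditor();
        System.out.println("auditor sees key: " + auditor.hasKey());

        List<String> accessors = syntheticAccessors(Vault.class);
        if (accessors.isEmpty()) {
            // Expected with Java 11+ compilers and targets (JEP 181 nestmates):
            // the JVM lets Auditor read masterKey directly, so nothing is exposed to the package.
            System.out.println("no synthetic accessors on " + Vault.class.getName());
        } else {
            // Expected from older compilers or targets: the field is reachable by any
            // class that lands in this package, including handcrafted bytecode.
            System.out.println("package-callable accessors on " + Vault.class.getName()
                    + ": " + accessors);
        }
    }
}
```

Whichever result you see, the defensive advice is the same: do not rely on the private modifier alone to protect a field that holds a capability, and keep such fields out of classes that untrusted code can share a package with (for example, by sealing the package in a signed JAR).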

Rules regarding capabilities are collected under the capability label in this space.