aschrijver

aschrijver

Elixir and Object Capabilities

Capability-based Security as a security model exists for a very long time, but recently there’s a lot of research for using Object Capabilities in distributed (actor-based) programming.

I am referring here to the work of Christine Lemmer-Webber (co-author of the Fediverse’s W3C ActivityPub specification) started in the Spritely Project and now continued with Randy Farmer in Spritely Institute.

Based on the Principle of Least Authority (PoLA) and applied to regular programming this research will explore new paradigms of distributed programming. A lot of work still needs to be done, but Spritely Institute envision emergence of an open-standards based Object Capabilities Network (OCapN):

https://github.com/ocapn/ocapn

The following whitepaper gives an overview of what Spritely Institute is working on: The Heart of Spritely: Distributed Objects and Capability Security and working prototypes exist implemented in Racket and Guile (a Scheme dialect).

How is this relevant?

I am creating this topic first of all to alert the Elixir community: This stuff is major!
Don’t take me on my word. I encourage anyone to check things out to find that out for yourself.

Also Erlang/Elixir seems a bit of a ‘dead zone’ wrt Object Capabilities implementations AFAICS. I wonder if anyone has knowledge on any projects implementing it. The Cap’n Proto protocol (used by Sandstorm) has an Erlang implementation, but it is unmaintained.

Finally.. a lot of this stuff may seem abstract. Scott Wlaschin has a fabulous page on “Designing with Capabilities” equating good design == good security and “intention revealing interfaces”. Watch the video at:

(PS. I am only a beginner Elixir programmer myself. I really hope to see experts entering this field)

Most Liked

jhogberg

jhogberg

Erlang Core Team

There was a lot of work on this around the turn of the century :slight_smile:

al2o3cr

al2o3cr

A minor gripe: that’s the same thing everybody kept saying the last time this became a popular research topic twenty years ago. It’s probably the same thing everybody on the iAPX 432 team said to each other 40+ years ago - I wasn’t around for that one. There are interesting ideas in the space, but prematurely declaring them the Next Big Thing helps nobody.


IMO the biggest challenge with bringing something like capabilities to Erlang-land would be the mismatched execution model: capabilities assume that code has no access by default but the BEAM explicitly rejects even isolating nodes from each other, nevermind processes on a single node. There’s been some discussion about filtering/firewalling but it’s a tough problem, especially to retrofit onto an existing runtime.


Re: Austral specifically, a couple things jumped out reading through the examples + issues:

  • “no exceptions” is only technically true, as there are no user-observable exceptions and no mechanism for cleaning user-defined things up when something goes wrong. There’s still PLENTY of places that call abort and hard-exit from the OS process though, and even just writing a + b could lead to a runtime abort if the numbers are large…

  • the first place that users might reasonably expect to encounter capabilities is when they want to print to the terminal, but Austral works around that because it would be too verbose

  • another place to encounter capabilities might be when directly manipulating memory (for instance, type-punning with memmove) but that’s also side-stepped with a specific “are you importing the Memory module?” check

  • borrowing is powerful, but also brings plenty of edge-cases. For instance, in the example “capability-based file API”, what happens if a Path value is created using the borrowed result of Get_Filesystem but the Path is still in-scope after Release_Filesystem has been called? Should a call to Read_File succeed, or crash? Can/should the compiler catch this? It may not even be an error :thinking: - for instance, I could imagine a capabilities API where best-practice was to derive smaller capabilities at the beginning of a program and then discard the root capability, similar to how setuid programs “drop root” as soon as it’s no longer needed.

Based on the examples + the tutorial around capability-based security, my vibe is that Austral is a language where there could be interesting design possibilities; it seems like a reasonable foundation. But there’s a LOT of capital-H Hard design work still to come to make a usable API that avoids things like “pass your RootCapability to this random code, trust me bro” actually happen.

mayel

mayel

While a topic I need to take more time to explore, object capabilities sure are something we’re very interested to use in Bonfire (an Elixir toolkit for building federated/ActivityPub apps). Would love to see more activity in this space!

Where Next?

Popular in Discussions Top

owaisqayum
I have a sample string sentence = "Hello, world ... 123 *** ^%&*())^% %%:>" From this string, I want to only keep the integers, ...
New
mmport80
I have put far too much effort into Dialyzer over the last year or so - and basically - I doubt it’s worth the effort. It’s not as easy ...
New
nburkley
AWS re:Invent is on at the moment with some interesting announcements. One new feature in particular is the Lambda Runtime API for AWS La...
New
AlexMcConnell
The reason that Rails is as popular as it is is because it’s very easy for relatively inexperienced developers to get a lot of work done....
588 19568 166
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
tmbb
This is a post to discuss the new Phoenix LiveView functionality. From Chris’s talk, it appears that they generate all HTML on the serve...
342 18146 126
New
New
jer
I’ve been using umbrellas for a while, and generally started off (on greenfield projects at least) by isolating subapps based on clearly ...
New
hazardfn
I suppose this question is effectively hackney vs. ibrowse but we are at a point in our project where we have to make a choice between th...
New
scouten
I’m looking for a host for the server part of a small (personal) side project that I’m working on. It’s currently written in Node.js and ...
New

Other popular topics Top

mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43622 214
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a > b) do {:ok, "a"} end if (a < b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New

We're in Beta

About us Mission Statement