aschrijver
Elixir and Object Capabilities
Capability-based Security as a security model exists for a very long time, but recently there’s a lot of research for using Object Capabilities in distributed (actor-based) programming.
I am referring here to the work of Christine Lemmer-Webber (co-author of the Fediverse’s W3C ActivityPub specification) started in the Spritely Project and now continued with Randy Farmer in Spritely Institute.
Based on the Principle of Least Authority (PoLA) and applied to regular programming this research will explore new paradigms of distributed programming. A lot of work still needs to be done, but Spritely Institute envision emergence of an open-standards based Object Capabilities Network (OCapN):
https://github.com/ocapn/ocapn
The following whitepaper gives an overview of what Spritely Institute is working on: The Heart of Spritely: Distributed Objects and Capability Security and working prototypes exist implemented in Racket and Guile (a Scheme dialect).
How is this relevant?
I am creating this topic first of all to alert the Elixir community: This stuff is major!
Don’t take me on my word. I encourage anyone to check things out to find that out for yourself.
Also Erlang/Elixir seems a bit of a ‘dead zone’ wrt Object Capabilities implementations AFAICS. I wonder if anyone has knowledge on any projects implementing it. The Cap’n Proto protocol (used by Sandstorm) has an Erlang implementation, but it is unmaintained.
Finally.. a lot of this stuff may seem abstract. Scott Wlaschin has a fabulous page on “Designing with Capabilities” equating good design == good security and “intention revealing interfaces”. Watch the video at:
(PS. I am only a beginner Elixir programmer myself. I really hope to see experts entering this field)
Most Liked
jhogberg
There was a lot of work on this around the turn of the century ![]()
al2o3cr
A minor gripe: that’s the same thing everybody kept saying the last time this became a popular research topic twenty years ago. It’s probably the same thing everybody on the iAPX 432 team said to each other 40+ years ago - I wasn’t around for that one. There are interesting ideas in the space, but prematurely declaring them the Next Big Thing helps nobody.
IMO the biggest challenge with bringing something like capabilities to Erlang-land would be the mismatched execution model: capabilities assume that code has no access by default but the BEAM explicitly rejects even isolating nodes from each other, nevermind processes on a single node. There’s been some discussion about filtering/firewalling but it’s a tough problem, especially to retrofit onto an existing runtime.
Re: Austral specifically, a couple things jumped out reading through the examples + issues:
-
“no exceptions” is only technically true, as there are no user-observable exceptions and no mechanism for cleaning user-defined things up when something goes wrong. There’s still PLENTY of places that call
abortand hard-exit from the OS process though, and even just writinga + bcould lead to a runtimeabortif the numbers are large… -
the first place that users might reasonably expect to encounter capabilities is when they want to print to the terminal, but Austral works around that because it would be too verbose
-
another place to encounter capabilities might be when directly manipulating memory (for instance, type-punning with
memmove) but that’s also side-stepped with a specific “are you importing theMemorymodule?” check -
borrowing is powerful, but also brings plenty of edge-cases. For instance, in the example “capability-based file API”, what happens if a
Pathvalue is created using the borrowed result ofGet_Filesystembut thePathis still in-scope afterRelease_Filesystemhas been called? Should a call toRead_Filesucceed, or crash? Can/should the compiler catch this? It may not even be an error
- for instance, I could imagine a capabilities API where best-practice was to derive smaller capabilities at the beginning of a program and then discard the root capability, similar to how setuid programs “drop root” as soon as it’s no longer needed.
Based on the examples + the tutorial around capability-based security, my vibe is that Austral is a language where there could be interesting design possibilities; it seems like a reasonable foundation. But there’s a LOT of capital-H Hard design work still to come to make a usable API that avoids things like “pass your RootCapability to this random code, trust me bro” actually happen.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








