Friday, September 11, 2009

Capability based security

I'm not a security man at all, but the simplicity of Capability based security is very appealing to me. There have been various influences upon me in this area, but the basic ones are
  • the E language - a JVM language created to experiment with capabilities
  • Newspeak - a new Smalltalk/Self-style language in which all dependencies have to be passed in
  • Singularity - Microsoft Research's experimental OS, written largely in Sing#, a dialect of C#
Of course, while searching for this stuff I've just come across CapROS, which seems to do similar things to what I envision (and is of course written by people who know what they're doing). It doesn't, however, use a dynamic, OO language; it is written in C, and hence is open to people doing nasty pointer stuff.

The basic concept is that your program is handed the capabilities it may use, and if it does not hold a particular capability (such as one to write a file) then it simply cannot do that thing. A capability is an unforgeable reference that both designates an object and carries the authority to use it, so there is no ambient authority to check against: the OS developers don't have to worry about whether a given call is allowed, because a program with no reference to the file cannot even express the call. This should simplify development of secure software, since the access-control logic collapses into deciding which references to hand out in the first place.

It also makes testing easier, because the whole OS is effectively dependency injected (a component's capabilities are its injected dependencies, so a test can pass in fakes), and it provides sandboxing by default: a component starts with nothing beyond what it was explicitly given.
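As an added example (not code from the original post or from any of the systems it mentions), here is the object-capability idea in plain JavaScript, the language most of the ocap work outside E has been done in: a capability is just an unforgeable reference, so "not allowed" means "you were never handed the reference". The names `makeFileStore`, `attenuateReadOnly`, `makeRevocable` and `runUntrustedPlugin` are hypothetical, and the in-memory file store is a constructed stand-in for a real filesystem, which is also what makes the testing point concrete: the same store that sandboxes the plugin doubles as the test fake.

```javascript
// Added example, not from the original post. Object-capability pattern in JavaScript:
// authority flows only by passing references, so there are no permission checks to forget.

// Constructed in-memory file store standing in for a real filesystem. Exposing a frozen
// object of closures means a holder can reach the private `files` map only through them.
function makeFileStore() {
  const files = new Map();
  return Object.freeze({
    read: (name) => (files.has(name) ? files.get(name) : null),
    write: (name, data) => { files.set(name, data); return true; },
    list: () => [...files.keys()].sort(),
  });
}

// Attenuation: derive a weaker capability from a stronger one. The read-only facet
// simply has no `write` method, so there is no check that could be bypassed.
function attenuateReadOnly(store) {
  return Object.freeze({
    read: (name) => store.read(name),
    list: () => store.list(),
  });
}

// Revocation via a caretaker: a forwarder that can be switched off. After revoke(),
// every call through it fails even though the holder still has the reference.
function makeRevocable(store) {
  let target = store;
  const forward = (method) => (...args) => {
    if (target === null) throw new Error('revoked');
    return target[method](...args);
  };
  const cap = Object.freeze({ read: forward('read'), write: forward('write'), list: forward('list') });
  return { cap, revoke: () => { target = null; } };
}

// Untrusted code receives only what it is given. There is no global filesystem to
// import, so it can act only through the methods present on `caps`.
function runUntrustedPlugin(caps) {
  const result = { readOk: false, writeOk: false, listing: [] };
  try {
    result.listing = caps.list();
    result.readOk = caps.read('config.txt') === 'debug=false';
  } catch (e) { /* capability revoked or absent */ }
  try {
    if (typeof caps.write === 'function') {
      caps.write('config.txt', 'debug=true');
      result.writeOk = true;
    }
  } catch (e) { /* capability revoked */ }
  return result;
}

// Worked scenario; returns its observations so they can be asserted on.
function demo() {
  const store = makeFileStore();
  store.write('config.txt', 'debug=false');

  // The plugin gets only a read-only facet of a revocable store.
  const { cap, revoke } = makeRevocable(store);
  const readOnly = attenuateReadOnly(cap);
  const restricted = runUntrustedPlugin(readOnly);

  // The same plugin, handed a full store, can write: authority is decided by what is passed in.
  const scratch = makeFileStore();
  const unrestricted = runUntrustedPlugin(scratch);

  revoke();
  let afterRevoke;
  try { readOnly.read('config.txt'); afterRevoke = 'read succeeded'; } catch (e) { afterRevoke = e.message; }

  return {
    restrictedRead: restricted.readOk,                               // true
    restrictedWrote: restricted.writeOk,                             // false: no write method exists
    configUnchanged: store.read('config.txt') === 'debug=false',     // true
    unrestrictedWrote: unrestricted.writeOk,                         // true
    scratchContents: scratch.read('config.txt'),                     // 'debug=true'
    afterRevoke,                                                     // 'revoked'
  };
}
```

Note that nothing in `runUntrustedPlugin` is consulted about who it is or what it is allowed to do; the only thing that varies between the two runs is which reference it was given. That is the whole mechanism, and it is also why the in-memory store works unchanged as a test double.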
