LowCapsFormally: Low-level Object Capabilities for Formally Watertight Security

Printer-friendly version
January 2019 to December 2023
FWO ERC Runner-up Project

Object capabilities (ocaps) are a technique for fine-grained privilege separation in programming languages, with applications in security and software engineering. Ocaps are practically used in high-level programming languages like JavaScript, but recently, there is also a renewed interest in capability machines: processors that apply ocaps at the low level of assembly languages (lowcaps). Security measures based on lowcaps offer the perspective of efficient but watertight defences against realistic attackers, that protect against arbitrary attacks, not just the ones we already know. Such measures promise to end the attack-defence arms race that plagues many current measures. In this research project, I aim to validate and demonstrate this potential, as well as deepen the scientific understanding of ocaps in general.

To reach this objective, this project takes the perspective that a lowcap assembly language is just another programming language, that can be studied using powerful techniques that are developed for high-level programming languages, particularly logical relations and program logics. Using this methodology, I intend to propose, study and implement novel lowcap security measures and rigorously prove their effectiveness. On the other hand, I also intend to further study effect parametricity: a general property I proposed that formally captured the essence of ocaps. I intend to study and apply it in different contexts: for modular reasoning about ocap and lowcap code, but also in the context of functional and dependently typed programming languages, for a number of different purposes (elaborated below).

This project’s results will range from novel, provably correct security measures built on lowcaps, novel methods for reasoning about such measures, but also novel insights about the nature of ocaps, the relation between object-oriented and functional code and the use of effect parametricity in dependently-typed proof assistants.