

Analysing the security properties of object-capability patterns


Toby Murray

Oxford University Computing Laboratory


The object-capability model is an increasingly popular architecture for building secure software systems. This model promotes the construction of reusable patterns for enforcing security properties within object-capability systems. In this thesis, we apply the process algebra CSP, and its automatic refinement-checker FDR, to analyse object-capability patterns and prove whether they uphold the security properties they are designed to enforce.

We show how CSP can accurately model object-capability systems and patterns, and express their wide variety of features.

We show that complex safety properties of object-capability patterns can be reasoned about by encoding them as CSP refinement checks for FDR. This allows vulnerabilities in patterns that arise from concurrent and recursive invocation to be detected automatically.
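The following CSP_M script is an added illustration of the approach described above; it is not from the thesis. It models a small object-capability system around a revocable forwarder (a "caretaker" object that Alice can invoke, which relays her invocations to Bob until Carol revokes it) and encodes the safety property "after revocation, nothing further reaches Bob" as a trace-refinement check that FDR can run. The object names, the two caretaker variants and the event names are assumptions made for the example.

```csp
-- Added example, not from the thesis: a revocable forwarder in CSP_M for FDR.
-- Object names, events and the two caretaker variants are assumptions.
datatype Obj    = Alice | Bob | Carol | Caretaker
datatype Status = ok | revoked

channel call   : Obj.Obj   -- call.from.to : an invocation sent along a capability
channel revoke             -- Carol exercising her revocation capability
channel check  : Status    -- the forwarder consulting a separate revocation flag

-- Alice holds only a capability to the caretaker and invokes it repeatedly.
ALICE = call.Alice.Caretaker -> ALICE

-- Bob accepts whatever the caretaker forwards to him.
BOB = call.Caretaker.Bob -> BOB

-- Carol holds the revoker and uses it at most once.
CAROL = revoke -> STOP

-- Variant 1: the caretaker keeps the revocation state itself, so deciding to
-- forward and forwarding are a single step that no revocation can split.
CARETAKER_ATOMIC = call.Alice.Caretaker -> call.Caretaker.Bob -> CARETAKER_ATOMIC
                   [] revoke -> DROP
DROP = call.Alice.Caretaker -> DROP

-- Variant 2: the revocation state lives in a separate flag object that the
-- caretaker consults before forwarding; check and forward are two events,
-- so another object may act between them.
FLAG         = check.ok -> FLAG [] revoke -> FLAG_REVOKED
FLAG_REVOKED = check.revoked -> FLAG_REVOKED
CARETAKER_CHECKED = call.Alice.Caretaker ->
                      ( check.ok      -> call.Caretaker.Bob -> CARETAKER_CHECKED
                     [] check.revoked -> CARETAKER_CHECKED )

-- Wire the objects together; each pair synchronises only on the calls that
-- the capability graph permits between them.
SYS_ATOMIC  = (ALICE [| {| call.Alice.Caretaker |} |] CARETAKER_ATOMIC)
              [| {| call.Caretaker.Bob, revoke |} |] (BOB ||| CAROL)

SYS_CHECKED = (ALICE [| {| call.Alice.Caretaker |} |]
                (CARETAKER_CHECKED [| {| check |} |] FLAG))
              [| {| call.Caretaker.Bob, revoke |} |] (BOB ||| CAROL)

-- Safety specification over the events of interest: Bob may be reached any
-- number of times before revocation and never afterwards.
SPEC = call.Caretaker.Bob -> SPEC [] revoke -> STOP

-- Events internal to the pattern are hidden before comparing against SPEC.
Internal = {| call.Alice.Caretaker, check |}

assert SPEC [T= SYS_ATOMIC  \ Internal
assert SPEC [T= SYS_CHECKED \ Internal
```

Load the script in FDR and run both assertions. The first variant satisfies SPEC because the caretaker's own state gates the forward. The second is the interesting one: the flag can be revoked between `check.ok` and `call.Caretaker.Bob`, so FDR reports the trace `revoke, call.Caretaker.Bob` as a counterexample, which is exactly the kind of concurrent-invocation flaw the refinement-check encoding is meant to surface.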

We show that CSP's theory of data-independence can be applied to allow one to generalise the results obtained from analysing small fixed-sized systems, to systems of arbitrary size.

We show how to reason about the information flow properties of object-capability patterns. We argue that in order to do so sensibly, one must make the assumption that objects can directly influence each other only through their overt interactions with one another. We show how traditional noninterference properties can be adapted to take this assumption into account, and how they can then be tested with FDR.

We consider how to reason about liveness properties of object-capability patterns under necessary fairness assumptions. We prove that such properties cannot always be expressed as CSP refinement checks for FDR, making them impossible for FDR to test precisely, but we show how FDR can nonetheless be applied to reason about them by testing sufficient conditions for them instead.

To reason about authority, we develop a framework for expressing general non-causation properties and show how it can capture various kinds of authority, as well as the notions of defensive correctness and defensive consistency. We show that, for deterministic systems, non-causation of safety effects can be expressed as refinement checks in CSP models that FDR can support. However, for nondeterministic systems, we prove that even certain simple non-causation properties cannot be precisely captured this way.

BibTeX Entry

    school           = {University of Oxford},
    title            = {Analysing the Security Properties of Object-Capability Patterns},
    author           = {Toby Murray},
    year             = {2010},
    type             = {{D.Phil.} Thesis}


Served by Apache on Linux on seL4.