Caja: Capability Javascript

Ben Laurie:

I’ve been running a team at Google for a while now, implementing capabilities in Javascript....a Caja program will run without modification on a standard Javascript interpreter - though it won’t be secure, of course! When it is compiled then, like CaPerl, the result is standard Javascript that enforces capability security. What does this mean? It means that Web apps can embed untrusted third party code without concern that it might compromise either the application’s or the user’s security...I’m very excited about this project and the involvement of some world class capability experts, including Mark Miller (of E fame) who is a full-time member of the Caja development team.

This could possibly be a very important development. I haven't delved into Caja, but I know some members know all there is to know, so perhaps they can enlighten us about the details...

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Broken link to Caja

Presumably the intended URL was the following, until the link gets fixed:

Fixed. Thanks.

Fixed. Thanks.

Caja specification

fine-grained authority

The general approach gives a plausible way to process with units of authority smaller than that of a user or other large principle. This is important because nowadays desktop computers run millions of lines of code written by other people. Even when there is no malice, it means that a bug in any one of those lines can cause arbitrary harm to the user's data.

If you run programs that are written in object-capability languages, then you can dole out small amount of authority to each program. This program can access that file, this one can draw into this window, etc. Other approaches are not looking so good. Java sandboxes work but are too restrictive for most software. ACL's are where a lot of the mindshare is at, but does anyone know of a system where fine-grained ACL's really work to prevent security breaches?

Caja is part of the ongoing investigation into object capability languages. Part of the question is just how hard it is to write within a capability discipline. By providing object-capability languages that are generous subsets of existing languages, this makes it easier for people to try writing their next program in an object-capability style.

Has anyone on here taken the challenge and written a sizable program either in Caja or in some other object-capability language?

The object-capability chalenge

Has anyone on here taken the challenge and written a sizable program either in Caja or in some other object-capability language?

Caja isn't yet ready for this challenge. Today, it is still a paper design + an implementation of a previous attempt. (Both are now open source.)

For applications in other object-capability languages, some appear here on the erights wiki. If you know of more examples, please add them to this list (or just let me know). Thanks.


When will GWT target Caja, I wonder?


Yeah, with Lex and Mark posting, I was trying hard not to say this...