• DocumentCode
    2130500
  • Title

    Hidden software capabilities

  • Author

    Hagimont, D. ; Mossiere, J. ; de Pina, X.R. ; Saunier, F.

  • Author_Institution
    LSR, IMAG, Grenoble, France
  • fYear
    1996
  • fDate
    27-30 May 1996
  • Firstpage
    282
  • Lastpage
    289
  • Abstract
    Software capabilities are a very convenient means to protect co-operating applications. They allow access rights to be dynamically exchanged between mutually suspicious interacting applications. However, in all the proposed approaches, capabilities are made available at the programming language level, requiring application developers to wire protection definition in the application code, which is detrimental to both flexibility and reusability. We believe instead that capabilities should be hidden from the application programmer, allowing protection definition and application code to be clearly separated. In this paper we propose a new protection model based on hidden software capabilities, in which protection definition is completely disjoined from the application code and described in an extended interface definition language (IDL). This allows protection to be specified for existing modules and the protection policy of an application to be easily changed. This protection model can be integrated in a wide range of operating systems. We are currently implementing it in a single address space operating system based on distributed shared memory.
  • Keywords
    distributed memory systems; security of data; application code; application developers; application programmer; co-operating applications; distributed shared memory; extended interface definition language; hidden software capabilities; mutually suspicious interacting applications; operating system; software capabilities; Application software; Computer languages; Distributed computing; Kernel; Memory management; Operating systems; Permission; Programming profession; Protection; Wire;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Distributed Computing Systems, 1996., Proceedings of the 16th International Conference on
  • Print_ISBN
    0-8186-7399-0
  • Type

    conf

  • DOI
    10.1109/ICDCS.1996.507926
  • Filename
    507926