by erights 2759 days ago
In light of some feedback we've received on the article, some clarification is needed. The ocap (object-capabilities) approach does not by itself make systems secure. Rather, it is an enormous step towards making systems secureable. Even after taking this step, making complex systems secure can still be very hard, depending on the specifics.

In an ocap system such as SES (https://github.com/Agoric/SES), an object can only directly cause effects on the world outside itself by using the capabilities it holds. Objects come in graphs held together by references, so an object can still only cause effects, directly or indirectly, according to its connectivity to the rest of the system via references. The difference between direct effects vs general causation is the difference between permission and authority [1,2]. Permission is often vastly easier to reason about than authority, but our safety depends on reasoning about limits on authority.

The event-stream exploit would have been prevented merely by practicing the principle of least permission. Hence this article did not need to go into these subtleties. Hence, this exploit is a good example for introducing people to these concepts, tempting them to dig deeper [3].

[1] Paradigm Regained http://www.erights.org/talks/asian03/paradigm-revised.pdf

[2] Permission and Authority Revisited https://ai.google/research/pubs/pub45570

[3] References page https://agoric.com/references/
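To make the permission/authority distinction and "least permission" concrete, here is an added JavaScript illustration; it is not code from the comment or from the SES project, and every name in it (makeStore, makeReadOnlyFacet, makeRevocable, untrustedPlugin) is invented for the illustration. A dependency is handed a revocable read-only facet of a store instead of the store itself, so its permission (the methods it can call) bounds its authority (the effects it can cause).

```javascript
'use strict';
// Added illustration (not code from the comment or the SES project).
// Names like makeStore, makeReadOnlyFacet, makeRevocable, untrustedPlugin are invented.
// A store capability: whoever holds this reference may read and write.
function makeStore() {
  const data = new Map();
  return Object.freeze({
    get: (k) => data.get(k),
    set: (k, v) => { data.set(k, v); },
    keys: () => [...data.keys()],
  });
}

// Attenuation: a facet exposing only the read methods. The holder's permission
// (what it can invoke) now bounds its authority over the store to reading.
function makeReadOnlyFacet(store) {
  return Object.freeze({ get: (k) => store.get(k), keys: () => store.keys() });
}

// Caretaker pattern: a revocable forwarder. The grantor keeps `revoke`, so it can
// later sever the reference and with it all authority the holder gained through it.
function makeRevocable(target) {
  let current = target;
  const live = () => { if (!current) throw new Error('revoked'); return current; };
  const proxy = Object.freeze({ get: (k) => live().get(k), keys: () => live().keys() });
  return { proxy, revoke: () => { current = null; } };
}

// A third-party dependency receives its capabilities as arguments; it has no
// ambient global, fs or network reference to reach for, only what it was handed.
function untrustedPlugin(caps) {
  const seen = caps.store.keys().length;
  let wrote = true;
  try { caps.store.set('pwned', true); } catch (_) { wrote = false; }  // no setter was granted
  return { seen, wrote };
}

// Wiring: the application (the only holder of the full store) hands the plugin a
// revocable read-only facet, then revokes it.
function runScenario() {
  const store = makeStore();
  store.set('config', 'prod');
  const { proxy, revoke } = makeRevocable(makeReadOnlyFacet(store));
  const first = untrustedPlugin({ store: proxy });
  revoke();
  let afterRevoke;
  try { untrustedPlugin({ store: proxy }); afterRevoke = 'ran'; } catch (e) { afterRevoke = e.message; }
  return { seen: first.seen, wrote: first.wrote, pwned: store.get('pwned'), afterRevoke };
}
```

Compare this with a plugin that `require`s a shared store module or reaches for `fs` directly: there, every dependency holds the full permission by default, which is exactly the ambient authority the comment's "least permission" argument is about.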