github.com/fibonacci-chain/fbc@v0.0.0-20231124064014-c7636198c1e9/libs/cosmos-sdk/docs/core/ocap.md

<!--
order: 8
-->

# Object-Capability Model

## Intro

When thinking about security, it is good to start with a specific threat model. Our threat model is the following:

> We assume that a thriving ecosystem of Cosmos-SDK modules that are easy to compose into a blockchain application will contain faulty or malicious modules.

The Cosmos SDK is designed to address this threat by being the
foundation of an object capability system.

> The structural properties of object capability systems favor
> modularity in code design and ensure reliable encapsulation in
> code implementation.
>
> These structural properties facilitate the analysis of some
> security properties of an object-capability program or operating
> system. Some of these — in particular, information flow properties
> — can be analyzed at the level of object references and
> connectivity, independent of any knowledge or analysis of the code
> that determines the behavior of the objects.
>
> As a consequence, these security properties can be established
> and maintained in the presence of new objects that contain unknown
> and possibly malicious code.
>
> These structural properties stem from the two rules governing
> access to existing objects:
>
> 1. An object A can send a message to B only if object A holds a
>    reference to B.
> 2. An object A can obtain a reference to C only
>    if object A receives a message containing a reference to C. As a
>    consequence of these two rules, an object can obtain a reference
>    to another object only through a preexisting chain of references.
>    In short, "Only connectivity begets connectivity."

For an introduction to object-capabilities, see [this article](https://en.wikipedia.org/wiki/Object-capability_model).
## Ocaps in practice

The idea is to only reveal what is necessary to get the work done.

For example, the following code snippet violates the object capabilities
principle:

```go
type AppAccount struct {
	Address sdk.AccAddress
	Coins   sdk.Coins
}

account := &AppAccount{
	Address: sdk.AccAddress(pub.Address()),
	Coins:   sdk.Coins{sdk.NewInt64Coin("ATM", 100)},
}
// Passing a pointer hands the callee the capability to mutate the account.
sumValue := externalModule.ComputeSumValue(account)
```

The method `ComputeSumValue` implies a pure function, yet accepting a pointer
implies the capability to modify the value it points to. The preferred method
signature takes a copy instead:

```go
sumValue := externalModule.ComputeSumValue(*account)
```

In the Cosmos SDK, you can see the application of this principle in the
gaia app.

+++ https://github.com/cosmos/gaia/blob/master/app/app.go#L197-L209

## Next

Learn about [building modules](../building-modules/intro.md) {hide}
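The pointer-versus-copy point from the "Ocaps in practice" section above, carried one step further as an added example (not code from the SDK or this page): a struct copy protects scalar fields, but in Go a copied slice header such as `Coins` still points at the caller's backing array, so a faithful ocap boundary needs a deep copy. `Coin`, `AppAccount`, `Clone`, `drain`, `SumByPointer` and `SumByValue` are simplified stand-ins assumed for this illustration.

```go
package main

import "fmt"

// Added example: Coin and AppAccount are simplified stand-ins, not the SDK types.
type Coin struct {
	Denom  string
	Amount int64
}

type AppAccount struct {
	Address string
	Coins   []Coin
}

// Clone returns a deep copy so the callee holds no reference into our Coins.
func (a AppAccount) Clone() AppAccount {
	c := a
	c.Coins = append([]Coin(nil), a.Coins...)
	return c
}

// drain sums the coins but also zeroes them: the side effect a "pure" sum must not have.
func drain(coins []Coin) int64 {
	var total int64
	for i := range coins {
		total += coins[i].Amount
		coins[i].Amount = 0
	}
	return total
}

// SumByPointer models an external ComputeSumValue taking a pointer: a capability to mutate.
func SumByPointer(acc *AppAccount) int64 {
	acc.Address = "hijacked" // rewrites the caller's field
	return drain(acc.Coins)
}

// SumByValue takes a copy. Address is now protected, but the copied slice header
// still points at the caller's backing array, so Coins is mutated anyway.
func SumByValue(acc AppAccount) int64 {
	acc.Address = "hijacked" // lost with the copy; the caller never sees it
	return drain(acc.Coins)
}

func main() {
	acc := AppAccount{Address: "cosmos1demo", Coins: []Coin{{"ATM", 100}}} // constructed input
	fmt.Println(SumByValue(acc.Clone()), acc.Coins) // 100 [{ATM 100}]: deep copy protects the caller
	fmt.Println(SumByValue(acc), acc.Coins)         // 100 [{ATM 0}]: shared slice leaked the capability
}
```

The same caveat applies to maps and pointer fields inside the struct: `*account` in the page's corrected call only removes the capability over the struct's own fields, not over anything those fields reference.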