Mark Miller — Capability Security and the E Language
<!-- hierarchy:nav -->
Path: OIP › Thinker Reference › Thinkers › Mark Miller — Capability Security and the E Language
Shelf: Thinkers · Traversal: self-explaining · hierarchical · voxel-ready
Machine root: OIP tree · Registry
Mark Miller — Capability Security and the E Language
§SELF — thinker-mark-miller
What this page is: A profile of the computer scientist who built a programming language and protocol around a single security principle: possession conveys authority. What it explains: Capability-based security, the confused deputy problem, CapTP, promise pipelining, and what OIP should take from this work. Why read it: You will understand a different way to think about security — one where authority is carried by references, not checked by permissions lists — and why this matters for systems that delegate power between autonomous agents.
What Mark Miller Did
Mark Miller is a computer scientist who is the most important figure in capability security after the field's founders. Capability security is an approach to computer security where the right to use a resource is granted by holding a reference to that resource. A reference is a pointer or handle that lets a program access an object or service.
Miller created:
- The E programming language (ec-lang.org): A language designed around capability security principles. Every object interaction in E follows the capability model.
- CapTP (Capability Transport Protocol): A protocol for sending capabilities across a network. CapTP lets one system hand another system the authority to use an object, securely and verifiably.
- Promise pipelining: A technique for sending a chain of operations across a network without waiting for each round-trip to complete.
- Agoric computing: A model of computation where objects trade capabilities in a market-like system.
He co-authored the paper "Paradigm Regained: Abstraction Mechanisms for Access Control" with Jonathan Shapiro, which argued that capability-based access control is more fundamental and more secure than permission-based systems.
The Key Idea: Possession Conveys Authority
In a capability system, if you hold a reference to an object, you can use it. There is no separate permission check. There is no central authority that decides who can do what. Authority is decentralized: it lives in the references you hold.
This is different from the security model most systems use today. Most operating systems and applications use Access Control Lists (ACLs). An ACL is a list that says "User A can read File B" and "User C cannot." A separate system — the operating system kernel, the database, the server — checks every request against this list.
In a capability system, there is no list. If you have the reference, you have the authority. If you do not have the reference, you cannot even name the object, so you cannot ask to use it. Security is enforced by the inability to refer to what you cannot access.
What Capability Security Got Right
Capability security eliminates a class of bugs called confused deputy problems. A confused deputy is a program that has authority to perform some action, and performs it on behalf of a caller without checking whether the caller should have that authority.
Example: A compiler has permission to write files in a temporary directory. A user asks the compiler to write output to a file. The user names the file /etc/password (a sensitive system file). The compiler, acting as a deputy for the user, overwrites the system file because it has write permission and does not check whether the user should have that permission.
In a capability system, the user would need to hand the compiler a reference (a capability) to the specific file they want written. The compiler cannot name /etc/password because it was never given a reference to it. The compiler can only write to files it has been explicitly handed.
Other correct contributions:
- Authority always narrows on delegation. When you hand a capability to someone else, you can attenuate it — give them a reduced version. For example, you can hand someone a read-only capability to a file, even though you have read-write access. Authority can only narrow, never widen.
- Composition is safe. Because capabilities are just references, they compose the same way all references do. Security policy emerges from how capabilities flow through the program, not from a separate policy layer.
- No ambient authority. A program in a capability system has no automatic authority just because of who it is. It only has the capabilities it was explicitly given. This makes security reasoning local: you can understand what a component can do by looking at what capabilities it holds.
CapTP and Promise Pipelining
CapTP is a protocol for sending capabilities across a network. When system A wants to let system B use an object, it sends a capability over CapTP. The capability is unforgeable — B cannot guess it or manufacture it. B can then use it, delegate it, or attenuate it.
Promise pipelining solves a latency problem. In a network, every round-trip takes time. If you want to send a chain of operations — "get object X, then call method Y on it, then call method Z on the result" — a naive approach waits for each step before sending the next. Promise pipelining lets you send the entire chain at once. Each step is a promise: a placeholder for a value that will exist in the future. The remote system resolves the promises and executes the chain without waiting for round-trips.
What OIP Should Take From This Work
The Object Interface Protocol (OIP) defines how objects communicate across systems. From Mark Miller's work, OIP should adopt three things:
- CapTP for capability transport between systems. When one OIP endpoint delegates authority to another, it should use a protocol like CapTP to transfer capabilities securely. The receiving system should not be able to forge or escalate capabilities.
- Promise pipelining for asynchronous operations. OIP endpoints will often need to chain operations across network boundaries. Promise pipelining lets them do this efficiently, without blocking on each round-trip.
- The principle that authority always attenuates on delegation. When an OIP endpoint hands a capability to another endpoint, it should only be able to narrow the authority — reduce what the receiver can do, never increase it. This prevents privilege escalation attacks.
How It Connects to Other Ideas
- Roy Fielding's REST: REST's statelessness means each request carries its own context. Capability security means each request carries its own authority. Both principles say: the server should not need to remember who you are or what you can do. The request should speak for itself.
- Tim Berners-Lee's Semantic Web: Linked Data uses URIs to name things. Capabilities use unforgeable references to grant access. Both are systems of decentralized naming and authority, but capabilities add security to the referencing mechanism.
Sources
- Miller, Mark S., and Jonathan S. Shapiro. "Paradigm Regained: Abstraction Mechanisms for Access Control." 2003.
- The E Programming Language: https://www.ec-lang.org
- CapTP specification and Agoric computing papers, available via the Agoric SDK documentation.
---
Up the tree
- OIP root — protocol root, zero-context entry
- Thinker Reference hub — full hierarchy map
- Thinkers shelf — siblings on this shelf
- Voxel graph article — how pages link as voxels
- Self-describing protocol
Related on this shelf
- Alan Kay — The Big Idea Is Messaging
- Alfred North Whitehead — Process and Reality
- J.L. Austin and John Searle — Speech Acts
- Barbara Liskov — Abstract Data Types and Distributed Consensus
- Bram Cohen — BitTorrent and Content-Addressed Protocol Design
- Butler Lampson — Protection and Access Control
- Carl Hewitt — The Actor Model
- Charles Sanders Peirce — Signs, Abduction, and Pragmatism
Machine surfaces
- Public page:
https://miscsubjects.com/a/thinker-mark-miller - JSON article:
https://miscsubjects.com/api/articles/thinker-mark-miller - OIP ask:
https://miscsubjects.com/api/dispatch?ask=Mark%20Miller%20%E2%80%94%20Capability%20Security%20and%20the%20E%20Language
Ask this article · 2 suggested prompts
Text the build (+14245134626) or WhatsApp — slug|question creates a question node. Paste evidence with ingest slug|q:NODE_ID|your paste.