We propose embedding executable code fragments in cryptographically protected capabilities to enable flexible discretionary access control in cloud-like computing infrastructures. We are developing this as part of a sports analytics application that runs on a federation of public and enterprise clouds. The capability mechanism is implemented completely in user space. Using a novel combination of X.509 certificates and Javscript code, the capabilities support restricted delegation, confinement, revocation, and rights amplification for secure abstraction.
@article{arxiv.1210.5443,
title = {Secure Abstraction with Code Capabilities},
author = {Robbert van Renesse and Håvard Johansen and Nihar Naigaonkar and Dag Johansen},
journal= {arXiv preprint arXiv:1210.5443},
year = {2012}
}