13 repositorios
Access control systems that grant permissions via the possession of specific delegatable authorization objects.
Distinct from Attribute-based Access Controls: Distinct from RBAC or ABAC; uses a resource-oriented approach where the object itself is the key to the function.
Explore 13 awesome GitHub repositories matching security & cryptography · Capability-Based Access Controls. Refine with filters or upvote what's useful.
Sui is a blockchain platform featuring an object-centric state model and resource-oriented smart contracts. It utilizes parallel transaction execution to increase network throughput and supports programmable transaction blocks that bundle multiple operations into single atomic units. The platform distinguishes itself with a capability-based access control system and zero-knowledge login mechanisms, enabling users to authenticate via identity providers without seed phrases. It also implements deterministic object addressing to allow predictable state lookups and supports the creation of soulbo
Gates privileged functions by requiring the possession of delegatable authorization objects instead of address allowlists.
Mbed TLS is an open-source TLS and DTLS library with a small footprint, designed for embedded systems and IoT devices. It provides a portable cryptographic library that includes symmetric ciphers, hashing, and public-key cryptography, along with a reference implementation of the PSA Cryptography API for standardized cryptographic operations across platforms. The library also offers X.509 certificate management for parsing, validating, and managing certificate chains in secure communications. The library is built around a platform abstraction layer that decouples it from OS-specific services t
Returns no capabilities when a page does not exist, which is not a meaningful feature of this library.
Spin is a WebAssembly serverless framework and development toolchain for building and running portable microservices. It functions as an event-driven orchestrator and runtime that executes WebAssembly components, allowing developers to map HTTP requests, Redis messages, and cron schedules to specific modules. The project distinguishes itself by implementing a Wasm-based AI inference gateway, enabling components to perform model inference and generate text embeddings. It utilizes the WebAssembly Component Model and WASI for language-agnostic composition and portable host interfacing, while emp
Implements a capability-based security system to delegate a subset of permissions to dependent modules.
Tock is a secure embedded operating system and microcontroller kernel designed to isolate untrusted applications and drivers. It functions as a memory-safe process isolator that uses a combination of hardware memory protection and language-level type safety to execute mutually distrustful applications on bare metal. The system distinguishes itself through a hardware abstraction layer that decouples high-level components from specific microcontroller implementations using standardized traits. It further employs a virtualization layer to allow multiple independent software components to share a
Employs a security model that requires specific delegatable authorization objects to permit the execution of sensitive kernel functions.
CanCan es una librería de autorización para aplicaciones Ruby on Rails que proporciona un framework declarativo para definir permisos de usuario. Funciona como un sistema de control de acceso basado en roles que desacopla la lógica de seguridad de los controladores centralizando todas las definiciones de habilidades en una única ubicación. La librería se distingue por traducir reglas de permiso en filtros basados en bases de datos. Esto permite al sistema recuperar solo los registros específicos que un usuario tiene permitido ver basados en condiciones de atributos y alcances definidos, en lugar de verificar permisos después de que los datos han sido cargados. El framework cubre la aplicación de la autorización mediante la carga automatizada de recursos y verificaciones de permisos obligatorias. Incluye mecanismos para gestionar la precedencia de permisos, resolver proveedores de habilidades personalizados y manejar excepciones de acceso denegado globalmente para disparar redirecciones o mensajes de error.
Verifies if a user possesses the required permissions to perform specific actions on resource instances or classes.
Timber is a PHP library that integrates the Twig template engine into WordPress themes, providing an object-oriented framework for theme development. It wraps WordPress data — posts, terms, users, menus, and comments — in structured PHP classes, allowing developers to work with objects instead of raw arrays while keeping HTML markup separate from PHP logic through Twig templates. The library distinguishes itself by offering a complete set of tools for modern WordPress theme building. It includes a file-based template hierarchy with fallback chains, dynamic image manipulation with resizing, cr
Tests whether a user has a specific WordPress capability and returns a boolean result.
seL4 is a formally verified microkernel whose C implementation is backed by machine-checked mathematical proofs of correctness, confidentiality, integrity, and availability. It enforces strict isolation between processes through hardware-enforced address space separation and a capability-based access control system, where each process holds explicit rights only to the resources it has been granted. The kernel exposes hardware resources through a minimal API of system calls that manage threads, address spaces, and inter-process communication, with synchronous IPC supporting sender-identifying b
Enforces fine-grained resource access through capabilities where each process holds explicit rights.
Lunatic es un runtime de WebAssembly y gestor de procesos concurrentes que implementa un modelo inspirado en Erlang de concurrencia ligera y tolerancia a fallos. Funciona como un sistema de actores distribuido donde procesos aislados se comunican mediante el paso de mensajes a través de una red de nodos vinculados. El sistema utiliza un entorno sandbox de WebAssembly para aislar la memoria y restringir los permisos de llamadas al sistema para cada proceso individual. Este modelo de seguridad basado en capacidades asegura que los procesos estén aislados para ejecutar código no confiable de forma segura. La plataforma proporciona un árbol de supervisión tolerante a fallos para el monitoreo jerárquico y reinicios automáticos de procesos que fallan. Gestiona cargas de trabajo de alta concurrencia utilizando un programador (scheduler) preventivo de robo de trabajo para ejecutar miles de hilos ligeros (green threads). El runtime admite la coordinación de sistemas distribuidos mediante la agrupación de nodos en diferentes máquinas físicas y maneja el tráfico de red para protocolos como TCP y WebSockets.
Implements a security model that grants permissions via delegatable authorization objects to safely execute untrusted code.
Ockam es un framework de redes de confianza cero diseñado para asegurar el tránsito de datos entre aplicaciones distribuidas utilizando una superposición de red basada en identidad. Proporciona las primitivas necesarias para establecer conexiones autenticadas mutuamente y cifradas de extremo a extremo, eliminando la dependencia de la seguridad tradicional de la capa de red. El proyecto se distingue por su uso de control de acceso basado en atributos y credenciales verificables para gestionar la confianza a escala. Implementa la rotación de identidad criptográfica para mantener la continuidad de la identidad y se integra con sistemas de gestión de claves respaldados por hardware para asegurar claves privadas dentro de enclaves o servicios de gestión de claves en la nube. La plataforma cubre una amplia gama de capacidades, incluyendo enrutamiento binario de múltiples saltos y puente de red basado en relés para conectar redes dispares. Puede envolver tráfico TCP o Kafka heredado en túneles seguros, permitiendo que los servicios privados se comuniquen sin exponer puertos de escucha. Además, emplea un modelo de actor con estado para procesar mensajes de forma asíncrona a través de nodos distribuidos. El despliegue es compatible a través de plantillas de infraestructura como código para el aprovisionamiento de nodos seguros y pasarelas en entornos de nube.
Groups workers together to provide specific capabilities and applies attribute-based access control to restrict usage.
react-native-permissions is a cross-platform permissions library that provides a unified interface for requesting and checking system permissions across iOS, Android, and Windows. It functions as a permission status manager and device capability auditor to determine if access to sensitive data or hardware is granted, denied, or blocked. The project includes a media access controller to handle limited access to photos and contacts through system-native pickers. It also features a system settings integrator that directs users to device settings pages to manually toggle application and notificat
Allows applications to check and request whether the user is sharing their precise location or a coarse approximation.
react-native-permissions is a cross-platform mobile permissions library that provides a unified API for checking and requesting hardware and software permissions on iOS, Android, and Windows. It serves as a device permission manager to verify permission status and prompt users for access to device features across different operating systems. The library includes a system settings navigator to direct users to application-specific device settings for modifying blocked or limited permissions. It provides a single interface for managing platform-specific permission requests and notification autho
Verifies if a user has granted precise location access versus a coarse approximation.
Capnweb is a distributed object communication library and Cap'n Proto RPC framework. It enables type-safe remote procedure calls between clients and servers using shared schemas and generated stubs to invoke methods on remote objects as if they were local. The project utilizes an object-capability security model to govern access to remote resources through unforgeable tokens. It provides a bidirectional network layer that multiplexes asynchronous calls and data streams over persistent WebSocket connections and includes a remote resource lifecycle manager that uses reference counting to automa
Governs access to remote resources using unforgeable tokens and object-capability-based authorization.
KernelSU-Next is a kernel-level framework designed to provide administrative privileges and granular access control on the Android operating system. By integrating directly into the kernel during the build process, the project enables superuser management and system-wide modifications through kernel-level patching and system call interception. The framework distinguishes itself by utilizing non-persistent file system overlays, which allow for system partition modifications and module injection without altering underlying read-only storage blocks. This approach facilitates dynamic functionalit
Enforces granular security policies by validating application requests against defined permission profiles.