This is a demo of how to make a simple capability-secure language, with some tiny example applications. It's derived from Jonathan Rees's "A Security Kernel Based on the Lambda-Calculus".

The Scheme 48 system includes a more complete and practical development of those ideas. You may still find Consp worth studying because Scheme 48 has much more code to dig through and its documentation doesn't emphasize the security properties as much.

Read the manual, browse the source, or download the latest version. It should run on any R4RS or R5RS Scheme system.


The security model of familiar operating systems like Unix and Windows wasn't brought down from Mount Sinai; I believe capability security is a much better way to live, both safer and easier to program, and through that combination raising the potential to build systems supporting more ambitious patterns of cooperation. Consp is the smallest implementation of a capability-secure language I'm aware of (that's implemented in a language without that property, that is). It can be this small because standard Scheme *almost* has the capability nature already; R5RS is even closer, I think, but I preferred to stick with R4RS. So this is a playground for learning about capabilities, their applications, and how languages can support them.

It's still a toy because I've done nothing for error handling and debugging -- any errors will drop you back into your underlying Scheme system. It's also slow and nonconcurrent. If you incorporate external libraries, you'll probably have to tame them first -- to present their powers as delimited capabilities. See the E language for an example of taming the Java libraries.

License & contact

Copyright © 2004 Darius Bacon under the terms of the MIT X license.

Home   |   © 1994-2004 by Darius Bacon