A Secure Execution Framework for Java

antlertextureΛογισμικό & κατασκευή λογ/κού

14 Ιουλ 2012 (πριν από 4 χρόνια και 9 μήνες)

458 εμφανίσεις

A Secure Execution Framework for Java
Manfred Hauswirth Clemens Kerer Roman Kurmanowytsch
Distributed Systems Group Distributed Systems Group Distributed Systems Group
Technical University of Vienna, Technical University of Vienna, Technical University of Vienna,
Austria Austria Austria
mh@infosys.tuwien.ac.at ck@infosys.tuwien.ac.at q@infosys.tuwien.ac.at
ABSTRACT ment c onur K Securit y Protection
Unauthorized Access Java mobile c o de se curity ac
The a J v a p latform facilitates to ynamically d load and exe
c ess
cute co de from remote sources whic h c an threaten the secu
rit y and in tegrit y f o a system and the priv acy of its users
General Terms
T o ddress a these roblems p Ja v a i ncludes a securit yarc hi
tecture whic h i s based on a closed p olicy mo del Although
Securit y Managemen t
this mo del i s suien t to p s cify e arbitrary p o licies it
ily ma y b ecome cum b ersome to use and is not w elluited
for administering a consisten t ecurit s y p olicy for a complete
net w ork The Ja v a Secure Execution F ramew ork SEF Ja v a ecurit s y managemen t XMLased securit y conura
o v ercomes these wbac in tro d uces higherev el ab tion managemen t G UIs
stractions whic h nhance e the expressiv eness o f p olicy rules
it simplis the main tenance f o s ecurit y c onurations and
it pro vides additional functionalit y and to ols to mak e ad
Mobile co de denotes co de that tra v erses a net w ork and ex
ministration less errorrone In JSEF w e p rop ose a h ybrid
ecutes at a remote site The pro cess of tra v ersing can either
p olicy mo del whic h upp s o rts dditiv a e and subtractiv eper
b e e as i n the case of mobile agen ts whic hmo v e around
missions with a denialak erecedence rule to resolv e con
in a net w rokattehir o v olition or it can b e passiv e i
cts Securit y roes p can b e expressed in terms of hierar
a user do wnloads the co de to a site executes it there
c hical groups where a ubgroup s inherits the p olicy deed
b y ts i paren t All mem b e rs of a group share the same set of
Ja v a can be used as a platform for both t yp es of co de
p rmissions e a nd users can b e mem b rs e of an arbitrary n um
mobilit y and in conjunction with the In ternet op ens
ber of groups JSEF administrativ e mo del supp orts
p ossibilities for soft w are dev elopmen t soft w are deplo ymen t
deition f o a net w orkide p olicy whic h users can tailor to
and arc hitectural st yles do is it op ens
their needs but ot n break A t run time JSEF enforces
new securit y threats F or example do wnloaded co de can
deed securit y p olicy and supp orts securit y negotiation in
include a virus or b e a T ro jan horse and th us p erv ert the
case f o insuien t p ermissions A s et of graphical to ols sup
concept f o o c de mobilit yo v n I ternet in a v ery danger
p orts the user in deing securit y p olicies and conuring
ous w a y ortable viruses As an y mobile co de platform
Ja v a surs from four basic categories of p oten tial securit y
threats le akage nauthorized attempts
Categories and Subject Descriptors
obtain information b longing e to or in tended for some
one else tamp ering nauthorized c hangingncluding
D Op erating Systems Securit y and Protection Java
deletingf information r esour c e aling nautho
management c onur ation Securit y and Protec
rized use of resources or facilities suc has memory or disk
tion Access C on trols Java m obile c o de se curity and a c
space and antagonism n teractions not resulting in a
c ess K Managemen t of Computing and Informa
gain for the in truder but anno ying for the attac k ed part y
tion Systems Securit y and Protection Java manage
T o these threats Ja v a pro vides a sp ecial run

time en vironmen t that tries to protect users from erroneous
This w w supp orted n i part b y the Europ ean Com
or malicious mobile co de and tries t o e nsure the in tegrit y
mission u nder con tract IST OPELIX
securit y and priv acy of the user system It pro vides go o d
protection against leak age and tamp ering b ut resource steal
ing and an tagonism cannot b e fully prev en ted since it is hard
distinguish automatically bet w een legitimate and mali
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are cious actions
not made or distributed for profit or commercial advantage and that copies
Ja v a securit y arc hitecture ors man ylo wev el securit y
bear this notice and the full citation on the first page. To copy otherwise, to
hanisms e access p ermissions on resources and sup
republish, to post on servers or to redistribute to lists, requires prior specific
p orts the deition of arbitrary securit y
permission and/or a fee.
vides no higherev el securit y anagemen m t concepts suc h
CCS ’00, Athens, Greece.
as hierarc hical p olicies or user groups It do es s ort
Copyright 2000 ACM 1-58113-203-4/00/0011 .. 5.00
upp not
but ts constrain
as ork
with deal


the er
also that wnside The

it ks dra
and ationxible systemide ecurit s y p olicies and ors no oncepts c V erir p e rforms a set of securit yc hec ks to guaran
for deing securit y proes No notions of users and groups tee prop erties suc h as the correct class e format correct
exist and it pro vides only v ery imited l means for hierarc hi parameter t yp es and binary compatibilit y b a is
cally organized securit y conurations The lac k of suc h loaded These c ks enhance run time p erformance b cause e
higherev el concepts complicates main tenance of a onsis c otherwise they w ould ha v e to b e p erformed during run time
ten t ecurit s y p olicy for a complete net w ork and tailoring of Also they assure the in tegrit yof eth Ja v a run en
securit y r equiremen ts to the n eeds of a sp eci user and th us t ince s no malformed class an c b e loaded Ha ving passed
ma y cause misconurations or the in tro duction of securit y V erir he t class lo ader the b yteco de represen
holes tion of the and c hec ks optional signatures F urther
This pap er presen ts the a J v a ecure S Execution F ramew ork
more he t class co de source is constructed whic h consists
SEF whic h solv es these s hortcomings JSEF ronounced of the lo cation from whic h t he w as a set
Joseph pro vides a h ierarc hical securit ypcyoli sc heme whic h of certiates represen ting the signature
supp orts boht lo cal userp e ci securit y p o licies and a co de source is the k ey input for the securit y
global securit y p olicy deed b y he t administrator It sup p olicy construction for a giv en class In Ja v a the securit y
potsr the deition of user groups with assigned securit y p olicy is deed in terms of pr ote ction domains whic h ee d
p olicies whic h can b e freely structured in to a hierarc h y A what a piece of co de with a giv en co de source is allo w
user be mem ber of a set of groups with diren t se do Hence a rotection p domain con tains a co de source with
curit y proes whic h aids administrators in the deition a of asso ciated p ermissions Giv co de source of
assignmen t and main tenance of securit y p olicies for a user a class the securit y p olicy a collection of protection
or a group of users JSEF ors sev eral additional features domains is searc hed to comp ose the p rmissions e of the class
bey ond aJ v a tandard s capabilities P olicy and group e d Finally the class is b eing deed Deing a class mak
nitions are epresen r ted as ML X do cumen ts p olicies con it publicly a v ailable and adds it to the lass c loader cac he of
urations and mobile c o de can b e retriev ed from arbitrary classes whic h s i imp ortan t o t nsure e class uniqueness Ja v a
lo cations and securit y concts can be negotiated in ter considers t w o classes equal if and only if they ha v e the
activ ely run time JSEF is based on the Ja v a secu same name and w ere loaded b y t he same class loader
rit yarc hitecture and is fully compatible ith w it b e After these initial steps the c lass can b e used in the Ja v a
used ithw an yJa v a c o de a yen vironmen twhic his time en vironmen t Ho w er ev ery time the class tries o t
compatible with Ja v a for example in Ja v aased mobile access a system resource its p ermissions ha v eto be c hec k ed
agen t systems extended applet securit y features in b ycon tacting the se curity manager If the call to the secu
W wsers JSEF originally w as dev elop ed as part of the rit y m anager returns ilen s tly the requesting caller has suf
Minstrel push system pro ject t o pro vide a xible secu ien t p ermissions to access the esource r and the execution
rit y en vironmen tfro executable c hannel con t oalled con tin ues If not a securit y e is r to
pushlets and agen ts b e handled b y the caller or otherwise the JVM terminates
This pap er is organized as follo ws Section pro vides an The remaining question is h o w the securit y manager de
o v erview f o J a v a securit y mo d el This mo del is discussed cides whether access to a resource gran ted Since Ja v a
in Section a nd w e p oin t out its shortcomings whic hpor the securit y manager is mainly included for compatibilit y
vided the motiv ation nd a requiremen ts for J SEF Section reasons and delegates nearly all of its tasks to the ac c ess
then presen JSEF securit y mo del and concepts c ontr ol ler The ccess a con troller ses u a stack insp e ction al
k ey parts of SEF J mplemen i tation are highligh ted in Sec gorithm and the securit y p olicy t o decide ho w to p ro ceed
tion nda w eo v erview the m ain to ls o dev elop ed for JSEF s k nsp i ection algorithm is based on the call stac kof
whic h or easyose access conuration and manage the c urren t d ev ery c lass w as an ap
men t functionalities for users and administrators Section propriate set of p rmissions e when it w as loaded the stac k
presen ts w ork r elated to JSEF and w e ummarize s and giv e insp ection algorithm can use this information to mak eist
our conclusions i n S ection JSEF and ll a asso ciated to ols decision An inepth discussion of Ja v a stac k insp ection
are a v ailable a t h ttpwwnfosysu wienctsef algorithm is bey ond the scop e of pap er A detailed
description of Ja v a securit yarc hitecture and the stac kin
sp ection algorithm can b e found in
According to four practical tec hniques for
mobile co de exist sandb o x mo del signing e
w alling and pro farrying o co de Ja v a uses a h ybrid ap
proac hwhic h com bines sandb oxes and c o de signatur
Ja v a core classes act as a securit y shield and enforce Ja v a curren tsitcure y mo el d only upp s rts o explicit sp ec
sandb o x mo d el b ygarn ting or forbidding access to resources iation of accesses that are p e rmitted This is suien tto
based o n a securit y p olicy The r ules sp ecid in the securit y sp arbitrary securit y p olicies but ma y b e impractical
p olicy dee he t actions a iece p of co de is allo w ed to p e r ho w ev er if a user needs an adv anced securit y p olicy Instead
form dep ending on the origin of the co de and an optional of sp ecifying what is p e rmitted t i s i frequen to
signature a of v a po w erful securit ymce hanisms sp ecify what is not p e rmitted F or example a directory hi
are in place per default when launc hing the Ja v a Virtual erarc h yma y h old conuration es whic hma y only b e read
Mac hine VM While ome s basic c hec ks are p erformed au and data es whic hma y a lso b e mo did If the n um ber
tomatically the more s ophisticated concepts including of es and directories is high it ma y b e cum b ersome to ex
sandb o xmodel ha v eto beput ni to action man ually n plicitly list all es and directories hma y b e a ccessed
the ollo f wing sections w e assume that this has b een done with the according p ermissions and main tenance of this dec
When a class is loaded the follo wing steps o ccur First larations can b ecome diult It ma y b e considerably easier
Ja ll Not
necessary tly
The es
de co the

assigned Since metho
tac The
Some ts

has and aised xception ten
bro eb
for or
ev run an in nd
can It
the en set
to ed
class The
and obtained class
ta loads the
viron time
class efore
theto assign readrite p ermissions o t the whole directory tree w an ted to p rform e the access set t he appropriate p e rmis
and only forbid write access f or certain les Of course this sions restart the program and retry its execution
dep ends on the concrete requiremen but ving suc h a can be tedious timeonsuming esp ecially for
feature a t h and lea v es the d ecision to the user whic hw a yof and mobile agen ts F or example a ser u do n a a p
conuration ts b est hiser n eeds JSEF supp orts b oth plet and the a pplet w an ts to a r do es
w a ys of sp eciation b y ts i soalled additiv e and subtractiv e not p ermit access to y et Then the user w ould ha v etoad
p rmissions e just the p rmissions e and reload the applet p ossibly again
The curren t s ecurit ymodel fo Ja v a u a t w el con o v er the net w ork and restart it This pro cess has to be
uration approac h A global p o licy e holds the default rep eated for ev ery denied access un til all required p e rmis
p rmissions e f or an y user on a p s eci site and a user lo cal
sions are a v ailable since the applet fails as so on it en
p olicy e can sp ecify additional p rmissions e Since Ja v a coun ters suc h a problem The required p ermissions cannot
securit y mo d el only supp orts additiv e p olicies only t w o ex b e determined during do wnload or v eriation time b cause e
tremes for meaningful securit y conuration exist Either the securit y requiremen ts of a Ja v a on its
eac huserm ust main tain a priv ate securit y p olicy e or a dynamic run time b eha vior Additionally o n formal correct
global p olicy is sp ecid and userp eci conurations are ness pro of of the Ja v av erir exists so far
ignored With the rst s trategy users can easily in tro duce a securit y negotiation y a forbidden op
securit y h olesegardless of whether a g lobal p olicy e ex attempted JSEF in tercepts it b e the actual access and
ists since the user lo cal p olicy can extend the global p olicy starts a negotiation pro cess whic h also be used as a
in an yw a yut can ha v e a p e rsonalized conuration In blueprin t f or other emi automatic negotiation sc hemes
the s econd c ase t he administrator has total con trol o v er This supp orts managemen tof the y p o licy
securit y p olicy b ut cannot tailor it to sp eci users needs while still ensuring that the existing p olicy settings are not
JSEF o v ercomes t hese roblems p b ypro viding a hierarc hi violated T o circum v en t t hese run y negotiations
cal securit y p olicy s c heme whic h supp rts o b oth lo cal user users m a y p ermit all accesses b ut this problem also applies
sp eci securit y p olicies and a global securit y p olicy deed to the standard securit y arc hitecture It is ev en more lik ely
b y he t administrator hic w htak es precedence o v er user p oli to o ccur there since it requires more ert than with JSEF
cies A t run time a user actual p olicy is deed b y merging to adjust p ermissions correctly
the user lo cal p olicy with the global p olicy The user p ol
icy o w ev er c annot circum v en t estrictions r imp osed b ythe
administrator in global p olicy This heme attempts
One of the ain m goals of JSEF ecurit s y mo is to re
to impro v e the managemen t of s ecurit y p olicies and will b e
main ompatible c ith w he t default Ja v a securit y mo
explained in detail in Section F or example the system
As a onsequence c JSEF p olicy concepts extend the
administrator ma y dee the compan yide securit y p olicy
loading execution a nd monitoring of a lass c as describ ed in
in the global p olicy and J SEF ensures that ev ery user m i
this section Inepth descriptions of the JSEF p olicy con
plicitly follo ws it Ho w er u sers can s till ree this p olicy
cepts are giv en in and
e b y deing a m ore r estrictiv e p olicy f or their p ersonal
F or the further discussion of JSEF main con
data but cannot o v errule it
sider the follo wing example scenario a user called Charly
Moreo v er the Ja v a securit y mo d ks supp ort for user
Br own is w orking on a computer in a lo cal area net w ork
groups while JSEF supp orts the deition of hierarc hical
managed b y a system administrator He has just do wn
user groups ith w assigned securit y p olicies A user can b e
loaded a demo v ersion of a promising new Ja v a program f rom
mem ber fo evs eral groups that ha v e iren d t s ecurit ypro
wwwnfosysu wienct and w an ts to it F or
es With user groups b e ing supp orted a n dministrator a
rit y r easons the system administrator has nstalled i JSEF o n
can easily dee a set of proes in terms f o groups and as
all mac hines in the net w Based n o this scenario the fol
sign these p roes o t sers u dep nding e on t heir requiremen ts
lo wing sections presen t the concepts underlying JSEF and
Additionally these groups can be freely structured in to a
ally c ompare the b eha vior of Ja v a and JSEF
hierarc h y to simplify main tenance and tailoring of the se
curit y p licy o us p olicies the sp eci user roles can
4.1 Additive and Subtractive Policy
b e easily d eed nested and main tained F or example de
JSEF in tro duces the notions of additive and subtr active
v ma y b e assigned a c ertain p roe a subgroup for
p ermissions Additiv e p ermissions are the class of p e rmis
testers a m y inherit t hese p ermissions but b e refrained from
sions as used b y t he Ja v a ecurit s y m o del They gran tpre
mo difying he t source es
mission to access a resource Subtractiv e p ermissions are
In con trast t o a J v a JSEF supp orts the retriev al of p olicy
deed in a s imilar w a y but sp ecify h resources m
deitions from arbitrary sources It curren tly uses es
not b e accessed As with additiv e p ermissions subtractiv e
hic h hold t he necessary deitions epresen r tedinXML
p ermissions are group e d n i ubtractiv e
but can easily b e tailored o t load the p olicy deitions from
acode source with a of p ermissions The
other sources suc h databases or remote lo cations F or
collection of additiv e protection omains d dees the user
example a compan yma yw an ttok eep these deitions in a
additive se curity p olicy and the collection of subtractiv epro
database on a secure computer hic w h can only b e ccessed a
tection omains d dees hiser subtr active se curity p olicy
via a sp ecial securit y pro cedure Also mobile co de that is to
Figure sho ws the additiv e and subtractiv e p olicy dei
b e executed can b e loaded rom f a rbitrary sources
tion of the user Charly Br own Since Charly Bro wn
In the tandard s a J v a ecurit s y o m el d the requester of an
co de originating from wwwnfosysu wienct if it is signed
op eration eceiv r es a securit y exception whenev er an access
b y CK he dees an additiv e p rotection domain g ran ting
is denied b y he t user securit y p olicy This t ypically termi
all p rmissions e h co de Not withstanding his trust
nates he t execution the user has to exit the rogram p that
Charly Bro wn w an ts to e sure his p e
data rsonal that mak
suc to

set ciate asso to
domains protection

ust whic

ers elop
for Th
secu execute

lac el
sc the

securit time
securit time run the
is eration If facilit
vides pro JSEF
end dep program
oev ses

user the esource access
applets and ha ts
Thisremains u n touc hed Th us he dees a negativ e p olicy item is discussed in the next ection s
prev en ting suc h co d e f rom accessing his home directory
4.3 Global and Local Policies
xml version
As already men tioned in Section Ja v a neither supp orts
DOCTYPE localPolicy SYSTEM ocalPolicytd
ocalPolicy u serNameCharly Brown lastChanged
the concept of groups n or the enforcemen t of systemide
securit y settings T oo v ercome this dra k the p olicy con
olicyItem signedByCK
cept of JSEF distinguishes b et w een a glob al p olicy de
ermission classjavaecurityllPermission ed b y the net w ork securit y administrator and a lo c al
p olicy eed b y the user whic h boht can hold e
and subtractiv e p ermissions and p olicy exceptions A
lo cal p olicy s ettings are under full con trol of the user a nd al
olicyItem signedByCK
lo w a user to dee whatev er privileges or restrictions hehe
w an ts All xamples e presen so ha v e b een tak en from
ermission classjavaoilePermission
ermissionName nameome Charly Bro wn lo cal p settings In our example sce
ctions nameread write execute
nario ho w ev er t he net w ork is managed b y a system admin
who is in terested in enforcing a
rit y p olicyhe global p olicy The global p olicy is deed
as a hierarc hical structure of groups JSEF distinguishes
bet w een an additiv e and a subtractiv e h ierarc h y of roupsg
In an additiv e hierarc h y p e rmissions are broadened a long
Figure Charly wn additiv e subtractiv e
the inheritance tree whereas in subtractiv e hierarc hies the
p o licy eition d
restrictions increase along the inheritance hierarc h y Global
additiv e p ermissions represen t a default set of p ermissions
This example already indicates that negativ e p ermissions
mem b e rs of groups the p rmissions e required
o v errule additiv e ones A complete description of JSEF
to e a compan y applications w ork whic h can b e fur
poilcy seman tics is giv en in Section after all concepts
ther adapted b y the users This deai is comparable to the
ha v e b een presen ted
umask concept for setting default e access p ermissions in
the UNIX op erating system whic h c an also b e adapted b y
4.2 Policy Exceptions
users Global subtractiv e p rmissions e on the
Policy Exc eptions are another xtension e t o a J v a securit y
hand represen t global restrictions whic h are enforced au
arc hitecture w hic h s i applied in conjunction with the wild
tomatically and cannot b e circum v en ted b y the users
cards and v a p olicy mo del Wildcards mak e
net w orkide securit y settings P ermissions are either as
it easy to dee a p ermission to access a set of resources
signed directly to groups or inherited from a group paren t
but the a J v a p olicy mo el d lac ks a p ossibilit y to also express
group Inheriting this con text means to collect all the
an eptor tics F or example i f a p e rmission is to
p ermissions and restrictions of all paren t roups g F or
be grna ted o t ll a es in a directory xcept e or f few all p o
ple Charly ro B wn can b e mem b r e of an arbitrary n um ber
ten tially n umerous o ther es w ould ha v e b e explicitly
of suc h roups g and is gran ted all the p ermissions deed in
listed in the dditiv a e p ermissions P olicy exceptions solv e
them Figure sho ws the deition of a ubtractiv s e global
this F or example p olicy exceptions allo w C B wn to
p olicy hierarc h y and dees negativ e p for the
gran t ll a p ermissions for all resources ut b prohibit access to
A dmin Develop nd User groups
his home directory see Figure
Ha in tro d uced the notion of a g lobal subtractiv e p ol
icy he t question of whether b oth p olicy exceptions and sub
xml version
tractiv e p ermissions are necessary to ac hiev e an
DOCTYPE localPolicy SYSTEM ocalPolicytd
ocalPolicy u serNameCharly Brown lastChanged
tics can b e a nsw ered When using a global subtractiv e
p ermission to forbid an action t he user can nev er o v errule
olicyItem signedByCK
Using a global p olicy exception on the other hand
ermission classjavaecurityllPermission w ould giv e the user the p ossibilit y to gran t the excluded
p ermission lo cally Th us although the same seman tics can
be ac ed the dirence lies in the fact whether the user
olicyException signedByCK
is allo w ed to gran t the excluded p ermission lo cally o r not
ermission classjavaoilePermission
Lo cal p o licy exceptions do not dir c onsiderably from lo cal
ermissionName nameome
subtractiv e p ermissions he t main b e ne is to dee dir
ctions nameread write execute
en t qualities of excluded p e rmissions for a semiutomatic
negotiation comp onen t see S ection
4.4 Policy Semantics
T o formally describ e the seman tics of JSEF p olicy con
Figure Charly wn p olicy deition a cepts a sligh tly mo did v ersion of the A Sp e c
p o licy exception i ation L anguage SL is used ASL is a logical lan
guage to dee access con trol p olicies and supp orts the def
As Figure and Figure indicate the ame s eman s tics c an inition of users groups authorizations and the p olicy ac
be ca hiev ed with either subtractiv e p ermissions or p o licy ex cording to whic h access con trol decisions are to b e m ade In
ceptions The question w hether b oth concepts are necessary con trast to A SL original sp eciation w eha v e o n notion
uthorization using Bro
ro harly
seman exc
Ja of
other the
the for
and Bro
secu systemide istrator
far ted
wbacxml version
dercando s c o j L L L
DOCTYPE globalPolicy SYSTEM lobalPolicytd
lobalPolicy lastChanged changedBysysadmin
A do rule dees h p rmissions e of a sub ject and a
roup groupNameAdmin
co de source a re applied b y esolving r p oten tial concts The
roup groupNameDeveloper parentGroupAdmin
follo wing rule dees that a sub ject s is gran ted a p ositiv e
or egativ n e p ermission to p erform action a on ob ject
ermission classjavaoilePermission
ermissionName nameystem
o for a co de source c if tand side ev aluates to true
ctions nameread write execute delete
do s c o j L L L
roup groupNameUser parentGroupDeveloper
4.4.1 Definition of Permissions and Exceptions
In JSEF p ermissions a nd exceptions do not dep end on an y
ermission classjavaetocketPermission
ermissionName name
conditions b ut are directly assigned to sub jects as deed
ctions nameaccept connect listen resolve
b y the follo wing t w o rules
cando s c o j
ermission classjavaetocketPermission
except s c o j
ermissionName namewwwunom
ctions nameaccept connect listen resolve
F or example in Figure an additiv e p a n
exception are deed in the lo cal p olicy These deitions
can be directly ed on cando and rules b y
inserting the v alues giv en in the ure in to the ab o v e r ules
4.4.2 Derivation of Permissions
Figure Subtractiv e global p olicy for the A dmin
Deriv ation of p ermissions in JSEF is deed as follo
Develop er nd User groups
dercando s c o a cando s c o a
of roles since in JSEF authorizations cannot b e activ ated or
except s c o a
deactiv ated during run time and w e add the co de source of
dercando u c o a dercando g c o a in u g
a class as new criterion In the ollo f wing o is used for an
dercando g a dercando g o in g

ob ject a g iv en p rmission e applies to a for an action to b e
p rformed e on an ob ject c for the co de source of the execut
The st rule sp ecis the deriv ation of a p ermission f rom
ing co de nda s for a sub j ect requesting a p ermission Sub
the et s of sp ecid p ermissions and exceptions A p ermis
jects can either b e users u or groups g if a rule applies
sion can only b e eriv d ed if the p ermission is deed
to b oth users and groups s is used Hence a p ermission is
and no p olicy exception n ullis the p ermission In Figure
represen ted s a a tup e l s of a sub ject a co de source
for example the p ermission to access the home directory s i
an ob ject and an action In the f ollo wing rules all l iterals
n ullid b ya corresp onding p olicy exception The second
L p ositiv e and negativ e redicates p on t he righ tand
rule states that a user u has to b e mem ber of group g
side m ust ev aluate to true to yield the leftand side of the
deriv e a p ermission from the group the third rule
rule The in s literal used in the follo wing deitions

ys that groups in the group h ierarc h y inherit the p ermis
dees that sub ect j s is a m em b r e of s ub ject group

sions of their paren t groups Figure for example dees

that the User group is a subgroup f o the Develop er group
The mo d id c ando exc c ando and do literals are
th us i nherits all its p e rmissions
deed as follo ws ased on
A c ando rule dees the p ermissions for a s ub ject either
4.4.3 Conflict Resolution
a user or a group and a co de source follo
The ollo f wing rules describ e ho w JSEF resolv es concts in
dees that a sub ect j s has a p ositiv e or negativ e
the case of c oncting additiv e and subtractiv e p
p rmission e for a co de source c to p rform e a ction a on ob ject
or if no p ermission c an b e deriv ed
o if the igh r tand side ev aluates to rue t
cando s c o j L L L
do s a dercando s a in s

An exc rule dees the p olicy exceptions for a sub ject
do s a dercando s a

ither a user or a group and a c o d e s ource The follo w
in s dercando s a

ing rule for a sub j ect s and a co de source c dees a p ol
in s

icy exception whic h excludes a p ositiv e or negativ e
do s a dercando s o a s

p rmission e for action a on ob ject o from the p olicy if the
righ tand side ev aluates to true st rule states that denials tak e precedence If a
subtractiv e p ermission can b e deriv ed it is enforced
except s c o j L L L
means that if a subtractiv e p ermission is deed either in
A der c ando eriv ed cando rule dees w a sub ject the global or the lo cal p olicy the action is forbidden If
inherits p ermissions from another sub ect j for a giv en co de
system administrator forbids an action in he t global p olicy
source A s ub ject s inherits a p ositiv e or negativ e no user can o v erride this setting b y a lo cal p olicy en try en
p rmission e to p e rform action a on ob ject o for co e d source forcemen t of systemide restrictions The second rule sa
c if the r igh tand side ev aluates to true that an additiv e p ermission is to b e gran ted if and only if
the ho



rule wing The
der ept


except to mapp
and ermission

righ the
the additiv e p ermission and no subtractiv e p ermission can need not b e ab orted due to missing p ermissions and the au
be deriv ed This means that a user can apply a lo cally tomatic p olicy up date frees he t user from man ually adapting
deed additiv e p ermission only corresp onding sub the p olicy settings
tractiv e p ermission is deed On the other hand a system
4.6 Java vs. JSEF in a simple Scenario
administrator can globally gran t a p rmission e b y eing d it
Considering the scenario presen ted at the b eginning of
in the global p olicy Still he t user can o v errule this global
additiv e p ermission with a o l cal subtractiv eone Finally t this section the J a v a securit y o m del allo ws an application
to b e started and access all resources T o p rev en t
can o ccur that neither an additiv e nor a s ubtractiv e p ermis
sion can b e deriv ed In this case the t hird rule dees he t Charly wn can launc h the application with a securit y
default e d cision whic hdoesnot angr t the p e rmission manger installed It will ab ort the application when the st
Ha ving formally deed seman tics of JSEF p olicy access to a resource is attempted whic hw as not explicitly
deitions the b ene ha ving b oth subtractiv e p rmis e p ermitted Charly Bro wn then w ould ha v e to man ually add
sions see Section and p o licy exceptions ee Section requested p e rmission his p olicy e and restart the
b comes e clear Excluding rivileges p using p licy o exceptions application This tedious task has to b e rep eated un til all
in a g lobal p olicy deition allo ws users t o ndividually i gran t required p ermissions ha v e bene Charly Bro wn
the excluded settings a g lobally forbidden action ho w ev er p olicy deition
cannot b e o v erruled b y the user Using JSEF instead w ould enhance system securit y
an y application immediately w ould b e sub ject to securit y re
strictions Additionally JSEF w ould supp ort Charly Bro wn
4.5 Interactive Policy Negotiation
in adapting his p olicy settings us the demo application
Once a user p olicy has b een c onstructed b y merging the
m ust only b e started once and whenev er a ecurit s y violation
lo cal and global poicyl settings a class be executed
o curs c Charly Bro wn can decide ho w to ro p ceed b y clic
Since JSEF includes concepts t hat extend the standard Ja v a
a button F urthermore a systemide securit y p olicy could
securit y p olicy a sp ecialized JSEF securit y m anager is used
be enforced whic h system administrators could
to monitor a class during run time As men tioned in Sec
the most vital resources against undesired accesses
tion a ecurit s y violation in a J v a ecurit s y mo del normally
results in a n bnormal a termination of the Ja v a virtual ma
c hine If this o ccurs a user w ould ha v etoman ually adapt
hiser securit y settings and restart the a pplication This JSEF is fully implemen a nd a v ailable under the terms
has o t b e ep r eated un til all p rmissions e required b y an ap of the GNU General Public License from h ttpwwnfosys
plication h a v ebeen angr ted In JSEF an n teractiv e p olicy wienctsef where also exhaustiv e do cumen tation can
negotiation comp onen t can tak e c are of this A securit yvoi be found The implemen tation consists of the complete
lation in t he con text of JSEF is due o t one of three reasons JSEF run time en vironmen t and a set of to
access to a resource w as forbidden b y a global p olicy describ ed n i Section to op te
setting forbidden b ya lo cal policy setting or not nance of JSEF ncluding a con e help facilit y
forbidden neither gran ted b y a global nor b y a lo cal
5.1 JSEF – Java Integration
setting efault decision In the st case a user cannot
o v errule the ecurit s y decision since ystemide s subtractiv e In Ja v a default securit y arc hitecture ev ery
settings cannot b e inenced b y he t user o h w ev er access access a system esource r results in a c all to a c hec k m etho d
to a r esource i s f orbidden lo cally or m erely the appropriate of the ecurit s y manager whic hrela ys the ecision d to the ac
additiv e p ermission is not presen t n i the p olicy settings p ol con troller ee ection S Since JSEF extends the Ja v a
icy negotiation s i s tarted The user can dynamically p u ate d securit y mo del the pro cess of handling access requests ad h
the p olicy settings for example gran t missing p ermissions to b e extended as sho wn in Figure a d etailed description
or adapt the p olicy exceptions to mak e he t execution of a is en in
lo cally forbidden action p ossible A c hange in the p olicy Whenev er a c k etho m d o f JSEF securit y manager s i
means hat t ccording a c hanges m ust b e applied to all classes in v ok ed b yan yof the Ja v a core classes it asks Ja v a a
on the call tac s k hicw hcurren tly do n ot allo w the requested con troller to c hec k t he appropriate p ermission If the access
action F urthermore the user can decide whether the p olicy con troller ds a class on the stac k whic h is not gran ted
adaption shall apply nly o nce o during the un r of appropriate p ermission an con trol exception
application or shall b e p ermanen tly added to the ser u p ol raised to the JSEF securit y m anager whic h in turn starts the
icy settings In terms of the language seman tics presen ted in teractiv e p olicy negotiation see ection S if the denial is
in Section t w o situations ha v e be distinguished If not caused b y a global subtractiv e p ermission whic h c
the u ser adds a missing p ermission the appropriate cando be o v erruled
rule for an additiv e a ction is added to the user p olicy If a k ey issue in JSEF securit y mo del implemen tation
lo cally forbidden ction a is allo w ed the cando ule r with the is ho w t he access on c troller applies JSEF enhanced p o licy
corresp onding subtractiv e a ction has t o b e emo r v ed orn tics the stac k e algorithm As depicted
case ildcards w are u sed n i he t subtractiv e p ermission new in Figure the access con troller queries the protection do
except rule as h to b e added mains of all classes on the call stac k w hether they gran t the
Although t he curren t i mplemen tation of JSEF questions requested access means that the p ermission collec
the u ser h o wton proeedc y other decision making pro cess tion stored in the protection domain of the class is c hec k ed
could b e used i nstead e automatically den y all requests
whether it implies the requested p e rmission In the case of
to em ulate v a default beha vior case of missing JSEF this is a sp ecialized JSEFPermissionCollection ob
p rmissions e ject that kno ws ho w to with JSEF p olicy concepts
The adv an tages of this concept that an application This p e rmission ollection c ob ject is asso ciated with the pro
the in Ja

ction insp in seman
annot to
is access the the time
to attempt
sensitiv text
main and eration ort supp
as ols graphical

protect in
to added
to the
user this

no ifJSEFSecurityManager AccessController Object on Stack ProtectionDomain JSEFPolicy
*[for all objects
on the Stack]
[implies() = false]
[denied by
global policy]
*[for all acesses denied by local policy]
[user denies]
Figure Pro cessing of an access request in JSEF ML sequence diagram
tection d omain o f t he class w hen t he class is b eing deed Since in the pro cess of p olicy negotiation the curren t p ol
b y a sp ecial JSEF class loader Figure ws the ex icy is only w ened but nev er made more restrictiv e
tended implies metho d of t he JSEFPermissionCollection problem applies only to additiv e p ermissions and p o licy ex
class Its t ask is t o d ecide whether a requested p ermission ceptions as discussed in the description of the seman tics of
is included in of p e rmissions stored in protec the p olicy negotiation pro cess ab o v e
tion domain based policy seman tics in tro duced in
5.2 JSEF Tools
JSEF ors three graphical to ols to manage securit ypoil
public boolean impliesermission p
cies and its conuration and op eration t he Policy T o ol the
if p is globally forbidden
Se cur e Applic ation L auncher and the Conur ation T o ol
is NOT c ontained in a global subtractive exception
return false globally forbidden
All to ols include a con textensitiv e help facilit y based on

Ja v aHelp
if p is locally forbidden
Policy T o ol sho wn in Figure an c manage all p ol
is NOT c ontained in a local subtractive exception
return false locally forbidden
icy r elated ettings s suc h as the deition of group p olicies

lo cal and global p olicy settings and ic n knames ic
if p is globally allowed
w the user to assign simple string names to Distinguished
is NOT c ontained in global additive exception
return true globally allowed
Names whic h are used to iden tify certiates but are hard

to b r e
if p is locally allowed
is NOT c ontained in local additive exception
return true locally allowed

neither f orbidden nor allowed means not allowed
return false

Figure The extended implies metho d of the
JSEFPermissionCollection class
Ev ery JSEFPermissionCollection ob jects stores a et s of
global additiv e global subtractiv e lo cal additiv e and lo cal
subtractiv e p ermissions Th us he t implies metho d as h to
c hec keca h of t hese our f sets to determine whether a giv en
p rmission e is implied according to the p olicy rules in Sec
One m a j or constrain t concerns the n i teractiv e p olicy ne
gotiation v a stac k insp ection algorithm has a sp ecial Figure JSEF P olicy T ool
feature c alled privile ge dmo This mo de allo ws classes on
the stac k to execute according to their p ermissions with It vides comfortable w a ys to edit the p olicy settings
out b eing restricted b y ess l privileged classes see for a con text men us and supp ort for cop y and paste of p olicy sub
detailed description Since J SEF cannot ure out whic h trees and t he con tained settings Figure sho ws an example
classes o n the stac k r un in privileged mo de he necessary in view of a global subtractiv e p olicy onuration c including
formation is priv ate to het AccessController class and can the hierarc h y o f groups the p ermissions and the de
not b e ccessed a without mo diations of the J VM missing ed p olicy exceptions
privileges re a added to all lasses c on the stac k nstead i of only Se cur e Applic ation L auncher AL sho wn in Fig
those alled c b y a privileged class Th us p ermissions are p o ure is the main fron tnd of JSEF and allo ws to
ten tially g ran ted t o ore m classes than absolutely necessary execute classes inside the JSEF en vironmen t
user the


the on
its set the
this eak shoin terms of new securit y features and capabilities F or ex
ample describ es n a approac h w hic h ses u protected do
mains soalled ygrounds to protect mac hines and re
sources from mobile co de Apla yground is a dedicated ma
c hine on whic h the mobile co de is executed with its input
and output eirected r o t t he user mac hine This creates
the illusion hat t the mobile co de is executed on the user
computer w hile it is actually run on the pla yground mac hine
whic hisph ysically separated from the user mac hine and
us the mobile co de has n o access o t t he user resources
The Jernel g o es ev en further b y r
Ja v a securit y arc hitecture with a c apabilit yased sys
tem that supp orts m ultiple co op rating e protection domains
inside a ingle s Ja v a virtual mac hine While Ja v a protection
domains are closer to the notion o f a user Jernel dees
them more lik e pro esses c whic h considerably c hanges the
Figure JSEF Secure Application Launc her
securit yseman tics Via protection domains Jernel sepa
rates ob j ects in to lo cal ones and capabilit y ob jects whic h are
shared among domains It vides capabilit yased com
SAL do e s not require t he class whic h i s t o b e started to
m unication c hannels and supp orts r ev o ation c of capabilities
full requiremen ts suc has ha ving a main metho d
securit y mo del for aglets uses concepts closely
Instead it utilizes Ja v a Rection API examines the giv en
related JSEF but targets the sp needs of mobile
class and allo ws the user o t c ho ose an y of i ts static metho ds
agen ts Aglets mobile agen ts whic h execute in a cer
public constructors r o a com bination of these as a tart
tain con text on an y a glet w are host they visit The aglet
metho d Lik e P olicy T o ol SAL ors an easyose
securit y mo del dees he t concept of principals to separate
GUI Since b oth constructors and metho ds t re
securit y equiremen r o wner the man ufacturer
quire p arameters SAL allo ws the ser u to s p ecify v alues for
and the con text master of an aglet principals dee
those p arameters SAL n i tegrated task manager pro vides
la y ers of securit y n i whic h securit y settings can b e reed
a eedbac f k f o all the tasks that c urren tly use JSEF
but not o v erruled If an aglet matc hes sev eral p olicy dei
The Conur ation T o ol sho wn in Figure pro vides a G UI
tions a onsensus v oting r ule com bines t he p olicy settings
whic halol ws the u ser to conure JSEF itself
Since aglets are mobile agen ts the rivileges p whic h dee ac
cess to lo cal resources are augmen ted ith w privileges deing
in terglet beah vior and allo w ances Allo w ances are privi
leges ncapsulating e system resources s uc h as memory usage
and CPU time whose implemen tation and enforcemen t re
quire ncompatible mo d iations to he t Ja v a ma
c Similar to JSEF users ma y be group ed in named
groups and share a set of p rmissions e P olicy
ma ybecom bined with simple b o olean op erators whic hsup
p orts comp osite rivileges p and negation of privileges F ur
thermore blac kists exist to isallo d w suspicious aglets and
con texts JSEF subtractiv e p ermissions and p licy o excep
tions be expressed in the aglet mo del b y use of
boolean op erators The diren t principals imp osing p ol
icy estrictions r on an aglet relate t o o l al c and global p olicies
Figure JSEF Conuration T ool
in JSEF While the aglet securit y m o el d extends the Ja v a se
curit y mo el d to pro vide in terglet p e rmissions JSEF only
The m ost mp i ortan t setting is the o r t o onuration c whic h
builds on the p ermissions deed b yJa v a In con trast
dees where the global p olicy and the user deitions can
aglet mo JSEF facilitates to structure
b e found This conuration m ust b e s ecured sp ecially to
hierarc hically whic h supp orts simpler and less errorrone
ensure that it can only b e c hanged b y an administrator administration of s ecurit y p roes
user ata d iew v pro vides the user managemen t fron tnd of
An in teresting conceptual approac h to xtend e Ja v a se
JSEF sers U can b e added or remo v ed and their privileges curit y f eatures and simplify deition of securit y is
and he t lo cation of their lo cal p olicy deitions can b e de
presen edit n This approac h uggests s a constrain tlan
ed The privileges a user include whether the user
guage whic halol ws the user to sp ecify securit y constrain
is allo w c hange the v arious conuration settings and
whic h are a om c bination of sub jectased ob jectased and
whether t he user ma y lter a the o l cal or global p licy o settings
historyased p olicy statemen ts Historyased constrain
Additional conuration views are a v ailable t o dee lo w
are a p o w erful concept and supp ort the deition of p o licy
lev el system conurations uc s h a s the XML p arser used
rules o v er time F or example it ouldc b e sp ecid that an
applet can only mak e write accesses to a e Additionally
rules can sp ecify conditional constrain ts suc h asifapieec
of mobile co de wishes to access a protected e it no longer
Ja v a securit y mo del is w ello cumen ted and
can mak ea net w ork connection Constrain ts can b e com
man y pproac a hes exist to extend or replace this basic mo del

to ed

groups user del the
the can

the of ts the
migh the
eci to
ecial sp
stan the eplacing
plabined with simple ogical l op erators and can dee b oth ad sp eciation of forbidden accesses ubtractiv e p olicy and
ditiv e a nd subtractiv e p ermissions imilar to JSEF P olicy p olicy exceptions JSEF hierarc hical groups pro vide a con
exceptions are not an explicit concept but can be deed to aggregate users to groups structure these
implicitly No grouping mec hanisms and hierarc hies exist groups in to a h h y and assign ecurit s y proes to them
whic h mak es it diult to assign la y ered securit y proes The concept of global and lo cal p olicies in JSEF enables the
to users The deition of constrain ts is cum b ersome since of net w orkide securit y p olicies that dee a se
an Sxpression t yp e anguage l is used and no graphical to ol curit y corset for users while still wing them to freely
psuptior sa v ailable This approac h has b een applied to and adjust their conurations inside these mandatory ecurit s y
tested only with JDK Ho w ev er w e lan p t o further in standards Th us users can tailor their lo cal p olicy o t w
v estigate the ddition a f o a constrain t l anguage as suggested
their needs but cannot b reak the systemide p olicy
in to JSEF to further xtend e it In the standard Ja v a s ecurit ymolde a forbidden access
In con trast these approac hes JSEF do es not tro t ypically terminates the execution whereas JSEF ors the
duce incompatible Ja v a securit y features Instead it uses p ossibilit y to n egotiate securit yatrun in
the e xisting a J v a securit yacr hitecture b ut enhances its us forbidden accesses and the user r a sp ecial securit y con trol
abilit yn tro duces higherev el abstractions and hierarc hical comp onen t can negotiate with the relev an tJa v acode batou
p olicies and ors new w a ys of conuration as describ ed i n the requested p ermissions This can a v oid tedious trialnd
the previous ections s It simplis the deition and main te error cycles to d o ut ab out the actual p ermissions required
nance o f ecurit s y p olicies at the s ystem and at the user lev els b y a piece of mobile co de
Suc h impliation s facilitates to prev t the in tro duction of JSEF all asso ciated to full do cumen tation are
securit y holes and th us impro v a system o v erall secu a v ailable under the of the GNU General Public Li
rit yc haracteristics None f o he t ab o v e approac hes supp orts cense from h ttpwwnfosysu wienctsef
n teractiv e time securit y negotiation a nd ors simple
w a ys to dee systemide r ev en net w orkide securit y
p olicies as JSEF lso A t o ol s upp rt o for securit y tenance
E Bertino S Ja jo dia and P amarati S Supp orting
is v ery l imited or do es not exist at ll a
m ultiple access con trol p olicies in database systems In
The i dea f o o v erruling authorizations is also presen i n
Pr o c e e dings of the IEEE Symp on R ese ar
where a m ultip licy o access on c trol system for databases
Se curity and Privacy Oakland Califorinia pages
is discussed Users and g roups c an b e assigned p ositiv e and

Ma y h ttpssem udu
negativ e authorizations whic h c an either b e strong or w eak
publicationsklnd samaratis
Authorizations can be o v erridden b y more sp eci autho
G Coulouris J Dollimore and T Kindb erg
rizations ccording to their p osition the group mem
Distribute d systems c onc epts and esign d hapter
b rship e graph In JSEF a user nherits i all ev en conct
pages In ternational Computer Science Series
ing p ermissions and concts are resolv afterw In
Addison esley Reading Mass and London d
strong uthorizations a alw a ys o v errule w eak ones and the
edition edition
set of s trong authorizations m ust b e c onsisten t i no con
S F ritzinger and M Mueller Ja v a securit y Sun
ct among strong authorizations ma y exist Conct reso
Microsystems ncorp I orated W hite P ap er
lution rules only apply to concts among w eak authoriza
h ttpa v aunomecurit yhitepap erxt
tions The m ain dirence to JSEF p licy o mo del is that in
JSEF global p ermissions are not necessarily stronger than L Gong Secure Ja v a C lassloading IEEE Internet
lo cal ones e a subtractiv e p e rmission is allo w ed Computing No v em b recem e b er
to o v errule a global additiv e one while a global subtractiv e
L Gong M Mueller H P rafullc handra and
p rmission e can nev er b e o v erruled b y a lo cal additiv e one
R Sc hemers Going b y e ond t he sandb o x an o v erview
The trength s f o a p ermission in JSEF is th us dep nden e ton
of the new securit y features i n t he Ja v a Dev elopmen t
b oth the cop s e lobal or lo cal and the t yp e dditiv eor
Kit In o c e e dings of the U SENIX Symp osium on
subtractiv e of the p ermission
Internet T e chnolo gies and S ystems Monter ey
California De c emb er U SENIX Asso ciation

L Gong and R Sc hemers Implemen ting protection
The J a v a Secure xecution E F ramew ork SEF resen p ted
domains in the Ja v a Dev elopmen t Kit In
in this pap er is built on top of Ja v a standard securit yarc hi
Pr o c e e dings of the Internet o S ciety Symp on
tecture and extends it with p o w erful features n i a compatible
Network and Distribute d ystems S Se curity San Die go
w a y It uses a h ybrid p olicy mo del whic h s upp orts additiv e
and subtractiv e p rmissions e with a denialak erecedence
S Gritzalis and D Spinellis ddressing A threats and
rule to resolv e concts JSEF p olicy seman tics is formally
securit y issues n i w orld wide w eb tec hnology In
deed in an ASLased notation It pro vides a securit y
Pr o c e e dings of CMS d I
framew ork w hic h simplis the main tenance of securit ypor
International J oint Working Confer enc eon
es and pro vides graphical to ol supp ort or f securit y admin
Communic ations and Multime dia Se curity A thens
istration Better main tenance supp ort ma y impro v eo v erall
Gr e e c e pages Septem b er
system securit y since it helps to prev en tsolpp y conura
M Hauswirth Internetc ale Push ystems S for
tions r o t he in tro uction d of securit y holes b y e rroneous con
Information Distribution r chite ctur e Comp onents
and Communic ation PhD thesis D istributed Systems
While in standard v a only p ermitted accesses can be
Group T ec hnical Univ y of ienna V Octob er
deed whic h can blo w p u onurations c and mak es
cum b e rsome to main tain JSEF additionally supp orts M Hauswirth and M Jaza y eri A omp C onen tadn

cal lo
ards ed

in ch osium
terms es
and ols en

tercepts JSEF time
in to

freely in ceptComm unication o M del for Push Systems In In Pr o c e e dings of the IEEE Symp osium on Se
Pr o c e e dings of the ESECSE J oint h and Privacy L os A lamitos California a y
Eur op e an Softwar e ngine E ering Confer enc e SEC
G w and E F Ja v a securit y and t yp e
and h A CM SIGSOFT International Symp osium on
safet y Byte Jan uary
the F oundations of Softwar e E ngine ering SE
G w and E W F elten Java se curity hostile
T oulouse F r anc e Septemb er ages p
applets h oles and ntidotes a John Wiley New Y ork
Septem b e r h ttpwwnfosysu wienct

Stap o ohap ersushIssues
G w and E W F elten curing Java getting
M Hauswirth C Kerer and R Kurmano wytsc h
to b w m c o de John Wiley we
Minstr el Client Se curity F r amework h ttp
Y ork
wwwnfosysu wiencti n strelecei v erSF
N V Meh ta and K R Sollins Expanding and
C Ha wblitzel CC C hang G Cza jk o wski D Hu
Extending the Securit yF eatures of Ja v a In
and T v on Eic k en Implemen ting m ultiple protection
Pr o c e e dings of the h SENIX U Se curity Symp
domains i n Ja v a In Pr o c e e dings of the USENIX
San A ntonio T exas anuary J USENIX
A nnual T e chnic al Confer enc e New rle O ans
Asso ciation
L ouisiana June USENIX Asso ciation
A Rubin and D E Geer obile M Co de Securit y
S Ja jo dia P amarati S and V S Subrahmanian A
IEEE Internet Computing
Logical anguage L f or Expressing Authorizations In
No v b erecem ber
Pr o c e e dings of the IEEE Symp osium on Se curity
Sun Microsystems Incorp orated Se cur ec omputing
and Privacy May Oakland CA
with Java now nd a the f utur e Septem b er
G Karjoth D B Lange and M O shima A Securit y
White P ap er h ttp
Mo del or f Aglets IEEE Internet Computing
ja v aunomark etingollateralecurit y tml
F Y ellin Lo wlev el yin aJ v a In Pr o c e e dings of
h ttpomputerrgn ternetcabs tm
the F ourth International World ide W Web
C Kerer A exible and extensible s ecurit y framew ork
Confer enc e Boston Massachusetts USA De c emb er
for J a v a o c de Master thesis Distributed Systems
olume of World ide W Web Journal
Group T ec hnical Univ ersit y of Vienna Austria
Oeilly Asso ciates Incorp orated No v em b er
Octob er
h ttpwworgubonferencesWW
D Malkhi M K Reiter and A D Rubin Secure
P ap ersh tml
Execution of Ja v a pplets A using a Remote
Pla yground



obile ith usiness down
Se McGra
elten McGra