When several programs ("processes" or "applets") want to communicate
but do not trust each other fully, they must use some basic protection
mechanism. Traditionally this has been virtual memory hardware and
memory protection, but now with the popularity of Java there is widespread
interest in using programming-language type checking as the protection
mechanism.
Having a protection mechanism does not by itself guarantee a secure system: you
can always take a Pentium with virtual memory hardware and run DOS on it.
What, then, is needed for a secure system?
This is (very much) work in progress, but we believe that the problem
should be addressed on several levels.

- Type safety
  - Design of programming-language type systems
  - Proofs of type-system soundness
  - Validation of type-checking implementations
  - Achieving type safety without compromising efficiency
- Modular programming
  - Separating interfaces from implementations in programs
  - Layering of libraries and module groups
  - Thinning of interfaces at security boundaries
  - Achieving modularity without compromising efficiency
- Security policies
  - Design of security policies
  - Criteria for evaluating policies
  - Implementation of security policies
Currently, we have analyzed several security architectures in the context of
the Java environment, and we are also investigating more closely the stack
inspection security mechanisms used in many current Java virtual machines.
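The stack inspection mechanism mentioned above can be captured in a small model. The following is an added example written for this page, not code from the authors or from any Java virtual machine: it is a simplified Python model of the walk a JVM-style permission check performs over the call stack (each frame owned by a principal, trusted frames able to enable a privilege in the manner of Java's `doPrivileged`). The principals `system` and `applet`, the permission strings and the policy table are all constructed for illustration.

```python
"""Simplified model of JVM-style stack inspection (added example, not JVM code).

Each stack frame records the principal (code source) that owns the running
code and the set of privileges that frame has explicitly enabled.  A
permission check walks the stack from the most recent frame outward:
  - if a frame's principal is not granted the permission, the check fails
    (untrusted code is somewhere on the stack);
  - if a frame has enabled that privilege, the walk stops and the check
    passes (trusted code has taken responsibility for the callers below it);
  - if the walk reaches the bottom of the stack, the check passes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    principal: str
    enabled: frozenset = frozenset()  # privileges enabled by this frame


# Constructed policy: which permissions each principal is granted.
POLICY = {
    "system": {"read:/etc/passwd", "write:/tmp", "net:connect"},
    "applet": {"net:connect"},
}


def check_permission(stack, permission):
    """Return True if `permission` is granted for the given call stack.

    `stack` lists frames from the bottom (oldest caller) to the top
    (most recent callee), so the walk iterates over it in reverse.
    """
    for frame in reversed(stack):
        if permission not in POLICY.get(frame.principal, set()):
            return False  # an untrusted frame is on the stack: deny
        if permission in frame.enabled:
            return True  # a trusted frame enabled the privilege: stop here
    return True  # every frame on the stack is trusted for this permission


def scenarios():
    """Evaluate the check over several constructed call stacks."""
    read = "read:/etc/passwd"
    system_only = [Frame("system"), Frame("system")]
    applet_in_middle = [Frame("system"), Frame("applet"), Frame("system")]
    privileged_top = [Frame("system"), Frame("applet"),
                      Frame("system", frozenset({read}))]
    applet_above_privileged = [Frame("system"),
                               Frame("system", frozenset({read})),
                               Frame("applet")]
    return {
        # only trusted code on the stack: granted
        "system_only": check_permission(system_only, read),
        # an applet frame is on the stack and nothing is enabled: denied
        "applet_in_middle": check_permission(applet_in_middle, read),
        # trusted code on top enabled the privilege on behalf of its callers
        "privileged_top": check_permission(privileged_top, read),
        # enabling one privilege does not cover a different permission
        "privileged_wrong_perm": check_permission(privileged_top, "write:/tmp"),
        # the applet itself holds net:connect, so no enablement is needed
        "applet_net": check_permission(applet_in_middle, "net:connect"),
        # enablement does not extend to untrusted code called afterwards
        "applet_above_privileged": check_permission(applet_above_privileged, read),
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The last two scenarios are the ones worth studying: a trusted frame that enables a privilege answers for the frames below it, not for untrusted code it goes on to call, and an enabled privilege covers only the permission that was enabled. Both are exactly the properties a soundness argument for the mechanism has to establish.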