...calls
In Unix, a system call crosses domains between a user process and the kernel. In Java, a method call from an applet class into a system class also crosses domains, because system classes have additional privileges.
...programs
We omitted internationalization examples and JDK 1.1 applets.
...see
GUI event manipulation may seem harmless, but an attacker able to observe GUI events could read passwords or other sensitive information as they are typed, and an attacker able to generate GUI events could synthesize keystrokes that execute dangerous commands.
...principal
Principal and target, as used in this paper, correspond to subject and object in the security literature, but are clearer terms for discussing security in object-oriented systems.
...it
Because a signature can be stripped or replaced by a third party, a signature provides no strong guarantee of authorship.
...JavaSoft [14]
The Java Electronic Commerce Framework (JECF) uses a capability-style interface, extending the signed applet support in JDK 1.1. More information about JavaSoft's security architecture plans can be found in Gong [16].
...it
For example, the combination to a safe is a capability. The safe has no way to tell whether the combination has been stolen; anyone who enters the correct combination can open the door. The security of the safe depends on the combination not being leaked by an authorized holder.
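The safe analogy above can be made concrete. The following Python model is an added illustration, not code from the paper or from any Java implementation it discusses: the resource checks only that a presented token is one it minted, never who presents it, so a leaked token confers full authority, while a forged token (one the resource never minted) is rejected. It goes slightly beyond the footnote by contrasting this with an identity-based check of the kind a conventional access-control list performs. All names (Capability, CapabilityStore, AclStore, the file contents, and the principals alice and mallory) are hypothetical.

```python
"""Capabilities as bearer tokens: an added toy model, not code from the paper."""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    """An unforgeable token. The resource and rights are bound inside it;
    the holder's identity is not, so possession alone is authority."""
    resource: str
    rights: frozenset
    # Random nonce: a token built by someone else will not compare equal
    # to the one the store minted, which is what makes it "unforgeable" here.
    _nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))


class CapabilityStore:
    """The safe: it remembers which combinations it issued, not who holds them."""

    def __init__(self):
        self._files = {"payroll.txt": "salary data"}  # constructed sample content
        self._minted = set()

    def grant(self, resource, rights):
        cap = Capability(resource, frozenset(rights))
        self._minted.add(cap)
        return cap

    def read(self, cap):
        # Note the absence of a principal argument: the store cannot ask
        # "has this capability been stolen?", only "is it one of mine?".
        if cap not in self._minted or "read" not in cap.rights:
            raise PermissionError("invalid capability")
        return self._files[cap.resource]


class AclStore:
    """Contrast: an identity-based check consults a per-resource list."""

    def __init__(self):
        self._files = {"payroll.txt": "salary data"}
        self._acl = {"payroll.txt": {"alice": {"read"}}}

    def read(self, principal, resource):
        if "read" not in self._acl.get(resource, {}).get(principal, set()):
            raise PermissionError(f"{principal} may not read {resource}")
        return self._files[resource]


def capability_leak_demo():
    """Returns what each party sees; 'denied' means a PermissionError."""
    caps, acl = CapabilityStore(), AclStore()
    alice_cap = caps.grant("payroll.txt", {"read"})
    leaked_cap = alice_cap  # alice hands (or loses) the token to mallory
    forged_cap = Capability("payroll.txt", frozenset({"read"}))  # mallory's own

    def attempt(fn):
        try:
            return fn()
        except PermissionError:
            return "denied"

    return {
        "alice": attempt(lambda: caps.read(alice_cap)),
        "mallory_with_leak": attempt(lambda: caps.read(leaked_cap)),
        "mallory_forged": attempt(lambda: caps.read(forged_cap)),
        "mallory_acl": attempt(lambda: acl.read("mallory", "payroll.txt")),
    }


if __name__ == "__main__":
    for who, outcome in capability_leak_demo().items():
        print(f"{who}: {outcome}")
```

The point of the contrast is that the capability store and the ACL store enforce the same policy when nothing leaks, but only the ACL store can distinguish mallory from alice once a token has changed hands; the capability store's security rests entirely on holders not leaking what they were given.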
...mechanism
This approach is sometimes incorrectly referred to as "capability-based security" in some marketing literature.
...default
Netscape's stack introspection is currently only used in their Web browser, so compatibility with existing Java applications is not an issue.
...signature
Actually, a sequence of signatures is allowed, but the present implementation recognizes only the first one.
..."OK".
While the sandbox model puts up a warning strip on windows opened by untrusted code, windows opened by JavaScript have no such warning.
Dan Wallach
7/26/1997