Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow.

The introduction of Java applets has taken the World Wide Web by storm. Information servers can customize the presentation of their content with server-supplied code which executes inside the Web browser. We examine the Java language and both the HotJava and Netscape browsers which support it, and find a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by Web application writers and the security needs of their users, and we suggest how both might be accommodated. 1.

The Sanctuary project at UCSD is building a secure infrastructure for mobile agents, and examining

Designing a suitable mechanism to confine commonly used applications is challenging as such a mechanism needs to satisfy conflicting requirements. The trade-off is between configurability and ease of use. In this paper, we present the design, implementation and evaluation of MAPbox, a general-purpose confinement mechanism that retains the ease of use of specialized sandboxes such as Janus and SBOX while providing significantly more configurability. The key idea is to group application behaviors into classes based on the expected functionality and the resources required to achieve that functionality. Classification of behaviors provides a set of behavior labels (class names) that can be used to concisely communicate the expected functionality of programs between the provider and the users. This is similar to the MIME-types used to concisely describe the expected format of data files. Classification of application behaviors also allows class-specific sandboxes to be built and instantiat...

In this paper, we present a history-based access-control mechanism that is suitable for mediating accesses from mobile code. The key idea behind history-based access-control is to maintain a selective history of the access requests made by individual programs and to use this history to improve the differentiation between safe and potentially dangerous requests. What a program is allowed to do depends on its own behavior and identity in addition to currently used discriminators like the location it was loaded from or the identity of its author/provider. History-based access-control has the potential to significantly expand the set of programs that can be executed without compromising security or ease of use. We describe the design and implementation of Deeds, a history-based access-control mechanism for Java. Accesscontrol policies for Deeds are written in Java, and can be updated while the programs whose accesses are being mediated are still executing.

The growing use of mobile code in downloaded programs such as applets and servlets has increased interest in robust mechanisms for ensuring privacy and secrecy. Common security mechanisms such as sandboxing and access control are either too restrictive or too weak---they prevent applications from sharing data usefully, or allow private information to leak. For example, security mechanisms in Java prevent many useful applications while still permitting Trojan horse applets to leak private information. This thesis describes the decentralized label model, a new model of information flow control that protects private data while allowing applications to share data. Unlike previous approaches to privacy protection based on information flow, this label model is decentralized: it allows cooperative computation by mutually distrusting principals, without mediation by highly trusted agents. Cooperative computation is possible because individual principals can declassify their own data without infringing on other principals' privacy. The decentralized label model permits programs using it to be checked statically, which is important for the precise detection of information leaks. This thesis also

This paper describes the security architecture of Ajanta

Systems that support mobile agents are increasingly being used on the global Internet. Security concerns dealing with the protection of the execution environment from malicious agents are extensively being tackled. We concentrate on the reverse problem, namely how a mobile agent can beprotectedfrom malicious behaviour of the execution environment, which is largely ignored. We will

This paper gives an overview of Ajanta, a Java-based system for mobile-agent programming. We outline the Ajanta architecture, and discuss the basic elements that comprise an agent-based application. Ajanta's programming environment is defined in terms of a set of primitive operations for agent creation, dispatch, migration and remote control. Agents can access server resources using a proxy-based access control mechanism. We describe a scheme for agent migration based on the composition of some basic migration patterns which incorporate exception handling mechanisms. Finally, we present two agent based distributed applications implemented using the Ajanta system. One is a middleware which supports file sharing over the Internet and the other is a distributed calendar manager.

The introduction of Java applets has taken the World Wide Web by storm. Java allows web creators to embellish their content with arbitrary programs which execute in the web browser, whether for simple animations or complex front-ends to other services. We examined the Java language and the Sun HotJava, Netscape Navigator, and Microsoft Internet Explorer browsers which support it, and found a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by web application writers and the security needs of their users, and we sug...