Results 1 - 10 of 29
The JavaSeal mobile agent kernel
- Autonomous Agents and Multi-Agent Systems, 1999
Cited by 56 (9 self)
JavaSeal is a secure mobile agent kernel that provides a small set of abstractions for constructing agent applications. This paper describes the design of these abstractions and their implementation. We address the limitations of the Java security model that had to be overcome, and then present a medium-sized e-commerce application that runs over JavaSeal.
Drawing the Red Line in Java
- In Seventh IEEE Workshop on Hot Topics in Operating Systems, Rio Rico, AZ, 1999
Cited by 40 (6 self)
Software-based protection has become a viable alternative to hardware-based protection in systems based on languages such as Java, but the absence of hardware mechanisms for protection has been coupled with an absence of a user/kernel boundary. We show why such a "red line" must be present in order for a Java virtual machine to be as effective and as reliable as an operating system. We discuss how the red line can be implemented using software mechanisms, and explain the ones we use in the Java system that we are building. 1. Introduction A paper that appeared at a previous HotOS [4] stated that "protection is a software issue." This statement is incomplete; we would reword it as "Protection is a software issue, but it is not the only software issue." In particular, issues such as resource control, communication, and termination need to be dealt with in software if hardware protection mechanisms are not present. To date, systems that replace hardware mechanisms with software mechanism...
Secure Composition of Insecure Components
- In 12th IEEE Computer Security Foundations Workshop (CSFW-12), 1999
Cited by 32 (8 self)
Software systems are becoming heterogeneous: instead of a small number of large programs from well-established sources, a user's desktop may now consist of many smaller components that interact in intricate ways. Some components will be downloaded from the network from sources that are only partially trusted. A user would like to know that a number of security properties hold, e.g. that personal data is not leaked to the net, but it is typically infeasible to verify that such components are well-behaved. Instead, they must be executed in a secure environment, or wrapper, that provides fine-grain control of the allowable interactions between them, and between components and other system resources. In this paper we study such wrappers, focusing on how they can be expressed in a way that enables their security properties to be stated and proved rigorously. We introduce a model programming language, the box-pi calculus, that supports composition of software components and the enforcement of security policies. Several example wrappers are expressed using the calculus; we explore the delicate security properties they guarantee.
Portable Resource Control in Java - The J-SEAL2 Approach
- Proceedings of the 2001 ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications (OOPSLA'01), 2001
Cited by 22 (9 self)
Preventing abusive resource consumption is indispensable for all kinds of systems that execute untrusted mobile code, such as mobile object systems, extensible web servers, and web browsers. To implement the required defense mechanisms, some support for resource control must be available: accounting and limiting the usage of physical resources like CPU and memory, and of logical resources like threads. Java is the predominant implementation language for the kind of systems envisaged here, even though resource control is a missing feature on standard Java platforms. This paper describes the model and implementation mechanisms underlying the new resource-aware version of the J-SEAL2 mobile object kernel. Our fundamental objective is to achieve complete portability, and our approach is therefore based on Java bytecode transformations. Whereas resource control may be targeted towards the provision of quality of service or of usage-based billing, the focus of this paper is on security, and more specifically on prevention of denial-of-service attacks originating from hostile or poorly implemented mobile code. Keywords: Bytecode rewriting, Java, micro-kernels, mobile object systems, resource control, security.
Programming Languages as Operating Systems (or Revenge of the Son of the Lisp Machine)
- In Proceedings of the 1999 ACM International Conference on Functional Programming (ICFP '99), 1999
Cited by 21 (6 self)
The MrEd virtual machine serves both as the implementation platform for the DrScheme programming environment, and as the underlying Scheme engine for executing expressions and programs entered into DrScheme's read-eval-print loop. We describe the key elements of the MrEd virtual machine for building a programming environment, and we step through the implementation of a miniature version of DrScheme in MrEd. More generally, we show how MrEd defines a high-level operating system for graphical programs. 1 MrEd: A Scheme Machine The DrScheme programming environment [10] provides students and programmers with a user-friendly environment for developing Scheme programs. To make programming accessible and attractive to novices, DrScheme provides a thoroughly graphical environment and runs under several major windowing systems (Windows, MacOS, and Unix/X). More than 60 universities and high schools currently employ DrScheme in their computing curriculum, and new schools adopt DrScheme every s...
Design And Implementation Of The J-SEAL2 Mobile Agent Kernel
- 2001
Cited by 19 (11 self)
J-SEAL2 is a secure, portable, and efficient execution environment for mobile agents. The core of the system is a micro-kernel fulfilling the same functions as a traditional operating system kernel: protection, communication, domain termination, and resource control. This paper describes the key concepts of the J-SEAL2 micro-kernel and how they are implemented in pure Java.
Principals in Programming Languages: A Syntactic Proof Technique
- In Proc. ICFP, Paris, 1999
Cited by 16 (1 self)
Programs are often structured around the idea that different pieces of code comprise distinct principals, each with a view of its environment. Typical examples include the modules of a large program, a host and its clients, or a collection of interactive agents. In this paper, we formalize this notion of principal in the programming language itself. The result is a language in which intuitive statements such as, "the client must call open to obtain a file handle," can be phrased and proven formally. We add principals to variants of the simply-typed λ-calculus and show how we can track the code corresponding to each principal throughout evaluation. This multiagent calculus yields syntactic proofs of some type abstraction properties that traditionally require semantic arguments. 1 Introduction Programmers often have a notion of principal in mind when designing the structure of a program. Examples of such principals include modules of a large system, a host and its clients, and, in th...
J-Kernel: A capability-based operating system for Java
- Lecture Notes in Computer Science, 1999
Cited by 14 (1 self)
1 Introduction The notion of moving code across the network to the most appropriate host for execution has become commonplace. Most often code is moved for efficiency, but sometimes it is for privacy, for fault-tolerance, or simply for convenience. The major concern when moving code is security: the integrity of the host to which it is moved is at risk, as well as the integrity of the computation performed by the moved code itself. A number of techniques have been used to place protection boundaries between so-called "untrusted code" moved to a host and the remainder of the software running on that host. Traditional operating systems use virtual memory to enforce protection between processes. A process cannot directly read and write other processes' memory, and communication between processes requires traps to the kernel. By limiting the traps an untrusted process can invoke, it can be isolated to varying degrees from other processes on the host. However, there's little point in sending a computation to a host if it cannot interact with other computations there; inter-process communication must be possible.
A Survey on Customizability in Operating Systems Research
- 2002
Cited by 12 (0 self)
An important goal of an operating system is to make computing and communication resources available in a fair and efficient way to the applications that will run on top of it. To achieve this result, the operating system implements a number of policies for allocating resources to, and sharing resources among applications, and it implements safety mechanisms to guard against misbehaving applications. However, for most of these allocation and sharing tasks, no single optimal policy exists. Different applications may prefer different operating system policies to achieve their goals in the best possible way. A customizable or adaptable operating system is an operating system that allows for flexible modification of important system policies. Over the past decade, a wide range of approaches for achieving customizability has been explored in the operating systems research community. In this survey, an overview of these approaches, structured around a taxonomy, is presented.
Towards a Strongly Typed Functional Operating System
- The 14th International Workshop on the Implementation of Functional Languages, IFL'02, Selected Papers, volume 2670 of LNCS, 2002
Cited by 10 (4 self)
In this paper, we present Famke. It is a library for Clean that enables the creation and management of independent distributed processes (written in Clean) on a network of computers. The main feature of Famke is that values of any type, i.e. data and code, can be communicated between independent processes in a type safe way. Famke uses Clean's dynamic types and its dynamic linker to extend running applications with new code (plug-ins) that, if its type matches the types used in the application, are guaranteed to fit. Clean no longer offers any support for concurrent evaluation, but fortunately, we can realize threads, signalling and exception handling by using first class continuations without the need for additional run-time support. We have made an interactive shell on top of Famke with which the user can manipulate processes interactively.