Safe Kernel Extensions Without Run-Time Checking
- Proc. of OSDI'96
Cited by 381 (18 self)
Abstract
This paper describes a mechanism by which an operating system kernel can determine with certainty that it is safe to execute a binary supplied by an untrusted source. The kernel first defines a safety policy and makes it public. Then, using this policy, an application can provide binaries in a special form called proof-carrying code, or simply PCC. Each PCC binary contains, in addition to the native code, a formal proof that the code obeys the safety policy. The kernel can easily validate the proof without using cryptography and without consulting any external trusted entities. If the validation succeeds, the code is guaranteed to respect the safety policy without relying on run-time checks. The main practical difficulty of PCC is in generating the safety proofs. In order to gain some preliminary experience with this, we have written several network packet filters in hand-tuned DEC Alpha assembly language, and then generated PCC binaries for them using a special prototype assembler. The PCC binaries can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.
PROTECTING AGENTS FROM MALICIOUS HOSTS USING TPM
Abstract
Software agents represent a promising computing paradigm. They are an elegant technology for solving problems that cannot be easily solved in other ways. The scientific community has shown that the software agents approach simplifies the solution of different types of traditional computing problems; a proof of this is that several important applications based on this technology exist. Software agents clearly have many benefits, but unfortunately, the lack of appropriate security mechanisms for systems based on them is a barrier to the widespread use of this paradigm in industry. Applying the current security mechanisms is not trivial for developers of agent-based systems, since they are usually not security experts and consequently lack the appropriate expertise. This paper presents a new protection infrastructure that solves the problem known as the malicious host in mobile agent systems. This protection infrastructure implements a secure protocol for migrating agents from host to host that relies on hardware elements; in particular, it builds on recent advances in Trusted Platform Module (TPM) computing. To make the proposed infrastructure easy to use, we provide it as an extension to the Java Agent Development Framework (JADE). Finally, the migration protocol presented has been validated using

