[e-lang] Joe-E paper available
David Wagner
daw at cs.berkeley.edu
Sat Jan 9 00:54:01 PST 2010
I wanted to let you all know about a new paper on Joe-E, from Adrian
Mettler, Tyler Close, and me. The paper describes the Joe-E language,
how it was designed to facilitate secure programming, and the ways in
which Joe-E has supported the security goals of the Waterken server.
See below for the URL.
We've benefitted from contributions and insights from many folks on this
mailing list; thank you, everyone, and happy reading!
Adrian Mettler, David Wagner, and Tyler Close. "Joe-E: A
Security-Oriented Subset of Java". To appear at ISOC NDSS 2010.
http://www.cs.berkeley.edu/~daw/papers/joe-e-ndss10.pdf
Abstract:
We present Joe-E, a language designed to support the development
of secure software systems. Joe-E is a subset of Java that makes
it easier to architect and implement programs with strong security
properties that can be checked during a security review. It enables
programmers to apply the principle of least privilege to their programs;
implement application-specific reference monitors that cannot be bypassed;
introduce and use domain-specific security abstractions; safely execute
and interact with untrusted code; and build secure, extensible systems.
Joe-E demonstrates how it is possible to achieve the strong security
properties of an object-capability language while retaining the features
and feel of a mainstream object-oriented language. Additionally,
we present ways in which Java's static type safety complements
object-capability analysis and permits additional security properties
to be verified statically, compared with previous object-capability
languages which rely on runtime checks. In this paper, we describe the
design and implementation of Joe-E and its advantages for security and
auditability over standard Java. We demonstrate how Joe-E can be used to
develop systems with novel security properties that would be difficult
or impossible to ensure otherwise, including a web application platform
that provides transparent, transactional object persistence and can
safely host multiple mutually-distrustful applications in a single JVM.