I just wanted to let you and everyone know that this is an *awesome* paper. Besides explaining Joe-E itself, it is perhaps the clearest and most powerful statement to date of the benefits provided by object-capability languages. I will be recommending this paper widely.<br>
<br><br><div class="gmail_quote">On Sat, Jan 9, 2010 at 12:54 AM, David Wagner <span dir="ltr"><<a href="mailto:daw@cs.berkeley.edu">daw@cs.berkeley.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I wanted to let you all know about a new paper on Joe-E, from Adrian<br>
Mettler, Tyler Close, and me. The paper describes the Joe-E language,<br>
how it was designed to facilitate secure programming, and the ways in<br>
which Joe-E has supported the security goals of the Waterken server.<br>
See below for the URL.<br>
<br>
We've benefited from contributions and insights from many folks on this<br>
mailing list; thank you, everyone, and happy reading!<br>
<br>
<br>
Adrian Mettler, David Wagner, and Tyler Close. "Joe-E: A<br>
Security-Oriented Subset of Java". To appear at ISOC NDSS 2010.<br>
<a href="http://www.cs.berkeley.edu/%7Edaw/papers/joe-e-ndss10.pdf" target="_blank">http://www.cs.berkeley.edu/~daw/papers/joe-e-ndss10.pdf</a><br>
<br>
Abstract:<br>
We present Joe-E, a language designed to support the development<br>
of secure software systems. Joe-E is a subset of Java that makes<br>
it easier to architect and implement programs with strong security<br>
properties that can be checked during a security review. It enables<br>
programmers to apply the principle of least privilege to their programs;<br>
implement application-specific reference monitors that cannot be bypassed;<br>
introduce and use domain-specific security abstractions; safely execute<br>
and interact with untrusted code; and build secure, extensible systems.<br>
Joe-E demonstrates how it is possible to achieve the strong security<br>
properties of an object-capability language while retaining the features<br>
and feel of a mainstream object-oriented language. Additionally,<br>
we present ways in which Java's static type safety complements<br>
object-capability analysis and permits additional security properties<br>
to be verified statically, compared with previous object-capability<br>
languages which rely on runtime checks. In this paper, we describe the<br>
design and implementation of Joe-E and its advantages for security and<br>
auditability over standard Java. We demonstrate how Joe-E can be used to<br>
develop systems with novel security properties that would be difficult<br>
or impossible to ensure otherwise, including a web application platform<br>
that provides transparent, transactional object persistence and can<br>
safely host multiple mutually-distrustful applications in a single JVM.<br>
<br>
_______________________________________________<br>
e-lang mailing list<br>
<a href="mailto:e-lang@mail.eros-os.org">e-lang@mail.eros-os.org</a><br>
<a href="http://www.eros-os.org/mailman/listinfo/e-lang" target="_blank">http://www.eros-os.org/mailman/listinfo/e-lang</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Text by me above is hereby placed in the public domain<br><br> Cheers,<br> --MarkM<br><br>
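The abstract above describes least privilege, unbypassable application-specific reference monitors, and static type safety complementing object-capability analysis. The following is an added illustration of those ideas in plain Java, not code from the paper or the Joe-E project; the class and method names (KeyValueStore, ReadOnlyStore, Revoker, Plugin) are hypothetical. A plugin is handed only a read-only facet of a store, and the facet is a revocable forwarder, so the plugin's authority is exactly the reference it holds. In ordinary Java this discipline can be undone by a static field, reflection, or a downcast; the Joe-E subset removes those routes, which is what makes the same reasoning sound and statically checkable.

```java
// Added example (not from the paper or the Joe-E project): an object-capability
// style reference monitor in plain Java. All names here are hypothetical.
import java.util.HashMap;
import java.util.Map;

/** Full-authority capability: whoever holds a reference can read and write. */
final class KeyValueStore {
    private final Map<String, String> data = new HashMap<>();
    String get(String key) { return data.get(key); }
    void put(String key, String value) { data.put(key, value); }
}

/** Attenuated facet: the type exposes no write method, so a holder of only
 *  this reference cannot mutate the store. The check is done by the compiler. */
interface ReadOnlyStore {
    String get(String key);
}

/** Revocable forwarder: the creator keeps the Revoker, the plugin gets the facet.
 *  Every call goes through this object, which is the reference monitor. */
final class Revoker {
    private KeyValueStore target;   // becomes null once revoked
    Revoker(KeyValueStore target) { this.target = target; }

    ReadOnlyStore facet() {
        return key -> {
            KeyValueStore t = target;          // re-read on every call
            if (t == null) throw new IllegalStateException("capability revoked");
            return t.get(key);
        };
    }

    void revoke() { target = null; }
}

/** Untrusted code: it can use only the interface it was handed. */
final class Plugin {
    private final ReadOnlyStore store;
    Plugin(ReadOnlyStore store) { this.store = store; }

    String describe(String key) {
        String v = store.get(key);
        return v == null ? key + " is unset" : key + " = " + v;
    }
}

public class CapabilityDemo {
    public static void main(String[] args) {
        KeyValueStore store = new KeyValueStore();
        store.put("owner", "alice");            // constructed sample data

        Revoker revoker = new Revoker(store);
        Plugin plugin = new Plugin(revoker.facet());   // least privilege: read-only

        System.out.println(plugin.describe("owner"));
        // plugin cannot write: ReadOnlyStore has no put(), so such a call
        // would not compile. Its authority is bounded by the reference it holds.

        revoker.revoke();                        // withdraw the authority
        try {
            plugin.describe("owner");
        } catch (IllegalStateException e) {
            System.out.println("after revoke: " + e.getMessage());
        }
    }
}
```

The security argument is a review of reference flow rather than of every call site: the store is created in main, the only reference given to the plugin is the facet, and the facet's type admits no mutation. That is the kind of audit the abstract says Joe-E is built to make tractable, because in the subset there is no global or reflective path by which the plugin could reach the KeyValueStore directly.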