Automatic verification of finite-state concurrent systems using temporal logic specifications
ACM Transactions on Programming Languages and Systems (TOPLAS)
Computer-aided verification of coordinating processes: the automata-theoretic approach
Computer-aided verification of coordinating processes: the automata-theoretic approach
IEEE Transactions on Software Engineering - Special issue on formal methods in software practice
Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
The design and implementation of a certifying compiler
PLDI '98 Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation
Inside Java 2 platform security architecture, API design, and implementation
Inside Java 2 platform security architecture, API design, and implementation
Justifying proofs using memo tables
Proceedings of the 2nd ACM SIGPLAN international conference on Principles and practice of declarative programming
ACM Transactions on Information and System Security (TISSEC)
Communication and Concurrency
Logic Programming and Model Checking
PLILP '98/ALP '98 Proceedings of the 10th International Symposium on Principles of Declarative Programming
Efficient Model Checking Using Tabled Resolution
CAV '97 Proceedings of the 9th International Conference on Computer Aided Verification
XMC: A Logic-Programming-Based Verification Toolset
CAV '00 Proceedings of the 12th International Conference on Computer Aided Verification
User Authentication and Authorization in the Java(tm) Platform
ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Intrusion Detection via Static Analysis
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Synthesizing fast intrusion prevention/detection systems from high-level specifications
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Intrusion detection using sequences of system calls
Journal of Computer Security
Lifting Temporal Proofs through Abstractions
VMCAI 2003 Proceedings of the 4th International Conference on Verification, Model Checking, and Abstract Interpretation
Empowering mobile code using expressive security policies
Proceedings of the 2002 workshop on New security paradigms
Proceedings of the 2002 workshop on New security paradigms
An Approach for Secure Software Installation
LISA '02 Proceedings of the 16th USENIX conference on System administration
Interactive and Probabilistic Proof of Mobile Code Safety
Automated Software Engineering
A framework for testing security mechanisms for program-based attacks
SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
NSPW '05 Proceedings of the 2005 workshop on New security paradigms
A compact aspect-based security monitor for J2ME applications
CompSysTech '07 Proceedings of the 2007 international conference on Computer systems and technologies
SOMA: mutual approval for included content in web pages
Proceedings of the 15th ACM conference on Computer and communications security
A Property-Dependent Agent Transfer Protocol
Trust '09 Proceedings of the 2nd International Conference on Trusted Computing
Design of effective anti-malware system for mobile industrial devices based on windows CE
ICACT'09 Proceedings of the 11th international conference on Advanced Communication Technology - Volume 3
Experiences with embedding MPL security monitors into Java programs
CompSysTech '09 Proceedings of the International Conference on Computer Systems and Technologies and Workshop for PhD Students in Computing
Securing code in services oriented architecture
ICWE'07 Proceedings of the 7th international conference on Web engineering
Some ideas on virtualized system security, and monitors
DPM'10/SETOP'10 Proceedings of the 5th international Workshop on data privacy management, and 3rd international conference on Autonomous spontaneous security
A survey of security issue in multi-agent systems
Artificial Intelligence Review
W3Bcrypt: encryption as a stylesheet
ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
Security-by-contract: toward a semantics for digital signatures on mobile code
EuroPKI'07 Proceedings of the 4th European conference on Public Key Infrastructure: theory and practice
Dependability in dynamic, evolving and heterogeneous systems: the connect approach
Proceedings of the 2nd International Workshop on Software Engineering for Resilient Systems
| Hi-index | 0.00 |
A new approach for ensuring the security of mobile code is proposed. Our approach enables a mobile-code consumer to understand and formally reason about what a piece of mobile code can do; check if the actions of the code are compatible with his/her security policies; and, if so, execute the code. The compatibility-checking process is automated, but if there are conflicts, consumers have the opportunity to refine their policies, taking into account the functionality provided by the mobile code. Finally, when the code is executed, our framework uses runtime-monitoring techniques to ensure that the code does not violate the consumer's (refined) policies.At the heart of our method, which we call model-carrying code (MCC), is the idea that a piece of mobile code comes equipped with an expressive yet concise model of the code's (security-relevant) behavior. The generation of such models can be automated. MCC enjoys several advantages over current approaches to mobile-code security. It protects consumers of mobile code from malicious or faulty code without unduly restricting the code's functionality. Also, it is applicable to the vast majority of code that exists today, which is written in C or C++. This contrasts with previous approaches such as Java 2 security and proof-carrying code, which are either language-specific or are limited to type-safe languages. Finally, MCC can be combined with existing techniques such as cryptographic signing and proof-carrying code to yield additional benefits.