D. Malkhi and M. K. Reiter. Secure execution of java applets using a remote playground. Software Engineering, 26(12), 2000.
....heap is not accounted for. Figure 1.1 depicts the basic structure of both ad hoc layers and superimposed systems. An alternative approach to separating different applications is to give each one its own virtual machine and run each virtual machine in a different process on an underlying OS [47, 56], as shown in Figure 1.2. Most operating systems can limit a process's heap size or CPU consumption. Such mechanisms could be used to directly limit an entire VM's resource consumption, but they depend on underlying operating system support. Depending on the operating system has multiple ....
Malkhi, D., Reiter, M. K., and Rubin, A. D. Secure execution of Java applets using a remote playground. In Proceedings of the 1998.
....with an explicit process-like abstraction for Java tasks, provides a separate heap for each task. The multitasking virtual machine (MVM) [17] and systems by Bernadat et al. [7] and van Doorn [46] similarly use separate heaps or memory spaces to facilitate accounting for memory. Some systems [35, 42] even go so far as to run the JVMs in separate Unix processes on separate machines. These systems accurately account for memory a task keeps live. However, inter-task communications and memory sharing are severely restricted, limiting the usefulness of the language. In addition, these systems are ....
D. Malkhi, M. Reiter, and A. Rubin. Secure execution of Java applets using a remote playground. In Proceedings of the 1998.
....system classes from being manipulated into violating security [80, 41, 33, 34] but efforts to control resource exhaustion have lagged behind. A simple infinite loop will still freeze the latest web browsers. The most successful systems to date either run the JVMs in separate processes or machines [55, 73], surrendering any performance benefits from running the JVM together with its host application, or create a process-like abstraction inside the JVM [7, 77, 43, 8, 20]. These process abstractions either complicate memory sharing among codelets or make it completely impossible. This thesis explores ....
....to separate protection domains, so individual codelets have to be run in separate JVM processes. At a more extreme level, one can take advantage of the separation afforded by running the codelets on different machines entirely. Several systems use these mechanisms to provide language security [55, 73]. Inside the Run Time System We can also implement transactional rollback as a customization to the language run time system. With the language run time system's semantic understanding of the language's data structures, we can provide transactional rollback at the granularity of these data ....
D. Malkhi, M. Reiter, and A. Rubin. Secure execution of Java applets using a remote playground. In Proceedings of the 1998.
....to separate protection domains, so individual codelets have to be run in separate JVM processes. At a more extreme level, one can take advantage of the separation afforded by running the codelets on different machines entirely. Several systems use these mechanisms to provide language security [24, 34]. 2.2.2. Inside the run time system. We can also implement transactional rollback as a customization to the language run time system. With the language run time system's semantic understanding of the language's data structures, we can provide transactional rollback at the granularity of these ....
D. Malkhi, M. Reiter, and A. Rubin. Secure execution of Java applets using a remote playground. In Proceedings of the 1998.
....any sensitive system service, but the sandbox model turned out to be compromised even with small implementation errors [5]. These observations were followed by some efforts to try and prevent untrusted applets from getting into a local machine. Malkhi et al. proposed the concept of a playground [17] for executing untrusted mobile code on a remote protected domain (machine) while using the user's browser as an I/O terminal. The Secure Internet Programming group at Princeton proposed a Java Filter [2] for preventing untrusted applets from entering the user's computer; a user could download ....
Dahlia Malkhi, Michael Reiter, and Avi Rubin. Secure Execution of Java Applets using a Remote Playground.
....as sandboxes [23], a restricted environment in which, effectively, each instruction is monitored and checked before being executed. If access to resources is violated, execution halts. The sandbox model is quite restrictive, and has been extended since its initial introduction (see, for example, [6, 11]). Regenerating agents from blueprints may considerably help in protecting a host against malicious code. Normally, blueprints do not contain code descriptions, but refer only to interfaces and components that should be locally available to an agent factory. The code contained in these components ....
D. Malkhi and M. Reiter. Secure execution of Java applets using a remote playground. IEEE Transactions on Software Engineering, 26(12):1197--1209, December 2000.
....this paper, and can be found in [13]. Another issue is to protect servers against malicious dynamic documents, which could be used to run unauthorized code on remote platforms. This problem will be solved with classical techniques such as executing remote code in a sandbox or a remote playground [8]. 3 System Architecture Figure 1 shows Globule's architecture. It provides several distinct features: negotiating with remote servers for resource allocation and resource management, document replication and consistency, and automatic client redirection. 3.1 Delegated Resource Management When ....
Malkhi, D., Reiter, M.: Secure Execution of Java Applets using a Remote Playground. IEEE Transactions on Software Engineering 26 (2000) 1197--1209
....classes from being manipulated into violating security [30, 31, 18, 13, 14] but efforts to control resource exhaustion have lagged behind. A simple infinite loop will still freeze the latest Web browsers. The most successful systems to date either run the JVMs in separate processes or machines [23, 26], surrendering any performance benefits from running the JVM together with its host application, or create a process-like abstraction inside the JVM [4, 28, 20, 5]. These process abstractions either complicate memory sharing or make it completely impossible. This paper describes a new language ....
D. Malkhi, M. Reiter, and A. Rubin. Secure execution of Java applets using a remote playground. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 40--51, Oakland, California, May 1998.
....spent on behalf of a given application: for example, CPU time spent while garbage collecting a process's heap. An alternative approach to separate different applications is to give each one its own virtual machine, and run each virtual machine in a different process on an underlying OS [25, 29]. For instance, most operating systems can limit a process's heap size or CPU consumption. Such mechanisms could be used to directly limit an entire VM's resource consumption, but they depend on underlying operating system support. Designing JVMs to support multiple processes is a superior ....
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure Execution of Java Applets using a Remote Playground. In Proc. of the 1998 IEEE Symposium on Security and Privacy, pages 40--51, Oakland, CA, May 1998.
....views are available to define low-level system configurations such as the XML parser used. 6. RELATED WORK Java's security model is well documented [4, 5, 6] and many approaches exist to extend or replace this basic model in terms of new security features and capabilities. For example, [15] describes an approach which uses protected domains, so-called playgrounds, to protect machines and resources from mobile code. A playground is a dedicated machine on which the mobile code is executed, with its input and output redirected to the user's machine. This creates the illusion that the ....
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure Execution of Java Applets using a Remote Playground. In Proceedings of the IEEE Symposium on Security and Privacy, Los Alamitos, California, May 1998.
....because there is no control over what data individual applications can store on the shared heap. In addition, the shared heap is not garbage collected. One approach to resource control is to dedicate an entire machine to the execution of client code. For instance, AT&T's Java Playground [34] and Digitivity's CAGE Applet Management System [17] define special Java applet execution models that require applets to run on dedicated, specially protected hosts. This execution model imposes extremely rigid limits on mobile code, by quarantining applets on isolated hosts. As a result, richer ....
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure execution of Java applets using a remote playground. In Proc. of the 1998 IEEE Symposium on Security and Privacy, pages 40--51, Oakland, CA, May 1998.
....they do so, to ensure that they are not executed at the local machine [MRR97] • Playground architecture. This clever technique, preventing most security problems, is based on a change in the architecture: besides the browser and the web, a proxy and a sacrificial playground machine are added [MRR98]. The playground architecture distinguishes Java classes that prescribe graphics actions from those prescribing all other actions; the former are loaded on the client machine, while the latter are loaded on the sacrificial playground machine that uses the graphics server in the browser as an I/O ....
D.Malkhi, M.K.Reiter, A.D.Rubin. Secure Execution of Java Applets Using a Remote Playground, Procs. IEEE Computer Society Symp. on Security and Privacy, pages 40-51, 1998.
....model for executing untrusted applets in a restricted execution environment. This sandbox model was supposed to prohibit untrusted applets from using any sensitive system services, but failed to do even with small implementation errors [3]. Malkhi, et al. proposed a concept of playground (sandbox) [8] for executing untrusted mobile code on a remote protected domain (machine) called playground. Prior to execution the applet is transformed to use the downloading user's web browser as a graphics terminal for its input and output. The way in which the applet is transformed is class level ....
Dahlia Malkhi, Michael Reiter, and Avi Rubin. Secure Execution of Java Applets using a Remote Playground. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, May 1998.
....An X application can set its display to a remote machine and maintain a synchronized display with event feedbacks, if the remote machine allows display permissions for other hosts. However directly using X Windows is not possible because not all client hosts support it. Digitivity [5] and AT&T [1] have proposed similar solutions that decouple user interface and application logic in a way independent of client machines operating system. The central idea in both solutions is to execute Java methods related to creation and rendering of AWT objects through a dummy graphics server applet ....
....server applet running in the client browser. IBM [9] also proposes remote AWT classes but the motivation for the work is for providing a powerful Java compute server that can serve client hosts with displays. The solution proposed by [5] based on limited publicized information, is similar to [1] except that the protocol for communication between the applet running in the client browser and the applet executing on a playground machine, is proprietary. [1] uses Java Remote Method Invocation (RMI) for similar communication. Spout does not parse and change the bytecode of a downloaded ....
[Article contains additional citation context not shown here]
Dahlia Malkhi, Michael K. Reiter, Aviel Rubin; Secure Execution of Java Applets using a Remote Playground; IEEE Symposium of Security and Privacy, May 1998
....defeats the greatest advantage of safe language based systems: flexible sharing. Hardware supported Approaches Two groups have independently developed a Java applet execution model that requires the applets to run on dedicated, specially protected and isolated hosts: AT&T's Java Playground [18] and Digitivity's Cage Applet Management System [8]. However, this model is severely flawed: it imposes inherent limits on the functionality achievable from mobile code, essentially limiting execution to the restrictive Java applet model (a model useful for little more than "dancing pigs") ....
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure Execution of Java Applets using a Remote Playground. In Proc. of the 1998 IEEE Symp. on Research in Security and Privacy, pages 40--51, Oakland, CA, May 1998.
....in Java. It does not support resource controls in general, but it does support registration of resources so that they can be reclaimed upon process termination. One approach to resource control is to dedicate an entire machine to the execution of client code. For instance, AT&T's Java Playground [34] and Digitivity's CAGE Applet Management System [16] define special Java applet execution models that require applets to run on dedicated, specially protected hosts. This execution model imposes extremely rigid limits on mobile code, by quarantining applets on isolated hosts. As a result, richer ....
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure execution of Java applets using a remote playground. In Proc. of the 1998 IEEE Symp. on Security and Privacy, pp. 40--51, Oakland, CA, May 1998.
....use proprietary techniques so the mechanisms they use are not known. This approach is fundamentally limited by the halting problem [1] which states that there is no general purpose algorithm that can determine the behavior of an arbitrary program. Another approach is taken by Malkhi et al. [7] (developed independently and marketed by [Figure 2 diagram; components: Browser, Proxy, WEB, Playground; steps: 1. Request for page, 2. Request for page, 3. Page, 4. Modified page, 5. Request for applet, 6. Applet, 7. Modified applet, 8. I/O] Figure 2: The playground ....
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure execution of java applets using a remote playground. Proceedings of the 1998 IEEE Computer Society Symposium on Research in Security and Privacy, pages 40--51, May 1998.
No context found.
D. Malkhi and M. K. Reiter. Secure execution of java applets using a remote playground. Software Engineering, 26(12), 2000.
No context found.
D. Malkhi and M. K. Reiter. Secure execution of java applets using a remote playground. Software Engineering, 26(12), 2000.
No context found.
Dahlia Malkhi, Michael Reiter, and Avi Rubin. Secure execution of Java applets using a remote playground. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 40--51, Oakland, California, May 1998.
No context found.
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure execution of Java applets using a remote playground. In Proc. of the 1998.
No context found.
D. Malkhi and M. K. Reiter. Secure execution of java applets using a remote playground. Software Engineering, 26(12), 2000.
No context found.
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure execution of Java applets using a remote playground. In Proc. of the 1998.
No context found.
D. Malkhi, M. K. Reiter, and A. D. Rubin. Secure Execution of Java Applets using a Remote Playground. In Proceedings of the IEEE Symposium on Security and Privacy, pages 40--51, Oakland, California, May 1998.