The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language

Spiessens, Fred; Roy, Peter Van

doi:10.1007/978-3-540-31845-3_3

Cited by 12 publications

(10 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, localities (named "membranes") are finer grained than kells in OZ/K, but they are used only for communication control (confinement), and do not constitute units of failure isolation, or of passivation. The kell construct in OZ/K seems in line with the proposed design guidelines for a secure OZ, presented in [31].…”

Section: Related Worksupporting

confidence: 71%

Oz/K

Lienhardt

Schmitt

Stefani

2007

Proceedings of the 6th International Conference on Generative Programming and Component Engineering

View full text Add to dashboard Cite

Programming in an open environment remains challenging because it requires combining modularity, security, concurrency, distribution, and dynamicity. In this paper, we propose an approach to open distributed programming that exploits the notion of locality, which has been used in the past decade as a basis for several distributed process calculi such as Mobile Ambients, Dπ, and Seal. We use the locality concept as a form of component that serves as a unit of modularity, of isolation, and of passivation. Specifically, we introduce in this paper OZ/K, a kernel programming language, that adds to the OZ computation model a notion of locality borrowed from the Kell calculus. We present an operational semantics for the language and several examples to illustrate how OZ/K supports open distributed programming.

show abstract

Section: Related Worksupporting

confidence: 71%

Oz/K

Lienhardt

Schmitt

Stefani

2007

Proceedings of the 6th International Conference on Generative Programming and Component Engineering

View full text Add to dashboard Cite

show abstract

“…Modeling it as a passive subject will be as if it could also store authority, again a very coarse approach. Passive subjects are well fit to model state that is shared between active subjects, but that is not generally useful in capability languages that support some form of concurrency: the practice of (secure) concurrent programming strongly deprecates the use of shared state concurrency [SV05a,VH04,Rei03].…”

Section: Discussionmentioning

confidence: 99%

“…Instead of setting up an access control policy separated from the functionality of a program, the programmer controls capability propagation by carefully controlling what entities will invoke what other entities and what will be the input and output arguments. This is not always a simple task, but a well designed capability secure programming language can help [SV05a].…”

Section: Capability Security and Capability Secure Languagesmentioning

confidence: 99%

“…A confused deputy is a deputy that does not know the difference between its own authority and the authority delegated by the client, so that it can be lured into using its own authority on behalf of a faking client. As explained in [Har89,SV05a], capabilities can easily avoid that vulnerability. Scalability: Since references are necessary anyway, combining them with authority does not in the least affect scalability, even as the authority is managed at the finest grained level.…”

Section: Capability Security and Capability Secure Languagesmentioning

confidence: 99%

“…This is certainly not an easy task. Therefore a real capability secure programming language should have no mechanisms that make this task even harder [SV05a]. But since capabilities are the only mechanism that can actually prevent confused deputy attacks [Har89], the task becomes feasible at last.…”

Section: Capability Security and Capability Secure Languagesmentioning

confidence: 99%

See 2 more Smart Citations

A Practical Formal Model for Safety Analysis in Capability-Based Systems

Spiessens

Roy

2005

Trustworthy Global Computing

Self Cite

View full text Add to dashboard Cite

Abstract. We present a formal system that models programmable abstractions for access control. Composite abstractions and patterns of arbitrary complexity are modeled as a configuration of communicating subjects. The subjects in the model can express behavior that corresponds to how information and authority are propagated in capability systems. The formalism is designed to be useful for analyzing how information and authority are confined in arbitrary configurations, but it will also be useful in the reverse sense, to calculate the necessary restrictions in a subject's behavior when a global confinement policy is given. We introduce a subclass of these systems we call "saturated", that can provide safe and tractable approximations for the safety properties in arbitrary configurations of collaborating entities.

show abstract