Topic: security of remotely executed code

Subtopic: data type verifier

Quote: a language for remotely-loaded code should have a safe type system, garbage-collection, and carefully managed system calls
Quote: bytecode verifier that type is statically defined and always initialized; the Gosling property [»agesO6_1998]
Quote: bytecode verifier allows a variable to retain its type across subroutine calls; requires liveness analysis [»agesO6_1998]
Quote: SafeTSA is compact, type-safe mobile code based on static single assignment; safe by construction with referential integrity, type separation, and type check elimination [»ammeW6_2001]
Quote: one-pass verification of bytecode that is annotated with type certificates at jump targets [»kleiG11_2001]

Subtopic: bytecode verifier

Quote: a bytecode verifier must show that all possible execution paths have the same virtual machine configuration; complicates type checking
Quote: a language for remotely-loaded code should have a safe type system, garbage-collection, and carefully managed system calls
Quote: remotely-loaded code should limit access to the file system, CPU, network, graphics display, and internal state [»deanD5_1996]
Quote: with Java, new code starts untrusted, becomes verified, then transformed into machine code by a trusted compiler [»allmE7_2004]

Subtopic: machine code verifier

Quote: safety check of untrusted machine code by typestate analysis; allows manipulation of host data structures; checks array bounds, address alignment, initialization, null pointers, stack manipulation [»xuZ6_2000]
Quote: prototype safety check for SPARC code; practical; found error in page-replacement; identified array out-of-bounds [»xuZ6_2000]

Subtopic: integrity verifier

Quote: verify the integrity of an embedded device by computing partial hash of its contents; problem of man in the middle attack [»spinD2_2000]

Subtopic: remote boot protocol

Quote: with a remote boot protocol can have high confidence in the integrity of a system despite a hostile environment and network [»lomaM1_1995]

Subtopic: security flaws

Quote: remotely-loaded code may have security flaws. For example, Java has many security flaws such as covert channels and lacking a formal security policy [»deanD5_1996]
Quote: a Java applet can busy-wait, allocate unbounded amounts of memory, or lock critical pieces of the browser [»deanD5_1996]

Subtopic: security dialogs

Quote: use natural interfaces instead of security dialogs, e.g., 'Paste to Applet'. Keep the user in control [»deanD5_1996]
Quote: a teleconferencing applet needs the same access rights as a bugged phone; need an unforgeable capability and an explicit "push to talk" [»deanD5_1996]
Quote: applets should request capabilities when first loaded with a digital signature to thwart spoofing attacks; otherwise users will disable security checks [»deanD5_1996]
Quote: an untrusted applet can use a trusted dialog box to gain access to files and other system resources [»deanD5_1996]

Subtopic: user-level access to system

Quote: SPIN uses externalized references for user-level access to in-kernel data structures; i.e., index into a per-application table [»bersBN12_1995]
Quote: SPIN depends only on Modula-3's interfaces, type safety, and automatic memory management; no dangling pointers or array overflow [»bersBN12_1995]

Subtopic: software registry

Quote: maintain a distributed system with a global registry of software modules; unique identifier for name, version, security interface, and performance parameters; modules exchange ids [»fedaA3_1997]

Subtopic: problems with code signing

Quote: code signing does not make sense; is a signer trusted? are signed components safe? in what degree is it safe? where is the evidence stored? [»schnB_2000]
Quote: storing the evidence of an attack on the computer under attack is mostly useless

Related Topics

Topic: extensible systems (22 items)
Topic: distributed system security (17 items)
Topic: implementing distributed systems and applications (41 items)
Topic: interpreter (59 items)
Topic: just-in-time compilation (20 items)
Topic: mobile code (14 items)
Topic: reliability of distributed systems (35 items)
Topic: security by secure domains (45 items)
Topic: security issues with electronic mail (18 items)
Topic: security leaks and weaknesses (67 items)
Topic: trust (21 items)

Updated barberCB 6/05
Copyright © 2002-2008 by C. Bradford Barber. All rights reserved.
Thesa is a trademark of C. Bradford Barber.