References

1

ANDERSON, T. E., LEVY, H. M., BERSHAD, B. N., AND LAZOWSKA, E. D.
The interaction of architecture and operating system design.
In Proceedings of the Fourth ACM Symposium on Architectural Support for Programming Languages and Operating Systems (1991).

2

BADGER, L., STERNE, D. F., SHERMAN, D. L., WALKER, K. M., AND HAGHIGHAT, S. A.
Practical domain and type enforcement for UNIX.
In Proceedings of the 1995 IEEE Symposium on Security and Privacy (1995), pp. 66-77.

3

BERSHAD, B. N., SAVAGE, S., PARDYAK, P., SIRER, E. G., FIUCZYNSKI, M., BECKER, D., EGGERS, S., AND CHAMBERS, C.
Extensibility, safety, and performance in the SPIN operating system.
In Proceedings of 15th ACM Symposium on Operating Systems Principles (Dec. 1995), pp. 251-266.

4

BERSTIS, V., TRUXAL, C. D., AND RANWEILER, J. G.
System/38 addressing and authorization.
In IBM System/38 Technical Developments, 2nd ed. IBM, July 1980, pp. 51-54.

5

BIRRELL, A., NELSON, G., OWICKI, S., AND WOBBER, E.
Network objects.
In Proceedings of 13th ACM Symposium on Operating Systems Principles (Dec. 1993), pp. 217-230.

6

BORENSTEIN, N. S.
Email with a mind of its own: The Safe-Tcl language for enabled mail.
In IFIP International Working Conference on Upper Layer Protocols, Architectures and Applications (1994).

7

CLARK, D., AND WILSON, D.
A comparison of commercial and military computer security policies.
In Proceedings of the 1987 IEEE Symposium on Security and Privacy (Oakland, CA, May 1987).

8

DEAN, D., FELTEN, E. W., AND WALLACH, D. S.
Java security: From HotJava to Netscape and beyond.
In Proceedings of the 1996 IEEE Symposium on Security and Privacy (Oakland, CA, May 1996), pp. 190-200.

9

DROSSOPOULOU, S., AND EISENBACH, S.
Java is type safe -- probably.
In Proceedings of the Eleventh European Conference on Object-Oriented Programming (June 1997).

10

ELECTRIC COMMUNITIES.
The Electric Communities Trust Manager and Its Use to Secure Java, Sept. 1996.
http://www.communities.com/company/papers/trust/.

11

FABRY, R. S.
Capability-based addressing.
Communications of the ACM 17, 7 (July 1974), 403-411.

12

FLANAGAN, D.
JavaScript: The Definitive Guide, 2nd ed.
O'Reilly & Associates, Inc., Jan. 1997.

13

FREIER, A. O., KARLTON, P., AND KOCHER, P. C.
The SSL Protocol: Version 3.0, Mar. 1996.
Internet draft, ftp://ietf.cnri.reston.va.us/internet-drafts/draft-freier-ssl-version3-01.txt.

14

GOLDSTEIN, T.
The Gateway Security Model in the Java Electronic Commerce Framework.
JavaSoft, Nov. 1996.
http://www.javasoft.com/products/commerce/jecf_gateway.ps.

15

GONG, L.
A secure identity-based capability system.
In Proceedings of the 1989 IEEE Symposium on Security and Privacy (Oakland, CA, May 1989), pp. 56-63.

16

GONG, L.
New security architectural directions for Java.
In Proceedings of IEEE COMPCON '97 (Feb. 1997).

17

GONG, L.
personal communication, 1997.

18

GOSLING, J., JOY, B., AND STEELE, G.
The Java Language Specification.
Addison-Wesley, 1996.

19

HARDY, N.
KeyKOS architecture.
ACM Operating Systems Review 19, 4 (Oct. 1985), 8-25.

20

HU, W.
DCE Security Programming.
O'Reilly & Associates, Inc., July 1995.

21

JAEGER, T., RUBIN, A. D., AND PRAKASH, A.
Building systems that flexibly control downloaded executable content.
In Sixth USENIX Security Symposium Proceedings (San Jose, CA, July 1996), pp. 131-148.

22

JONES, A. K., AND LISKOV, B. H.
A language extension for controlling access to shared data.
IEEE Transactions on Software Engineering SE-2, 4 (Dec. 1976), 277-285.

23

KAIN, R. Y., AND LANDWEHR, C. E.
On access checking in capability-based systems.
IEEE Transactions on Software Engineering SE-13, 2 (Feb. 1987), 202-207.

24

KARGER, P. A., AND HERBERT, A. J.
An augmented capability architecture to support lattice security and traceability of access.
In Proceedings of the 1984 IEEE Symposium on Security and Privacy (Oakland, CA, May 1984), pp. 2-12.

25

LAMPSON, B. W.
Protection.
In Proceedings of the Fifth Princeton Symposium on Information Sciences and Systems (Princeton University, Mar. 1971), pp. 437-443.
Reprinted in Operating Systems Review, 8(1):18-24, Jan. 1974.

26

LAMPSON, B. W.
A note on the confinement problem.
Communications of the ACM 16, 10 (Oct. 1973), 613-615.

27

LEVY, H. M.
Capability-Based Computer Systems.
Digital Press, 1984.

28

LINDHOLM, T., AND YELLIN, F.
The Java Virtual Machine Specification.
Addison-Wesley, 1996.

29

MCGRAW, G., AND FELTEN, E. W.
Java Security: Hostile Applets, Holes, and Antidotes.
John Wiley and Sons, 1996.

30

MICROSOFT CORPORATION.
Proposal for Authenticating Code Via the Internet, Apr. 1996.
http://www.microsoft.com/security/tech/authcode/authcode-f.htm.

31

MILNER, R., AND TOFTE, M.
Commentary on Standard ML.
MIT Press, Cambridge, MA, 1991.

32

NATIONAL COMPUTER SECURITY CENTER.
Department of Defense Trusted Computer System Evaluation Criteria (The Orange Book).
1985.

33

NECULA, G. C., AND LEE, P.
Safe kernel extensions without run-time checking.
In Proceedings of the Second Symposium on Operating Systems Design and Implementation (OSDI '96) (Seattle, WA, Oct. 1996), pp. 229-243.

34

NEUMANN, P. G., BOYER, R. S., FEIERTAG, R. J., LEVITT, K. N., AND ROBINSON, L.
A provably secure operating system: The system, its applications, and proofs.
Tech. Rep. CSL-116, 2nd Ed., SRI International, May 1980.

35

OBJECT MANAGEMENT GROUP.
Common Secure Interoperability, July 1996.
OMG Document Number: orbos/96-06-20.

36

OUSTERHOUT, J. K.
Why aren't operating systems getting faster as fast as hardware?
In Proceedings of Summer 1990 USENIX Conference (June 1990), pp. 247-256.

37

PIKE, R., PRESOTTO, D., THOMPSON, K., AND TRICKEY, H.
Plan 9 from Bell Labs.
In Proceedings of the Summer 1990 UKUUG Conference (London, July 1990), pp. 1-9.

38

REES, J. A.
A security kernel based on the lambda-calculus.
Tech. Rep. A.I. Memo No. 1564, Massachusetts Institute of Technology, Artificial Intelligence Laboratory, Mar. 1996.

39

SALTZER, J. H., AND SCHROEDER, M. D.
The protection of information in computer systems.
Proceedings of the IEEE 63, 9 (Sept. 1975), 1278-1308.

40

SCHMITT, B.
Shockwave Studio: Designing Multimedia for the Web.
O'Reilly & Associates, Inc., Mar. 1997.

41

SCHROEDER, M. D., AND SALTZER, J. H.
A hardware architecture for implementing protection rings.
Communications of the ACM 15, 3 (Mar. 1972), 157-170.

42

SELTZER, M. I., ENDO, Y., SMALL, C., AND SMITH, K. A.
Dealing with disaster: Surviving misbehaved kernel extensions.
In Proceedings of the Second Symposium on Operating Systems Design and Implementation (OSDI '96) (Oct. 1996), pp. 213-227.

43

SIEGEL, J., Ed.
CORBA Fundamentals and Programming.
John Wiley and Sons, 1996.

44

TANENBAUM, A. S., MULLENDER, S. J., AND VAN RENESSE, R.
Using sparse capabilities in a distributed operating system.
In 6th International Conference on Distributed Computing Systems (Cambridge, MA, May 1986), pp. 558-563.

45

VAN DOORN, L., ABADI, M., BURROWS, M., AND WOBBER, E.
Secure network objects.
In Proceedings of the 1996 IEEE Symposium on Security and Privacy (Oakland, CA, May 1996).

46

WAHBE, R., LUCCO, S., ANDERSON, T. E., AND GRAHAM, S.
Efficient software-based fault isolation.
In Proceedings of the Fourteenth Symposium on Operating System Principles (1993).

47

WOBBER, E., ABADI, M., BURROWS, M., AND LAMPSON, B.
Authentication in the Taos operating system.
ACM Transactions on Computer Systems 12, 1 (Feb. 1994), 3-32.