The ability to send mobile code from one machine to another is one of the most important enabling technologies of the Internet age. Mobile code, especially in target-machine-independent forms, greatly alleviates many long-standing problems of software distribution, version control, and maintenance. It also makes entirely new approaches possible, such as "executable content" within documents.
Unfortunately, using mobile code is fraught with risks. If an adversary succeeds in deceiving us into executing a malicious program he or she supplied, the consequences can be catastrophic: loss of confidentiality, loss of information integrity, loss of the information itself, or a combination of these. Hence, we must at all costs avoid executing programs that can cause such harm.
The first line of defense against such incidents is to use physical and logical access controls to shield all computer systems, all communications among them, and the information itself against intruders.
A second line of defense is to use cryptographic authentication mechanisms to detect mobile code that did not originate with a known and trusted code provider or that has been tampered with in transit.
This research concerns itself with a third line of defense that is independent of and complementary to the first two. Assume that an intruder has successfully penetrated our system (breaking defense #1) and is able to present us with a mobile program that falsely authenticates itself as uncompromised and originating from a trusted party (breaking defense #2). How do we nevertheless prevent it from causing any damage?
To answer this question, we are working on a representation for target-machine-independent mobile programs that can provably encode only legal programs. Hence, there is no way an adversary can substitute a malicious program that corrupts its host computer system: every well-formed mobile program expressible in our encoding is guaranteed to map back to a source program that is legal in the original source context, and mobile programs that are not well-formed can be rejected trivially. Further, our encoding not only guarantees referential integrity and type safety within a single distribution module, but also enforces these properties across compilation-unit boundaries.
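To make the "safe by construction" idea concrete, the following is an added illustration written for this page; it is not Franz's encoding and makes no claim about its actual format, opcodes or data structures. It shows the principle in miniature: every instruction names its operands as indices into per-type tables of values produced earlier in the stream, so a reference to an undefined value or to a value of the wrong type has no encoding at all. The opcode numbers, the tiny int/bool language and the sample byte strings are all constructed for the example. Note how the decoder needs no separate verifier pass: the only way a byte stream can fail is an out-of-range index or truncation, both of which are caught at the point of reference.

```python
"""Toy mobile-code format whose well-formed programs are type-safe and
referentially intact by construction (illustrative, not SafeTSA/Juice).

Each instruction refers to operands by index into a per-type table of
values defined earlier. ADD can only name ints, AND can only name bools,
so a type-incorrect program is simply unrepresentable; a dangling
reference is an out-of-range index and is rejected while decoding.
"""

# Hypothetical opcodes chosen for this illustration.
CONST_INT, ADD, LT, AND, IF, RET = range(6)


class MalformedProgram(ValueError):
    """Raised for any byte stream that is not a well-formed program."""


def decode(code: bytes):
    """Decode `code` back into (source_text, value).

    Decoding reconstructs the source expression and evaluates it in one
    pass; any reference that does not resolve raises MalformedProgram.
    """
    ints, bools = [], []          # per-type tables of (source, value)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(code):
            raise MalformedProgram("truncated program")
        b = code[pos]
        pos += 1
        return b

    def ref(table, idx):
        # Referential integrity: an operand must name an existing value
        # of the expected type (the table itself fixes the type).
        if not 0 <= idx < len(table):
            raise MalformedProgram(f"operand {idx} names no defined value")
        return table[idx]

    while pos < len(code):
        op = take()
        if op == CONST_INT:                       # immediate 0..255
            n = take()
            ints.append((str(n), n))
        elif op == ADD:                           # int, int -> int
            (sa, a), (sb, b) = ref(ints, take()), ref(ints, take())
            ints.append((f"({sa} + {sb})", a + b))
        elif op == LT:                            # int, int -> bool
            (sa, a), (sb, b) = ref(ints, take()), ref(ints, take())
            bools.append((f"({sa} < {sb})", a < b))
        elif op == AND:                           # bool, bool -> bool
            (sa, a), (sb, b) = ref(bools, take()), ref(bools, take())
            bools.append((f"({sa} and {sb})", a and b))
        elif op == IF:                            # bool, int, int -> int
            (sc, c) = ref(bools, take())
            (st, t), (se, e) = ref(ints, take()), ref(ints, take())
            ints.append((f"({st} if {sc} else {se})", t if c else e))
        elif op == RET:                           # int -> program result
            return ref(ints, take())
        else:
            raise MalformedProgram(f"unknown opcode {op}")
    raise MalformedProgram("program has no RET")


def is_well_formed(code: bytes) -> bool:
    """True iff `code` decodes, i.e. is a legal program in this format."""
    try:
        decode(code)
        return True
    except MalformedProgram:
        return False


# Constructed sample: ((3 + 4) if (3 < 4) else 9)
GOOD_PROGRAM = bytes([
    CONST_INT, 3,        # ints[0] = 3
    CONST_INT, 4,        # ints[1] = 4
    CONST_INT, 9,        # ints[2] = 9
    ADD, 0, 1,           # ints[3] = 3 + 4
    LT, 0, 1,            # bools[0] = 3 < 4
    IF, 0, 3, 2,         # ints[4] = ints[3] if bools[0] else ints[2]
    RET, 4,
])

# Constructed tampering: point IF's condition at bools[5], which does
# not exist. The decoder rejects it the moment the reference is read.
TAMPERED_PROGRAM = bytearray(GOOD_PROGRAM)
TAMPERED_PROGRAM[13] = 5
TAMPERED_PROGRAM = bytes(TAMPERED_PROGRAM)

if __name__ == "__main__":
    print(decode(GOOD_PROGRAM))
    print(is_well_formed(TAMPERED_PROGRAM))
```

Because ADD's operands index only the int table, there is no byte sequence at all that adds a bool to an int; the class of programs a verifier would have to reject is not even expressible, which is the property the abstract above is after. A flat, untyped value table would instead require a second verification pass over the decoded program, which is where both the overhead and the risk of verifier bugs creep in.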
A problem of previous approaches to mobile-code security has been that the additional provisions for security lead to a loss of efficiency, often to the extent of making an otherwise sound security scheme unusable for all but "toy" programs. This research deviates from the common approach of studying security in isolation and instead integrates it with other aspects of mobile-code quality. Additional qualities to consider are the mobile-code format's encoding density (an important factor for transfer over wireless networks) and the ease with which high-quality native code can be generated by a just-in-time compiler at the eventual target site.
Speaker: Prof. Dr. Michael Franz,
Department of Information and Computer Science
University of California at Irvine
USA
Date and time: Friday, 12 May 2000, 2 p.m. c.t.
Venue: Lecture hall HS 3, Universität Klagenfurt
Prof. Michael Franz leads a research group of 12 Ph.D. students and one post-doctoral researcher at the University of California, Irvine. His research is grouped into three main threads: dynamic optimization ("accelerate a program while it is already running"), mobile program representations ("alternatives to the Java Virtual Machine"), and component-oriented languages and software systems ("paradigms beyond object-oriented programming"). Franz received a Dr. sc. techn. degree in computer science and a Dipl. Informatik-Ing. degree, both from the Swiss Federal Institute of Technology, ETH Zurich.