References

1

R. Anand, N. Islam, T. Jaeger, and J. R. Rao. A flexible security model for using Internet content. IEEE Software, 1997.

2

J. P. Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51, James P. Anderson and Co., Fort Washington, PA, USA, 1972.

3

A. Berman, V. Bourassa, and E. Selberg. TRON: Process-specific file protection for the UNIX operating system. In Proceedings of the 1995 USENIX Winter Technical Conference, pages 165-175, 1995.

4

N. S. Borenstein. Email with a mind of its own: The Safe-Tcl language for enabled mail. In ULPAA '94, pages 389-402, 1994.

5

A. Dan, A. Mohindra, R. Ramaswami, and D. Sitaram. ChakraVyuha: A sandbox operating system for the controlled execution of alien code. Technical Report 20742, IBM T. J. Watson Research Center, 1997.

6

C. Friberg and A. Held. Support for discretionary role-based access control in acl-oriented operating systems. In Proceedings of the Second ACM Role-Based Access Control Workshop, November 1997.

7

F. S. Gallo. Penguin: Java done right. The Perl Journal, 1(2):10-12, 1996.

8

I. Goldberg, D. Wagner, R. Thomas, and E. Brewer. A secure environment for untrusted helper applications. In Proceedings of the 6th USENIX Security Symposium, pages 1-14, July 1996.

9

L. Gong. A secure identity-based capability system. In IEEE Symposium on Security and Privacy, pages 56-63, 1989.

10

L. Gong. New security architectural directions for Java. In IEEE COMPCON '97, February 1997.

11

R. Grimm and B. Bershad. Security for extensible systems. In Proceedings of the Sixth Workshop on Hot Topics in Operating Systems, pages 62-66, May 1997.

12

T. Jaeger, F. Giraud, N. Islam, and J. Liedtke. A role-based access control model for protection domain derivation and management. In Proceedings of the Second ACM Role-Based Access Control Workshop, November 1997.

13

T. Jaeger, N. Islam, R. Anand, A. Prakash, and J. Liedtke. Flexible control of downloaded executable content. Technical Report RC 20886, IBM T. J. Watson Research Center, 1997.

14

T. Jaeger and A. Prakash. Support for the file system security requirements of computational e-mail systems. In Proceedings of the 2nd ACM Conference on Computer and Communications Security, pages 1-9, 1994.

15

T. Jaeger, A. Rubin, and A. Prakash. Building systems that flexibly control downloaded executable content. In Proceedings of the 6th USENIX Security Symposium, pages 131-148, July 1996.

16

P. A. Karger. Improving Security and Performance for Capability Systems. PhD thesis, University of Cambridge, 1988.

17

B. Lampson. Protection. ACM Operating Systems Review, 8(1):18-24, January 1974.

18

J. Liedtke. Improving IPC by kernel design. In Proceedings of the 14th Symposium on Operating Systems Principles, pages 175-187, 1993.

19

D. Mazieres and M. F. Kaashoek. Secure applications need flexible operating systems. In Proceedings of the Sixth Workshop on Hot Topics in Operating Systems, pages 56-61, May 1997.

20

P. G. Neumann, R. S. Boyer, R. J. Feiertag, K. N. Levitt, and L. Robinson. A provably secure operating system: The system, its applications, and proofs. Technical Report CSL-116, SRI International, 1990.

21

J. Ousterhout, J. Levy, and B. Welch. The Safe-Tcl security model, 1997. Available at https://www.sunlabs.com/ ouster/safeTcl.html.

22

D. D. Redell. Naming and Protection in Extensible Operating Systems. PhD thesis, University of California, Berkeley, 1974. Published as Project MAC TR-140, Massachusetts Institute of Technology.

23

J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, September 1975.

24

G. van Rossum. Grail - The browser for the rest of us (draft), 1996. Available at https://monty.cnri.reston.va.us/grail/.

25

D. Wallach, D. Balfanz, D. Dean, and E. W. Felten. Extensible security architectures for java. Technical Report 546-97, Princeton University, 1997.

26

D. Wallach, D. Balfanz, D. Dean, and E. W. Felten. Extensible security architectures for java. In Proceedings of the 16th Symposium on Operating Systems Principles, 1997.

27

E. Wobber, M. Abadi, M. Burrows, and B. Lampson. Authentication in the Taos operating system. ACM Transactions on Computer Systems, 12(1):3-32, February 1994.

28

W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and F. Pollack. HYDRA: The kernel of a multiprocessor operating system. Communications of the ACM, 17(6):337-345, June 1974.