Team for Research in
Ubiquitous Secure Technology

Joe-E: A Security-Oriented Subset of Java
Adrian Mettler, David Wagner, Tyler Close

Citation
Adrian Mettler, David Wagner, Tyler Close. "Joe-E: A Security-Oriented Subset of Java". Network and Distributed Systems Symposium, Internet Society, 2010.

Abstract
We present Joe-E, a language designed to support the development of secure software systems. Joe-E is a subset of Java that makes it easier to architect and implement programs with strong security properties that can be checked during a security review. It enables programmers to apply the principle of least privilege to their programs; implement application-specific reference monitors that cannot be bypassed; introduce and use domain-specific security abstractions; safely execute and interact with untrusted code; and build secure, extensible systems. Joe-E demonstrates how it is possible to achieve the strong security properties of an object-capability language while retaining the features and feel of a mainstream object-oriented language. Additionally, we present ways in which Java’s static type safety complements object-capability analysis and permits additional security properties to be verified statically, compared with previous object-capability languages which rely on runtime checks. In this paper, we describe the design and implementation of Joe-E and its advantages for security and auditability over standard Java. We demonstrate how Joe-E can be used to develop systems with novel security properties that would be difficult or impossible to ensure otherwise, including a web application platform that provides transparent, transactional object persistence and can safely host multiple mutually-distrustful applications in a single JVM.

Citation formats
  • HTML
    Adrian Mettler, David Wagner, Tyler Close. <a href="http://www.truststc.org/pubs/652.html">Joe-E: A Security-Oriented Subset of Java</a>, Network and Distributed Systems Symposium, Internet Society, 2010.
  • Plain text
    Adrian Mettler, David Wagner, Tyler Close. "Joe-E: A
    Security-Oriented Subset of Java". Network and
    Distributed Systems Symposium, Internet Society, 2010.
  • BibTeX
    @inproceedings{MettlerWagnerClose10_JoeESecurityOrientedSubsetOfJava,
        author = {Adrian Mettler and David Wagner and Tyler Close},
        title = {Joe-E: A Security-Oriented Subset of Java},
        booktitle = {Network and Distributed Systems Symposium},
        organization = {Internet Society},
        year = {2010},
        abstract = {We present Joe-E, a language designed to support
                  the development of secure software systems. Joe-E
                  is a subset of Java that makes it easier to
                  architect and implement programs with strong
                  security properties that can be checked during a
                  security review. It enables programmers to apply
                  the principle of least privilege to their
                  programs; implement application-specific reference
                  monitors that cannot be bypassed; introduce and
                  use domain-specific security abstractions; safely
                  execute and interact with untrusted code; and
                  build secure, extensible systems. Joe-E
                  demonstrates how it is possible to achieve the
                  strong security properties of an object-capability
                  language while retaining the features and feel of
                  a mainstream object-oriented language.
                  Additionally, we present ways in which Java’s
                  static type safety complements object-capability
                  analysis and permits additional security
                  properties to be verified statically, compared
                  with previous object-capability languages which
                  rely on runtime checks. In this paper, we describe
                  the design and implementation of Joe-E and its
                  advantages for security and auditability over
                  standard Java. We demonstrate how Joe-E can be
                  used to develop systems with novel security
                  properties that would be difficult or impossible
                  to ensure otherwise, including a web application
                  platform that provides transparent, transactional
                  object persistence and can safely host multiple
                  mutually-distrustful applications in a single JVM. },
        URL = {http://www.truststc.org/pubs/652.html}
    }

Posted by Adrian Mettler on 19 Feb 2010.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.