Confirmed users
162
edits
Security:Bibliography: Difference between revisions
hello, it's not wikipedia, there's no need to get every second word linked
m (→People: wikify) |
(hello, it's not wikipedia, there's no need to get every second word linked) |
||
| Line 11: | Line 11: | ||
=== People === | === People === | ||
[http://www.ics.uci.edu/~franz/ Michael Franz], who is at UC Irvine, spoke at [http://www.research.ibm.com/vee04/talks.html an IBM virtual machine conference] (as of | [http://www.ics.uci.edu/~franz/ Michael Franz], who is at UC Irvine, spoke at [http://www.research.ibm.com/vee04/talks.html an IBM virtual machine conference] (as of 3 August 2006) two years ago where I spoke on Firefox and Mozilla's VM needs. He was kind enough to stop by Mozilla in early March of this year and speak on his past and current work. See links [http://www.ics.uci.edu/%7Efranz/Site/research.html] to his publications. | ||
Michael's focus on virtual machines and compilers points the way toward real browser as well as OS security, transcending the current mode among browser implementors of hacking and patching memory-unsafe C++ code. The most-trusted computing base must not be megalines of code -- it should be the compiler, VM, and security module, at tens or at most hundreds of KSLOCs. | Michael's focus on virtual machines and compilers points the way toward real browser as well as OS security, transcending the current mode among browser implementors of hacking and patching memory-unsafe C++ code. The most-trusted computing base must not be megalines of code -- it should be the compiler, VM, and security module, at tens or at most hundreds of KSLOCs. | ||
| Line 17: | Line 17: | ||
[http://www.cs.cornell.edu/andru/ Andrew Myers], my old pal from SGI days, is a prof at Cornell who has done wonderful work in this area, going back to his thesis at MIT, [http://www.cs.cornell.edu/andru/release/tr783.ps.gz JFlow]. See links [http://www.cs.cornell.edu/andru/pubs-topic.html] to his publications. His slides from this year's PLDI nicely summarize the problem-space we face: [http://www.cs.cornell.edu/andru/pldi06-tutorial Expressing and Enforcing Security with Programming Languages]. | [http://www.cs.cornell.edu/andru/ Andrew Myers], my old pal from SGI days, is a prof at Cornell who has done wonderful work in this area, going back to his thesis at MIT, [http://www.cs.cornell.edu/andru/release/tr783.ps.gz JFlow]. See links [http://www.cs.cornell.edu/andru/pubs-topic.html] to his publications. His slides from this year's PLDI nicely summarize the problem-space we face: [http://www.cs.cornell.edu/andru/pldi06-tutorial Expressing and Enforcing Security with Programming Languages]. | ||
Vincent Simonet and the fine folks at INRIA behind | Vincent Simonet and the fine folks at INRIA behind OCaml have given the world [http://cristal.inria.fr/~simonet/soft/flowcaml/ FlowCaml], OCaml with an information flow type system. | ||
Since JS and the other browser-hosted programming languages are not statically typed, FlowCaml may not seem useful, but with | Since JS and the other browser-hosted programming languages are not statically typed, FlowCaml may not seem useful, but with JS2 (ECMAScript Edition 4), we will have type annotations and the option of a static type checker. The JS2 type system won't support Hindley-Milner type inference, but we anticipate using both types and static checking in Mozilla code, and we should aspire to realize both optimization and security wins from the new type system. | ||
=== Papers === | === Papers === | ||
[Under construction, see links above] | [Under construction, see links above] | ||