Runtime Environment Security Models

The tremendous new potential offered by distributed computing, inside and outside the home and business, also carries with it the necessity to exercise certain security safeguards. As distributed, mobile, and executable content moves among devices, the opportunity for security breaches increases dramatically. Also, as device-todevice e-Commerce services become more automated [11], new types of security threats are emerging. With these drastic changes in computing models comes a greater need for robust application security. For example, “executable content” is the idea of sending code to a remote compute engine to be executed. In addition to flexibility and expressiveness, executable content brings new potential problems. A program received from a remote source must be regarded as nontrusted to some degree, and its access to certain resources must be restricted. However, this new execution model is not bound by the limitations of the operating system because the runtime environment enforces the security policies based on the code’s origin. Both the Java Runtime Environment (JRE) and .NET Framework Common Language Runtime (CLR) security models have the following common security features: language typesafety, bytecode verification, runtime type checking, name space separation via class loading, and fine-grained access control. This paper compares the JRE and the CLR evolutionary security mechanisms. The paper also compares the two models to the Clark-Wilson security model, a formal, application-level model used to ensure the integrity of commercial data. The Clark-Wilson model is a formal presentation of the security policy enforced by a system, and it is useful for testing a policy for completeness and ∗ Other brands and names are the property of their respective owners. consistency. It also helps describe what specific mechanisms are necessary to implement a security policy. Besides exploring the nature and scope of the sandboxbased JRE and CLR security models and comparing them to the Clark-Wilson integrity model, this paper also provides some insight into the future of runtime security.