Soft boundaries for statically enforceable protection domains
As safe languages, such as Java, are increasingly used to run larger, multi-task applications, many of the security concerns historically solved by hardware-enforced protection domains are again finding their way into code. Previous schemes to enforce protection domains within the Java language have accepted run-time overhead and severe limitations on sharing semantics as a reasonable cost of achieving security. This thesis proposes soft boundaries to attain the benefits of separation without additional run-time overhead and without compromising Java semantics. Soft boundaries use static analysis to assist the programmer in isolating components, protecting both a program's data and its control flow. Soft boundaries can be deployed either independently or in conjunction with previous separation schemes to further bolster separation.
A First-Class Approach to Genericity
This paper describes how to add first-class generic types, including mixins, to strongly-typed OO languages with nominal subtyping such as Java and C#. A generic type system is "first-class" if generic types can appear in any context where conventional types can appear. In this context, a mixin is simply a generic class that extends one of its type parameters, e.g., a class C<T> that extends T. Although mixins of this form are widely used in C++ (via templates), they are clumsy and error-prone because C++ treats mixins as macros, forcing each mixin instantiation to be separately compiled and type-checked. The abstraction embodied in a mixin is never separately analyzed.
Mixins in Generic Java are Sound
This technical report presents a type soundness proof for Core MixGen, a small formal language designed for studying the addition of first-class genericity to Java. Core MixGen captures the most intricate aspects of the MixGen programming language, an efficient extension of Java, proposed by Allen, Bannet, and Cartwright, that adds first-class genericity while maintaining full compatibility with the existing JVM [4]. We begin by reviewing the semantics of Core MixGen, and proceed by establishing several key lemmas. Finally, we conclude by establishing preservation and progress theorems. To our knowledge, this proof is the first type soundness result for a precisely typed, object-oriented programming language with mixins.
A First-Class Approach to Java Genericity
We describe MixGen, a generalization of Generic Java in which all generic types are first-class: they can be used in any context where a conventional Java type can appear. The most interesting consequence of this generalization is the fact that the language includes hygienic mixins, class extensions that have been abstracted with respect to their superclass. These abstractions are hygienic in that they avoid "accidental method overriding" when a mixin is applied to a specific superclass. MixGen is based on the NextGen formulation of Generic Java in which generic classes carry run-time parametric type information. In this paper, we present an operational semantics for a core subset of MixGen, we prove type soundness for this core, and we describe how MixGen can be implemented on top of the existing Java Virtual Machine (version 1.4). In doing so, we provide the first practical formulation of mixins to support precise parametric type checking.
Hack-a-Vote: Demonstrating Security Issues with Electronic Voting Systems
A representative democracy depends on a universally trusted voting system for the election of representatives; voters need to believe that their votes count, and all parties need to be convinced that the winner and loser of the election were declared legitimately. Direct recording electronic (DRE) voting systems are increasingly being deployed to fill this role. Unfortunately, doubts have been raised as to the trustworthiness of these systems. This article presents a research voting system and an associated class project that were used to demonstrate several classes of bugs that might occur in such a voting system unbeknownst to voters, and the difficulty of detecting these bugs through auditing. The intent of this project is to justify the mistrust sometimes placed in DRE voting systems that lack a voter-verifiable audit trail.