Security in Untrusted Code Environments: Missing Pieces of the Puzzle

Security enforcement mechanisms for controlling the execution of untrusted component code have evolved away from the strict sandbox confinement toward more flexible code access security. Although the added flexibility has enabled richer functionality and support for more fine-grained policies, component-based security architectures such as Java and .NET still fail to provide several essential features such as restricted delegation of authority, separation of access control from functionality (Java only) and more flexible security policies. We examine the stack inspection mechanism central to policy enforcement on end systems running Java 2 and the .NET Common Language Runtime. Here we reveal that the mechanism has a number of undesirable implications for developers of code components, and may lead to behavior entirely unexpected to users of mobile code. In the context of the evolving web-based computing environment we discuss a set of open challenges before mobile code security architectures, and suggest approaches to address the emerging needs.