Securing Java with Local Policies

Massimo Bartoletti, Dipartimento di Matematica e Informatica, Università degli Studi di Cagliari, Italy
Gabriele Costa, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy
Pierpaolo Degano, Dipartimento di Informatica, Università di Pisa, Italy
Fabio Martinelli, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy
Roberto Zunino, Dipartimento di Ingegneria e Scienza dell'Informazione, Università degli Studi di Trento, Italy




We propose an extension to the security model of Java that allows for specifying, analysing and enforcing history-based usage policies. Policies are defined by usage automata, which recognize the forbidden execution histories. Programmers can sandbox an untrusted piece of code with a policy, which is enforced at run-time through its local scope. A static analysis allows for optimizing the execution monitor: only the policies not guaranteed to be always obeyed will be enforced at run-time.

Note: Due to the typographical sophistication of this article, no HTML version is available. Please use the PDF version.

About the authors


Massimo Bartoletti received the PhD degree in Computer Science from the University of Pisa in 2005, and he is now a researcher at the Computer Science Department of the University of Cagliari, Italy. His current research interests are language-based security and security issues in service-oriented computing. Other research interests include control flow analysis and type systems for functional and object-oriented languages. He can be reached at


Pierpaolo Degano has been full professor of Computer Science since 1990 and, since 1993, he has been at the Department of Computer Science, University of Pisa, being head from 1993 to 1996; since 2006 he is the chairman of the Ph.D. programme in Computer Science; from 1999 to 2003 he chaired the Italian Association of Professors of Computer Science. Pierpaolo Degano served as program chair of many international conferences and as guest editor of many international journals; he served as member of the Steering Committees of TAPSOFT, ETAPS, EATCS, and co-founded the IFIP TC1 WG 1.7 on Theoretical Foundations of Security Analysis and Design; since 2005 he is member of the Board of Directors of the Microsoft Research - University of Trento Center for Computational and Systems Biology. His main areas of interest have been, or are, security of concurrent and mobile systems, computational systems biology, semantics and concurrency, methods and tools for program verification and evaluation, and programming tools. He can be reached at

Gabriele Costa is a Ph.D. student in Computer Science at the University of Pisa and a researcher of the security group of the National Research Council (CNR). His research interests include foundational and practical aspects of programming language security. He can be reached at

Fabio Martinelli (M.Sc. 1994, Ph.D. 1999) is a senior researcher of IIT-CNR, Pisa, where he is the scientific coordinator of the security group. His main research interests involve security and privacy in distributed and mobile systems and foundations of security and trust. He serves as PC-chair/organizer in several international conferences/workshops. He is the co-initiator of the International Workshop series on Formal Aspects in Security and Trust (FAST). He is serving as scientific co-director of the international research school on Foundations of Security Analysis and Design (FOSAD) since the 2004 edition. He chairs the WG on security and trust management (STM) of the European Research Consortium in Informatics and Mathematics (ERCIM). He usually manages R&D projects on information and communication security and he is involved in several FP6/7 EU projects. He can be reached at


Roberto Zunino (M.Sc. 2002, Ph.D. 2006) is assistant professor at the Department of Information Engineering and Computer Science of the University of Trento, Italy. His current research topics include computer security, crypto-protocol verification techniques, and bioinformatics. Other research interests include language-based security and type systems. He can be reached at

Massimo Bartoletti, Gabriele Costa, Pierpaolo Degano, Fabio Martinelli, and Roberto Zunino: "Securing Java with Local Policies", in Journal of Object Technology, vol. 8, no. 4, Special Issue: Workshop FTfJP and IWACO at ECOOP 08, June 2009, pp. 5-32
