Current models of Internet Computing are highly asymmetric - a host protects itself from malicious mobile Java programs, but there is no way to get assurances about the behavior of a program running remotely. The asymmetry stems from a behavior-based security model: hosts ensure conformance to a given security policy by restricting the actions of programs. In contrast, security models that are based on cryptography (including code signing) are inherently symmetric by design but do not match the open architecture of the Internet and are unsuitable for reasoning about program behavior. We propose a new paradigm that combines the openness of the former with the symmetry of the latter and thereby enables completely new applications in a globally connected world.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Computer Emergency Response Team (CERT); CERT/CC Annual Report, 2003, http://www.cert.org
	2	George C. Necula, A Scalable Architecture for Proof-Carrying Code, Proceedings of the 5th International Symposium on Functional and Logic Programming, p.21-39, March 07-09, 2001
	3	Ken Ashcraft , Dawson Engler, Using Programmer-Written Compiler Extensions to Catch Security Holes, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.143, May 12-15, 2002
	4	Ulfar Erlingsson , Fred B. Schneider, IRM Enforcement of Java Stack Inspection, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.246, May 14-17, 2000
	5	Trusted Computing Group (TCG); TCG PC Specific Implementation Specification; August 2003.
	6	Vivek Haldar, Deepak Chandra, and Michael Franz; Semantic Remote attestation: A Virtual Machine Directed Approach to Trusted Computing; USENIX Virtual Machine Research and Technology Symposium, May 2004.
	7	Vivek Haldar and Michael Franz; Mandatory Access Control at the Object Level in the Java Virtual Machine; Technical Report 04-06, Information and Computer Science, University of California, Irvine.
	8	Tim Lindholm , Frank Yellin, Java Virtual Machine Specification, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1999
	9	David Platt, Introducing Microsoft .NET, Third Edition, Microsoft Press, Redmond, WA, 2003
	10	Ross Anderson; Cryptography and Competition Policy-Issues with Trusted Computing; 2nd Annual Workshop on Economics and Information Security, May 2003.
	11	Andrei Sabelfeld, Andrew C. Myers; Language-Based Information-Flow Security; IEEE Journal on Selected areas in Communications, special issue on Formal Methods for Security, 21 (1), January 2003
	12	B. Chen and R. Morris; Certifying program execution with secure processors; USENIX HotOS Workshop, May 2003.
	13	W. A. Arbaugh , D. J. Farber , J. M. Smith, A secure and reliable bootstrap architecture, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.65, May 04-07, 1997
	14	M. Gasser, A. Goldstein, C. Kaufman, and B. Lampson; The digital distributed system security architecture; 12th NIST-NCSC National Computer Security Conference, pages 305--319, 1989.
	15	Tal Garfinkel , Ben Pfaff , Jim Chow , Mendel Rosenblum , Dan Boneh, Terra: a virtual machine-based platform for trusted computing, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	16	T. Garfinkel, M. Rosenblum, and D. Boneh; Flexible OS support and applications for Trusted Computing; 9th Workshop on Hot Topics in Operating Systems (HotOS-VIII), May 2003.
	17	Ahmad-Reza Sadeghi , Christian Stüble, Property-based attestation for computing platforms: caring about properties, not mechanisms, Proceedings of the 2004 workshop on New security paradigms, September 20-23, 2004, Nova Scotia, Canada  [doi>10.1145/1065907.1066038]
	18	Ernie Brickell , Jan Camenisch , Liqun Chen, Direct anonymous attestation, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030103]