The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language

  • Fred Spiessens
  • Peter Van Roy
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3389)


The design and implementation of a capability-secure multi-paradigm language should be guided from its conception by proven principles of secure language design. In this position paper we present the Oz-E project, aimed at building an Oz-like secure language, named in tribute to E [MMF00] and to its designers and users, who contributed greatly to the ideas presented here.

We synthesize the principles for secure language design from experience with two capability-secure languages: E and the W7 security kernel for Scheme 48 [Ree96]. These principles will serve as the primary guidelines throughout the project. We propose a layered structure for Oz-E and discuss some important security concerns, without aiming for completeness at this early stage.




  1. [Arm03]
    Armstrong, J.: Making Reliable Distributed Systems in the Presence of Software Errors. PhD thesis, Royal Institute of Technology (KTH), Stockholm (December 2003)
  2. [AWWV96]
    Armstrong, J., Williams, M., Wikström, C., Virding, R.: Concurrent Programming in Erlang. Prentice-Hall, Englewood Cliffs (1996)
  3. [BKB04]
    Banna, Z.E., Klintskog, E., Brand, P.: Report on security services in distribution subsystem. Technical Report PEPITO Project Deliverable D4.4 (EU contract IST-2001-33234), K.T.H., Stockholm (January 2004)
  4. [CF91]
    Cartwright, R., Fagan, M.: Soft typing. In: Proceedings of the SIGPLAN 1991 Conference on Programming Language Design and Implementation, pp. 278–292 (1991)
  5. [GHJV94]
    Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison Wesley, Massachusetts (1994)
  6. [Har89]
    Hardy, N.: The confused deputy. ACM SIGOPS Oper. Syst. Rev. 22(4), 36–38 (1989)
  7. [HBS73]
    Hewitt, C., Bishop, P., Steiger, R.: A universal modular ACTOR formalism for artificial intelligence. In: 3rd International Joint Conference on Artificial Intelligence (IJCAI), August 1973, pp. 235–245 (1973)
  8. [Hew77]
    Hewitt, C.: Viewing control structures as patterns of passing messages. Journal of Artificial Intelligence 8(3), 323–364 (1977)
  9. [KEB03]
    Klintskog, E., Banna, Z.E., Brand, P.: A generic middleware for intra-language transparent distribution. Technical Report T2003:01, Swedish Institute of Computer Science (June 2003)
  10. [MMF00]
    Miller, M.S., Morningstar, C., Frantz, B.: Capability-based financial instruments. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 349–378. Springer, Heidelberg (2001)
  11. [Mor73]
    Morris, J.H.: Protection in programming languages. Communications of the ACM 16(1), 15–21 (1973)
  12. [MS03]
    Miller, M.S., Shapiro, J.: Paradigm regained: Abstraction mechanisms for access control. In: Saraswat, V.A. (ed.) ASIAN 2003. LNCS, vol. 2896, pp. 224–242. Springer, Heidelberg (2003)
  13. [MSC+01]
    Miller, M., Stiegler, M., Close, T., Frantz, B., Yee, K.-P., Morningstar, C., Shapiro, J., Hardy, N., Tribble, E.D., Barnes, D., Bornstein, D., Wilcox-O'Hearn, B., Stanley, T., Reid, K., Bacon, D.: Open source distributed capabilities (2001). Available online
  14. [MTS05]
    Miller, M.S., Tulloh, B., Shapiro, J.S.: The structure of authority: Why security is not a separable concern. In: Van Roy, P. (ed.) MOZ 2004. LNCS, vol. 3389, pp. 2–20. Springer, Heidelberg (2005)
  15. [Ree96]
    Rees, J.A.: A security kernel based on the lambda-calculus. Technical report, MIT (1996)
  16. [Rei04]
    Reid, K.: [e-lang] Proposal: Auditors without unshadowable names (August 2004). Mail posted to the e-lang mailing list. Available online
  17. [SM02]
    Stiegler, M., Miller, M.S.: A capability based client: The DarpaBrowser. Technical Report Focused Research Topic 5 / BAA-00-06-SNK, Combex, Inc. (June 2002). Available online
  18. [SMRS04]
    Spiessens, F., Miller, M., Van Roy, P., Shapiro, J.: Authority Reduction in Protection Systems (2004). Available online
  19. [Sti]
    Stiegler, M.: The SkyNet virus: Why it is unstoppable; how to stop it. Talk. Available online
  20. [Sti00]
    Stiegler, M.: The E Language in a Walnut (2000). Draft. Available online
  21. [VH04]
    Van Roy, P., Haridi, S.: Concepts, Techniques, and Models of Computer Programming. MIT Press, Cambridge (2004)
  22. [Yee02]
    Yee, K.-P.: User interaction design for secure systems. In: 4th International Conference on Information and Communications Security (ICICS 2002). UC Berkeley Technical Report CSD-02-1184 (2002)
  23. [YM00]
    Yee, K.-P., Miller, M.S.: Auditors: An extensible, dynamic code verification mechanism (2000). Available online

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Fred Spiessens, Université catholique de Louvain, Louvain-la-Neuve, Belgium
  • Peter Van Roy, Université catholique de Louvain, Louvain-la-Neuve, Belgium