USENIX Conference Policies
The Safe-Tcl Security Model
Jacob Y. Levy and Laurent Demailly, Sun Microsystems Laboratories; John K. Ousterhout and Brent B. Welch, Scriptics Inc.
Safe-Tcl is a mechanism for controlling the execution of programs written in the Tcl scripting language. It allows untrusted scripts (applets) to be executed while preventing damage to the environment or leakage of private information. Safe-Tcl uses a padded cell approach: each applet is isolated in a safe interpreter where it cannot interact directly with the rest of the application. The execution environment of an applet is controlled by a trusted script running in a master interpreter. Safe-Tcl supports applets using multiple security policies within an application. These policies determine what an applet can do, based on the degree to which the applet is trusted. Safe-Tcl separates security management into well-defined phases that are geared towards the party responsible for each aspect of security.
author = {Jacob Y. Levy and Laurent Demailly and John Ousterhout and Brent Welch},
title = {The {Safe-Tcl} Security Model},
booktitle = {1998 USENIX Annual Technical Conference (USENIX ATC 98)},
year = {1998},
address = {New Orleans, LA},
url = {https://www.usenix.org/conference/1998-usenix-annual-technical-conference/safe-tcl-security-model},
publisher = {USENIX Association},
month = jun
}