Secure Internet Programming - menu
Secure Internet Programming
Home
Projects
People
Publications
Support
Seminar
History
FAQ
Princeton University
Department of Computer Science

sip@cs.princeton.edu

Java Security: From HotJava to Netscape and Beyond

Authors
Drew Dean
Edward W. Felten
Dan S. Wallach

Abstract
The introduction of Java applets has taken the World Wide Web by storm. Information servers can customize the presentation of their content with server-supplied code which executes inside the Web browser. We examine the Java language and both the HotJava and Netscape browsers which support it, and find a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by Web application writers and the security needs of their users, and we suggest how both might be accommodated.

Published
1996 IEEE Symposium on Security and Privacy (Oakland, California), May 1996.

Text
PostScript (144 KB)
gzip'd PostScript (50 KB)
PDF (Adobe Acrobat 2.1) (156 KB)
Slides
Bell Labs Talk, 5 April 1996, 35 slides, one per page.
PostScript (518 KB)
gzip'd PostScript (50 KB)
PDF (Adobe Acrobat 2.1) (338 KB)
Bell Labs Talk, 5 April 1996, 35 slides, two per page.
PostScript (370 KB)
gzip'd PostScript (44 KB)
PDF (Adobe Acrobat 2.1) (199 KB)
IEEE Symposium on Security and Privacy, 6-8 May 1996, 14 slides, one per page.
PostScript (556 KB)
gzip'd PostScript (275 KB)
PDF (Adobe Acrobat 2.1) (65 KB)
"Java Policies", 6 slides, one per page
PostScript (37 KB)
gzip'd PostScript (6 KB)
PDF (Adobe Acrobat 2.1) (37 KB)

See Also
Java Security: Web Browers and Beyond. Drew Dean, Edward W. Felten, Dan S. Wallach, and Dirk Balfanz. Internet Beseiged: Countering Cyberspace Scofflaws, Dorothy E. Denning and Peter J. Denning, eds. ACM Press (New York, New York), October 1997.
Security Flaws in the HotJava Web Browser. Drew Dean and Dan S. Wallach, Technical Report 501-95, Department of Computer Science, Princeton University, November 1995.