Users and developers love mobile code, but it raises serious security concerns. Software distribution over the Internet has been common for years, but the risks are greatly amplified with Web plug-ins and applets by virtue of their ubiquity and seamless integration. Users are often not even aware of mobile code's presence. Mobile code systems must have correspondingly stronger security to compensate for the increased exposure to potentially hostile code.
This paper considers the problem of securely supporting mobile code on real-world systems. Unlike traditional operating systems, which isolate programs with hardware memory protection, Web browsers must rely on software mechanisms (type safety and bytecode verification) for basic memory safety, both for portability and for performance. Currently, there is no standard for constructing secure services, such as access control over files, the network and the display, above these basic memory safety primitives. We explain three different strategies and their implementations in Java: several vendors [14,10] have built capability systems, Netscape and Microsoft have extensions to Java's stack introspection, and we designed an add-on to Microsoft Internet Explorer which hides or replaces Java classes. We analyze these systems in terms of established security criteria and conclude with a discussion of appropriate environments in which to deploy each strategy.