Secure Internet Programming - menu
Secure Internet Programming
Princeton University
Department of Computer Science

Java Security: Web Browsers and Beyond

Drew Dean
Edward W. Felten
Dan S. Wallach
Dirk Balfanz

The introduction of Java applets has taken the World Wide Web by storm. Java allows web creators to embellish their content with arbitrary programs which execute in the web browser, whether for simple animations or complex front-ends to other services. We examined the Java language and the Sun HotJava, Netscape Navigator, and Microsoft Internet Explorer browsers which support it, and found a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by web application writers and the security needs of their users, and we suggest how both might be accommodated.

Internet Beseiged: Countering Cyberspace Scofflaws, Dorothy E. Denning and Peter J. Denning, eds. ACM Press (New York, New York), October 1997, pp. 241-269.

See Also
Java Security: Web Browsers and Beyond. Drew Dean, Edward W. Felten, Dan S. Wallach, and Dirk Balfanz, Technical Report 566-97, Department of Computer Science, Princeton University, February 1997.
Java Security: From HotJava to Netscape and Beyond. Drew Dean, Edward W. Felten, and Dan S. Wallach. Proceedings of 1996 IEEE Symposium on Security and Privacy (Oakland, California), May 1996.
Security Flaws in the HotJava Web Browser. Drew Dean and Dan S. Wallach, Technical Report 501-95, Department of Computer Science, Princeton University, November 1995.