Java Security: From HotJava to Netscape and Beyond

Abstract
The introduction of Java applets has taken the World Wide Web by storm. Information servers can customize the presentation of their content with server-supplied code which executes inside the Web browser. We examine the Java language and both the HotJava and Netscape browsers which support it, and find a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by Web application writers and the security needs of their users, and we suggest how both might be accommodated.
1. Introduction
The continuing growth and popularity of the Internet has led to a flurry of developments for the World Wide Web. Many content providers have expressed frustration with the inability to express their ideas in HTML. For example, before support for tables was common, many pages simply used digitized pictures of tables. As quickly as new HTML tags are added, there will be demand for more. In addition, many content providers wish to integrate interactive features such as chat systems and animations.
2. Java Semantics
Java is similar in many ways to C++[31]. Both provide support for object-oriented programming, share many keywords and other syntactic elements, and can be used to develop standalone applications. Java diverges from C++ in the following ways: it is type-safe, supports only single inheritance (although it decouples subtyping from inheritance), and has language support for concurrency. Java supplies each class and object with a lock, and provides the synchronized keyword so each class (or instance of a class, as appropriate) can operate as a Mesa-style monitor[21].
2.1. Java Security Mechanisms
In HotJava, all of the access controls were done on an ad hoc basis, which was clearly insufficient. The beta release of the JDK introduced the SecurityManager class, meant to be a reference monitor[20]. The SecurityManager defines and implements a security policy, centralizing all access control decisions. Netscape also uses this architecture. When the Java runtime system starts up, there is no security manager installed.
3. Taxonomy of Java Bugs
We now present a taxonomy of Java bugs, past and present. Dividing the bugs into classes is useful because it helps us understand how and why they arose, and it alerts us to aspects of the system that may harbor future bugs.
3.1. Denial of Service Attacks
Java has few provisions to thwart denial of service attacks. The obvious attacks are busy-waiting to consume CPU cycles and allocating memory until the system runs out, starving other threads and system processes. Additionally, an applet can acquire locks on critical pieces of the browser to cripple it.
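The lock-based denial of service above, as an added example that is not code from the paper, HotJava or Netscape. The "browser" and "applet" are constructed stand-ins: a host thread and an untrusted thread sharing one object. It goes slightly beyond the paper by also showing the mitigation Java later made available: a host that takes the lock with a timeout (java.util.concurrent.locks.ReentrantLock.tryLock) stays responsive when untrusted code never releases it, whereas a synchronized method blocks forever.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;

/*
 * Added example, not code from the paper or either browser.
 * SharedState, GuardedState and hostileApplet are hypothetical names chosen
 * for this illustration.
 */
public class LockStarvation {

    /* Stand-in for a piece of browser state guarded by an intrinsic monitor. */
    static final class SharedState {
        private int updates;
        synchronized void update() { updates++; }      // a caller cannot give up waiting here
        synchronized int updates() { return updates; }
    }

    /* Untrusted code: take the monitor of a shared object and never release it. */
    static Thread hostileApplet(Object monitor) {
        Thread t = new Thread(() -> {
            synchronized (monitor) {                   // held until the thread dies
                try { Thread.sleep(Long.MAX_VALUE); } catch (InterruptedException ignored) { }
            }
        }, "applet");
        t.setDaemon(true);
        return t;
    }

    /* Browser using the intrinsic lock: returns false if the update did not get through in time. */
    static boolean browserUpdateBlocking(SharedState state, long budgetMillis) throws InterruptedException {
        Thread browser = new Thread(state::update, "browser");
        browser.setDaemon(true);                       // otherwise the hung thread keeps the JVM alive
        browser.start();
        browser.join(budgetMillis);
        return !browser.isAlive();
    }

    /* Hardened variant: the host bounds how long it is willing to wait. */
    static final class GuardedState {
        private final ReentrantLock lock = new ReentrantLock(true);
        private int updates;

        boolean tryUpdate(long timeout, TimeUnit unit) throws InterruptedException {
            if (!lock.tryLock(timeout, unit)) return false;   // give up instead of hanging
            try { updates++; return true; } finally { lock.unlock(); }
        }
        ReentrantLock lock() { return lock; }
    }

    public static void main(String[] args) throws InterruptedException {
        SharedState state = new SharedState();
        hostileApplet(state).start();
        Thread.sleep(100);                             // let the applet grab the monitor first
        System.out.println("browser update with intrinsic lock: "
                + (browserUpdateBlocking(state, 500) ? "ok" : "hung, gave up waiting"));

        GuardedState guarded = new GuardedState();
        Thread applet2 = new Thread(() -> {            // same trick against the explicit lock
            guarded.lock().lock();
            try { Thread.sleep(Long.MAX_VALUE); } catch (InterruptedException ignored) { }
            finally { guarded.lock().unlock(); }
        }, "applet-2");
        applet2.setDaemon(true);
        applet2.start();
        Thread.sleep(100);
        System.out.println("browser update with tryLock: "
                + (guarded.tryUpdate(500, TimeUnit.MILLISECONDS) ? "ok" : "timed out, browser still responsive"));
    }
}
```

The timeout only keeps the host thread alive; it does nothing about the untrusted thread still holding the lock, which is why the paper's other remedies (not sharing monitors with untrusted code at all, or being able to kill the offending thread) matter as much as the bounded wait.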
3.2. Two vs. Three Party Attacks
It is useful to distinguish between two different kinds of attack, which we shall call two-party and three-party. A two-party attack requires that the Web server the applet resides on participate in the attack.
3.3. Covert Channels
Various covert channels exist in both HotJava and Netscape, allowing applets to have two-way communication with arbitrary third parties on the Internet.
3.4. Information Available to Applets
If a rogue applet can establish a channel to any Internet host, the next issue is what the applet can learn about the user’s environment to send over the channel.
3.5. Implementation Errors
Some bugs arise from fairly localized errors in the implementation of the browser or the Java subsystem.
3.6. Inter-Applet Security
Since applets can persist after the Web browser leaves the page which contains them, it becomes important to separate applets from each other.
3.7. Java Language and Bytecode Differences
Unfortunately, the Java language and the bytecode it compiles to are not as secure as they could be. There are significant differences between the semantics of the Java language and the semantics of the bytecode.
3.8. Java Language and Bytecode Weaknesses
We believe the Java language and bytecode definitions are weaker than they should be from a security viewpoint. The language has neither a formal semantics nor a formal description of its type system.
4. Security Analysis
We found a number of interesting problems in both HotJava, an alpha release, and Netscape 2.0, a released product. More instructive than the particular bugs we and others have found is an analysis of their possible causes.
4.1. Policy
The present documents on Netscape[29] and HotJava do not formally define a security policy.
4.2. Enforcement
The Java SecurityManager is intended to be a reference monitor[20]. A reference monitor has three important properties:
4.3. Integrity
The architecture of HotJava is inherently more prone than that of Netscape to accidentally reveal internal state to an applet because the HotJava browser’s state is kept in Java variables and classes.
4.4. Accountability
The fourth fundamental requirement in the Orange Book is accountability: “Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party.”[27] The Java system does not define any auditing capability.
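The following is an added example, not code from the paper, HotJava or Netscape, covering three points made above: the SecurityManager as the single place where access decisions are made (section 2.1 and 4.2), the fact that no security manager is installed when the runtime starts (section 2.1), and the missing audit trail (section 4.4). AuditingSecurityManager, its sandbox root and its audit list are hypothetical names chosen for this illustration; the sample files it reads are created by the program itself. The policy it enforces is a minimal applet-style one: reads only below one directory, no writes, no outbound connections. It targets the classic SecurityManager API, which is deprecated for removal since Java 17 and must be enabled with -Djava.security.manager=allow on Java 18 through 23; later releases disable it entirely.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added example, not code from the paper or either browser.
 * Run with: java -Djava.security.manager=allow AuditingSecurityManager
 * (the property is needed on Java 18 through 23; older JDKs ignore it).
 */
public class AuditingSecurityManager extends SecurityManager {

    private final Path sandboxRoot;                      // reads are allowed only below here
    private final List<String> audit = Collections.synchronizedList(new ArrayList<>());

    public AuditingSecurityManager(Path sandboxRoot) {
        this.sandboxRoot = sandboxRoot.toAbsolutePath().normalize();
    }

    /* Every decision passes through here: one place to check, one place to record. */
    private void decide(String action, String target, boolean allowed) {
        audit.add((allowed ? "ALLOW " : "DENY  ") + action + " " + target
                  + " by thread " + Thread.currentThread().getName());
        if (!allowed) {
            throw new SecurityException(action + " denied: " + target);
        }
    }

    @Override
    public void checkRead(String file) {
        Path p = Path.of(file).toAbsolutePath().normalize();   // normalise first, or "../" escapes the root
        decide("read", file, p.startsWith(sandboxRoot));
    }

    @Override
    public void checkWrite(String file) {
        decide("write", file, false);                      // applet-style policy: no writes at all
    }

    @Override
    public void checkConnect(String host, int port) {
        decide("connect", host + ":" + port, false);       // and no outbound connections (port -1 = name lookup)
    }

    @Override
    public void checkPermission(Permission perm) {
        // Everything not covered above (property reads, thread creation, ...) is left
        // permitted so the demo runs; a real policy would enumerate these as well.
    }

    public List<String> auditTrail() {
        return new ArrayList<>(audit);
    }

    public static void main(String[] args) throws IOException {
        Path sandbox = Files.createTempDirectory("sandbox");
        Path inside = Files.writeString(sandbox.resolve("ok.txt"), "inside the sandbox\n");
        Path outside = Files.createTempFile("secret", ".txt");   // constructed stand-in for a private file

        // The paper's observation: at startup there is no reference monitor at all.
        System.out.println("security manager at startup: " + System.getSecurityManager());
        System.out.println("read outside sandbox with no monitor: "
                + Files.readString(outside).length() + " bytes, no exception");

        AuditingSecurityManager sm = new AuditingSecurityManager(sandbox);
        System.setSecurityManager(sm);

        System.out.println("read inside sandbox: " + Files.readString(inside).trim());
        try {
            Files.readString(outside);
            System.out.println("BUG: read outside the sandbox succeeded");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        try {
            new java.net.Socket("example.com", 80).close();  // stopped at name resolution, before any I/O
            System.out.println("BUG: connection was not intercepted");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("BUG: connection attempt reached the network: " + e);
        }

        // What the paper says Java lacks: a record of who asked for what, and what was decided.
        System.out.println("audit trail:");
        sm.auditTrail().forEach(line -> System.out.println("  " + line));
    }
}
```

Two details are worth noticing. The path is normalised before the prefix comparison; without that, a request for sandbox/../secret.txt passes the check. And the connect attempt is refused at the name-lookup stage (the runtime calls checkConnect with port -1 before resolving the host), so a denied applet does not even leak a DNS query, which is one of the covert channels section 3.3 refers to.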
5. Flexible Security for Applets
A major problem in defining a security policy for Java applets is making the policy flexible enough to not unduly limit applets, while still preserving the user’s integrity and privacy.
5.1. Networking
The Java runtime library must support all the protocols in current use today, including HTTP (the Web), FTP (file transfer), Gopher, SMTP (email), NNTP (Usenet news), and Finger (user information).
5.2. Distributed Applications
Other applications that would be desirable to implement as applets include audio/video conferencing, real-time multi-player games, and vast distributed computations like factoring.
5.3. User Interface
The security user interface is critical for helping the average user choose and live with a security policy. In HotJava, an applet may attempt any file or network operation.
6. Conclusion
Java is an interesting new programming language designed to support the safe execution of applets on Web pages.
7. Acknowledgments
We wish to thank Andrew Appel, Paul Karger and the referees for reading this paper and making many helpful suggestions.



Resource: http://www.cs.princeton.edu/sip/pub/oakland-paper-96.pdf
Posted By : Cyntia
On date : 07.24.08
