Java Security Archive

In 1995 I was a research scientist at Reliable Software Technologies (later called Cigital) hired to work on a DARPA-sponsored research grant on computer security. Java was released during my first month in the office. Some of us were skeptical of Sun’s claims about Java security, and we set about breaking Java. This archive used to be a curated selection of Java security materials from the mid ’90s.

Somehow I find it disturbing that old materials on the web just disappear. So consider this a museum piece that I keep around for reasons of nostalgia. Non-broken links will almost certainly be out of date.

JAVA SECURITY HOTLIST (archive)

BOOKS

Title	Author(s)	Publisher
Securing Java: Getting Down to Business with Mobile Code	Gary McGraw and Ed Felten	John Wiley and Sons
Java Security: Hostile Applets, Holes, and Antidotes	Gary McGraw and Ed Felten	John Wiley and Sons
Web Security Sourcebook: A Complete Guide to Web Security	Avi Rubin, Daniel Geer, and Marcus Ranum	John Wiley and Sons
E-Commerce Security: Weak Links, Best Defenses	Anup Ghosh	John Wiley and Sons

RESEARCHERS

Secure Internet Programming	The Princeton Team, pre-eminent research group focused on Java Security.
The Java Security Web Site	Splash page for this hotlist. Information on the Java Security book and CD-ROM, article listings, and mailing list.
Java Security at RST	Besides providing this set of links, Dr. Gary McGraw also maintains an RST Java Security page. RST produces a Java coverage tool that is helpful during testing (a key aspect of security).
David Hopwood	David Hopwood, once a student at Oxford and then a Netscape employee, discovered some of Java's flaws that led to attack applets. David is now working on crypto for Java and is a regular contributor to comp.lang.java.security.
Java Security at UC Davis	A list of Java security resources provided by Steven H. Samorodin of the UC Davis Security lab.
Java InSecurity	A page of information put together by Patricia Evans (a grad student at the University of Victoria).
Godmar Back's Java Security Page	A page devoted to Java Security. Includes pointers to talk slides, and a few pointers to related websites.
Spaf's Hotlist, Security in Java	Gene Spafford's Security hotlist entry for Java security. A bit out of date, but the rest of the list is amazing!
Security for Extensible Systems	A research group at the University of Washington interested in extensible systems (like Java) in which code can be added to a running system in almost arbitrary fashion, and it can interact through low latency (but type safe) interfaces with other code.
The Kimera group at the University of Washington	A research group at the University of Washington implementing a new Java security architecture based on factored components for security, performance, and scalability. See their Security Flaws in Java page.
Naval Postgraduate School Languages Group	This group is investigating advanced type systems, especially as related to secure mobile code. The helped organize the DARPA Workshop on Foundations for Secure Mobile Code
Arizona's Sumatra Project	Research on mobile code. See especially the Java Hall of Shame.
Focus on Java: Java Security	The Mining Company has a nice collection of pages about Java. This one has links to a few security sites. Web ads galore...argh.
The JAWS Project	JAWS (Java Applets With Safety) is an ACSys project using theorem-proving technology to analyse safety and security properties of Java applets. Java down under.
Li Gong's Java Security Home Page	A collection of pointers put together by Javasoft's esteemed Java Security Architect. Sparse.
Mobile Code Security Bibliography	This list of publications put together by Philip Fong of SFU includes a section on Java.

FAQs

JavaSoft: Denial of service	What JavaSoft has to say about denial of service attacks.
WWW Security FAQ (Java section)	Some questions about Java Security answered.
Microsoft Web Executable Security Advisor	A set of pages that is to be devoted to Web security issues and alerts. Definite Microsoft spin...use appropriate filters.
Microsoft's Known Issues in Internet Explorer Java Support	The official page for Internet Explorer and Java security problems and patches. The Microsoft point of view.
How the Applet Network Security Policy works	If you wonder how Java might interact with a Proxy server, this is the place to look.
Java Glossary	A comprehensive Java glossary.
Activating Codebase Principals	Sneaky Java trick for bypassing the Netscape code-signing stage in the development cycle.
Java Security Archive	A ton of Java security Q/A from the Javasoft discussion. Beware of spin.
FUDWATCH	This is a great idea that takes aim at some of the vendor FUD. The claims of no security risks whatsoever are a bit overstated though.

PAPERS

Paper	Description
Low Level Security in Java	Frank Yellin's seminal paper on low-level details of Java Security.
Joseph Bank's Java Security paper	One of the first papers to appear on Java Security. Nice introduction to executable content. Excellent paper.
Java Security: From HotJava to Netscape and Beyond	The original IEEE Java Security paper by the Princeton Team. An excellent reference.
Blocking Java Applets at the Firewall	A paper by David Martin (Boston University), S. Rajagopalan (Bellcore), and Aviel Rubin (Bellcore) exploring the idea of using a firewall to protect against hostile applets.
Java Security: Weaknesses and Solutions	An HTML paper by Jean-Paul Billon translated (sort of) from French.
Security Breaches in the JDK 1.1 beta2 security API	Another technical opus by Billon. This one is about serialization and private keys.
The Java Security Reference Model for 1.0.2	This report provides the security reference model for the Java Developer's Kit (JDK) version 1.0.2. The model defines the fundamental security requirements for the Java environment, serves as a basis for a security test plan, and is a first step toward further assurance documentation and analysis. An important piece of work in Java security.
The Security of Static Typing with Dynamic Linking	A paper by Drew Dean of Princeton, To appear in Proceedings of the Fourth ACM Conference on Computer and Communications Security, April 1997.
Work on the Java Type System	A paper by Sophia Drossopoulou and Susan Eisenbach to be presented at the 11th European Conference on Object Oriented Programming, June 1997.
Defensive Java Virtual Machine Version 0.5 alpha Release	A formal model of a subset of the Java Virtual Machine (JVM) built using ACL2, a mathematical logic. Formal analysis is underway. This research is sponsored by JavaSoft and is being carried out by Computational Logic, Inc. (CLI).
A Comparison between Java and ActiveX Security	A paper by David Hopwood presented at the Compsec '97 - the 14th World Conference on Computer Security, Audit and Control.
Extensible Security Architectures for Java	A paper by the Princeton Team (Wallach, Balfanz, Dean, and Felten) about security policies, extensible systems, and the real world.
Java is not type-safe	A paper by ATT researcher Vijay Saraswat explaining why Java is not type safe. Type safety is the cornerstone of Java security.
Experience with Secure Multi-Processing in Java	Princeton Team member Dirk Balfanz teams up with Javasoft's Li Gong discuss how a Java VM might grow up to be multi-user.
Implementing Protection Domains in the Java Development Kit 1.2	By L. Gong and R. Schemers. Published in Proceedings of the Internet Society Symposium on Network and Distributed System Security, San Diego, California, March 1998.
Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2	By L. Gong, M. Mueller, H. Prafullchandra, and R. Schemers. Published in Proceedings of the USENIX Symposium on Internet Technologies and Systems, Monterey, California, December 1997.
A Type System for Java Bytecode Subroutines	Raymie Stata and Martin Abadi discuss type systems for Java
Trust Management on the World Wide Web	A paper by Rohit Khare and Adam Rifkin about managing trust on the web.
Mobile Code Bibliography	An extensive collection of Mobile Code publications. Grep for security to find a number of more relevant papers.
Foresight Computer Security Fact Forum	The Foresight Institute discusses aspects of the Java Security model. This is an interesting set of links. Well-organized.
IEEE Internet Computing Online: Mobile Code Security	McGraw and Felten editted the November-December 1998 issue of IEEE Internet Computing, focusing on mobile code security.
Software Assurance for Security	This short article discusses a methodology for security analysis during the design of a system (as opposed to penetrate and patch). Java could use some of this.

TALKS/ARTICLES

Talk	Description
Java Security Articles (By the Authors and About the Authors)	This page is a collection of articles written by or about the Java Security book. Many are hyperlinked to Web sites. Publications include Byte, JavaWorld, and C!Net. (You can sign up for notification about future articles.)
Lectures and talks promoting the Java Security book	This includes bookstore signings, on-line chats, radio, trade shows and academic lectures by Ed Felten and Gary McGraw.
Java(tm) and JavaSoft Products	JavaSoft's Documentation page. Includes information on getting Java specs.
JavaSoft FORUM on Java Security	A discussion of Java Security issued hoted by JavaSoft and including several prominent security researchers.
Java Security	Chapter 14 of "WWW Beyond the Basics" a Web book by Virginia Tech students. This web-based document by Vijay Sureshkumar offers a concise overview of some security issues and provides a quick introduction to the security model.
Security for Java Programmers: An Introduction	Jay Heiser's 2/97 article from the Java Developers Journal. Introductory.
Java Security Model: Java Protection Domains	A handout from JavaSoft which briefly explains the new security model.
Introduction To Capability Based Security	A Web-based tutorial from Electric Communities.
Object Signing CodeStock Notes	Netscape developer information about signing code (including Java). Also see Netscape Object Signing.
Secure Computing with Java: Now and The Future	A white paper from JavaSoft explaining Java Security. Looks suspiciously like our book in places. Hmm.
Java's security architecture	An overview of the JVM's security model and a look at its built-in safety features.
Security and the class loader architecture	A look at the role played by class loaders in the JVM's overall security model
Security and the class verifier	A look at the role played by the class verifier in the JVM's overall security model
Java security: How to install the security manager and customize your security policy	Learn about the security manager and the Java API, what remains unprotected by the security manager, and security beyond the JVM architecture
Code Signing for Java Applets	A home-grown article by Dan Grisom explaining how to sign Java code. I wrote a couple of articles for developer.com about code signing too. See the Java Security Articles page.
Javaworld's Java Security Books list	An exhaustive list of Java security books (including etherbooks and non-existent titles). We'll give you one guess which one we think is best!
Signing Applets for Internet Explorer and Netscape Navigator	An article by Joseph Bowbeer from June 97 (JDK 1.1 days).
Directions in Java Security: The JDC Interviews JavaSoft Security Guru Li Gong	Cheese, but interesting cheese. You'll have to register as a Java Developer to see this interview.
Building a bigger sandbox	A superficial look at the new code signing model.
Package java.security	The java.security package API summary for JDK 1.2.
Security in JDK 1.2	Sun's on-line tutorial stepping through JDK 1.2 security. The party line.
Trust Based Security for Java	Microsoft's view on Trust-Based security in Java. Pointers to code signing HOWTOs related to Authenticode.
Netscape Object Signing Establishing Trust for Downloaded Software	Netscape's Object Signing model page. All three major vendors have slightly different approaches (though all are based on stack inspection).
The trick to using Java networking applets behind firewalls	A JavaWorld Java tip addressing the firewall problem.
Java 2 security model white paper	Sun's perspective on the new model.
The Evolution of Java Security from IBM	An IBM whitepaper explaining how Java has evolved from JDK 1.0.2 to JDK 1.2 (now called Java 2). The API explanation is dated.

HOSTILE APPLETS

Mark LaDue's Hostile Applets Home Page	A collection of increasingly hostile applets put together by Mark LaDue, a graduate student at Georgia Tech. In our terminology, these are all malicious applets. Georgia Tech kicked Mark off their site, so his page is now hosted by Reliable Software Technologies, though Mark retains complete editorial control over content and RST does not endorse or necessarily agree with his opinions.
The Hostile Mail Applet Page	WARNING: Jim Buzbee's first malicious applet sends mail somewhere unknown, from YOUR machine.
File Scanner	WARNING: Jim Buzbee's malicious applet scans your diskdrive to see if particular files exist.
A tiny (killer App)let	Brought to you by the Naval Postgraduate school. WARNING: This applet will crash your browser.
Netscape Browser/Java Applet Security Bug	Redirect attack take one. This hole has been plugged.
MSIE Java Security Hole	This applet, brought to you by Ben Mesander, colludes with an evil Website to send an HTTP redirect that apparently works only against MSIE. Ben's work was featured in a C!Net news story.
the crapplet	Can't say that I've checked this one out, but it claims to do nasty things. Sounds like a typical DoS.
Two Security Holes	Major Malfunction and Ben Mesander demonstrate a couple of security holes. A more cogent explanation can be found in the article "Is your browser a blabbermouth? Are your ports being scanned?"

COMMERCIAL

Finjan Software	Finjan Software produces two products SurfinShield and SurfinGate. Finjan recently formed a Technical Advisory Board.
MindQ	MindQ offers a CD-ROM about Java Security.
Maximized software	Offers the WebReferee product.
Phaos Technology	SSLAVA secure socket layer API classes.
Digitivity	Technology for more secure mobile code.
Acme.Crypto	FREE crypto classes from Jef Poskanzer.
Java-cryptlib	The FREE Java-cryptlib allows you to write platform independent crypto programs.
JavaTM Cryptography Extension	JavaSoft's JCE is an extension package to the JDK. North American distribution only (export control bites).
Java Cryptography Toolkit	Commercial encryption classes. Free for personal use only.
FlexxGuard	And guess what, big blue does it too! Applet regulation must have a market somewhere.
Security7	Security 7 and a related organization, WithinReach, once collaborated to spread fear, uncertainty, and doubts about hostile mobile code. Among others, we don't condone this approach. (See the Infoworld story on the link between Security7 and WithinReach).
Advanced Computer Research Online	Make the secure4u widget. Yet another hostile code "stopper".
Aphah	Aphah makes an outstanding decompiler. Now that mocha is defunct, this is the place to turn.
International Computer Security Association	The ICSA recently created a Malicious Mobile Code Consortium. This organization is likely to create self-imposed certification criteria for vendors. It remains to be seen what the certification will mean.
4th Pass	4thpass makes an obfuscation tool.
eSafe Technologies	Esafe makes a mobile code sandbox (as if Java doesn't have one already).
JCP	JCP provides cryptographic solutions for e-commerce, including an SSL class library and a crypto development kit.
Server-Based Java Security Products	A CMPnet comparative review of four of the several Java security add-on products on the market.
TrendMicro	Trendmicro makes the Interscan Appletrap product. This whitepaper explains Trendmicro's view of mobile code.
Java Security Vendors: Solutions of Snake Oil	Your hosts try to make some sense of third-party solutions. A preview of contect from Securing Java.

MOSTLY HARMLESS

SunSite@UTK Java Security	Several links to Java Security sites. Includes bug info. Partly useful.
Wei Wang (et al): Java Security	Not a great paper, but it's out there. Written for a class project.
Java Security	Scott Oak's book Java Security. O'Reilly is known for their developer-oriented books. This book fits the bill, as it provides both an API reference guide and a number of code samples. It is almost up-to-date (JDK1.2beta3) and carefully details JDK 1.2 functionality. One caveat, Oaks is an employee of Sun Microsystems and certainly toes the party line. The discussion of security risks an implications reflects this fact. Also missing is any treatment of Java security holes. If you are a developer who wants to learn about the APIs and you don't care too much about the bigger picture, this book is for you.
Symantec spots first Java virus (CNN) JavaApp.Strange Brew(Symantec)	Rumors of this "virus" were greatly exaggerated by Symantec. Alas.

JAVA SECURITY BOOKS

FIRST EDITION (1996)

Preface

The computer security issues surrounding Sun Microsystems, Inc’s Java language are of great enough concern to us that we decided to write a book. Although this book gets somewhat technical in places, we have attempted to make the issues clear enough so that current Java users (including people whose only brush with Java is running the occasional applet while surfing the web) can make sense of the often obscure and mysterious security concerns that Java raises. We do not intend to answer the question as to whether or not you should use Java, nor do we intend to scare anyone away from Java. Instead, our goal is to inform you about the very real risks so that an intelligent policy regarding Java use can be reached.

It is important to emphasize that to be a Java user you do not have to be a Java programmer. In fact, many people are Java users without necessarily knowing it. Anyone who uses a Java-enabled browser like the Netscape Navigator or the Microsoft Internet Explorer to surf the web is at times a Java user. We estimate that around 90% of web users can in this way be classified as Java users. If you are a Java user, the information in this book is entirely relevant. You need to know what the risks are.

The field of computers moves very quickly. One of the tricky aspects of writing a topical book relating to the web (such as this one) is figuring out when to “stop” the action. This process can be likened to taking a picture of a movie. In that sense, this book is a snapshot of Java security. We hope we have succeeded in making this book a useful way to learn about Java security. In addition to material about the current model and its problems, we have included much material about probable future developments.

Chapter 1 provides a quick and cursory introduction to Java. Pointers are provided to more thorough Java texts that cover the in’s and out’s of the entire Java language in more detail. This is, after all, not a book on Java per se, but is instead a book on Java security. The purpose of Chapter 1 is to provide some context for the later discussion of Java’s critical security implications. Near the end of Chapter 1 we introduce the central idea of the book: weighing the benefits of Java use against the risks.

Chapter 2 introduces the existing Java security model in some detail. As a prelude to our discussion, we introduce common security terminology (such as denial of service attack) so that you can better understand some of the jargon associated with computer security, what that jargon actually means in the real world, and how particular attacks can be delivered through Java applets. The three-prongs of Java security defense are explained. These include the Byte-code Verifier, the Applet Class Loader, and the Java Security Manager. We also introduce the idea that Java security fundamentally relies on ensuring type safety. Java seems to have at least a rudimentary security policy, and it is apparent that the designers of Java gave security some thought. Chapter 2 answers the questions: What is Java’s existing security policy? and, How well are the ideas implemented in the current version of Java?

Chapter 3 delves more deeply into the existing Java security model by focusing attention on some of the well-publicized problems that have been discovered. This is where our discussion of hostile applets begins. We introduce some terminology that divides hostile applets into two camps — very dangerous attack applets that involve security breaches and merely annoying malicious applets that are more of a nuisance than anything else. The purpose of Chapter 3 is to discuss attack applets and to elucidate just how secure Java really is at the moment. Java users must be educated about current problems in Java security if they are to make informed decisions regarding Java use. Some problems in the first release (post alpha and beta) of the Java Development Kit have been addressed through patching; others have not. We will discuss both sets of problems in some detail.

Fundamentally less dangerous but still annoying, malicious applets are the topic of Chapter 4. We provide some general examples of malicious applets and describe what exactly they do. Unfortunately there are many unscrupulous individuals on the net who are more than happy to include Java in their list of offensive weapons. Our mission is to make Java users aware of common classes of attacks.

Chapter 5 has two overall goals, both of which are meant to positively impact the Java security situation. The first goal is to suggest some high level antidotes for Java security concerns that are not tied to particular attacks. Experts in computer security have pointed out several global deficiencies in the Java approach to security. Fixing some of these things would certainly improve the model. High level concerns addressed in part one of Chapter 5 include: programming language issues, formal analysis of Java, applet logging, trusted computing bases, and decompilation. Hopefully some of the high-level concerns we raise in Chapter 5 will be fixed in the near future. In the mean time, there are some guidelines for safer Java use that can be applied today. These guidelines make up the second part of Chapter 5. If you only have time to read one section of this book, the guidelines section should be the one.

Finally, we conclude with some hints about what may happen to the Java security model in the future. The JavaSoft division of Sun Microsystems is working hard to improve the existing security situation (which currently has, as we discuss throughout this book, some rather serious flaws). The browser companies, Netscape and Microsoft, are also working to improve Java security since many of Java’s security policies get defined by the browser. Cool things that should improve Java security will likely include: digitally signed applets, an in-depth analysis of the Java security model, and better Class Loaders and Security Managers.

We hope that this book is both informative and useful. Making intelligent decisions regarding the use of Java (especially in business and other mission-critical systems) requires some knowledge of the current risks. Our goal is to present this important material as clearly and objectively as possible. Armed with the knowledge that we present in this book, Java users and site managers can make better Java use policies.

Buy a Copy on Amazon

SECOND EDITION (1999)

Preface

Java has grown by leaps and bounds since its introduction in 1996, and is now among the most popular computing platforms on the planet. Java has evolved and changed so much that at a mere two-years old, our original work, Java Security: Hostile Applets, Holes, and Antidotes, found itself in serious need of revision and expansion. This book is the result of several years of thinking about mobile code and security, and includes many things we have discovered while working on real-world systems with businesses and government agencies. Our goal is to present enough information to help you separate fact from fiction when it comes to mobile code security.

Java has become much more complicated and multifaceted than it was when it was introduced. No longer simply a client-side language for applets, Java can now be found on everything from enterprise application servers to embedded devices like smart cards. We have tried to address security factors from throughout the entire Java range in this book.

We hope this book appeals to geeks and grandmothers alike (not that some grandmothers aren’t geeks). Although it gets technical in places, we hope the messages are clear enough that even the casual Web user comes away with a broader understanding of the security issues surrounding mobile code. We kept four groups in mind as we wrote this book: Web users, developers, system administrators, and business decision-makers. Many of the issues of mobile code security cut across these groups. As Java integrates itself into the foundations of electronic commerce, Java security issues take on more urgency.

Java is only one kind of mobile code among many. Other systems immersed in the same security dilemma include ActiveX, JavaScript, and Word Macros. It is essential not to get the wrong message from this book. Our focus on Java is no accident. We believe Java is the most viable mobile code system created to date. Don’t believe that through our work we imply that other systems are any more secure than Java. Just the opposite is true.

With the introduction of code signing to Java (in JDK 1.1) and its enhancement with access control (in Java 2), securing Java became much harder. Java’s position along the security/functionality tradeoff has moved significantly toward functionality, to the detriment of security. This is good if you want more functionality, which most businesses and developers seem to need, but it is bad if you are charged with managing security risks. Forming an intelligent Java use policy is more important than ever, but doing so is more complicated than it used to be.

The computer field moves so fast that people have begun to refer to Internet time to grapple with its constantly accelerating speed. Three months is a year in Internet time. Java is directly involved in the speed of the field, and has done its share to make things move even more quickly. One tricky aspect of writing a topical book relating to the Web is figuring out when to stop the action. This process can be likened to freeze-framing a picture of a movie. In that sense, this book is a snapshot of Java security. We hope we have succeeded in making it a useful way to learn about Java security.

As we went to press, Sun Microsystems renamed JDK 1.2 and called it Java 2. We have attempted to use correct version numbers throughout and apologize for any confusion.

See the Complete Web Edition (free)

Authors: Dr. Gary McGraw, Cigital and Professor Ed Felten, Princeton University

Publisher: John Wiley and Sons

Java Security Archive

JAVA SECURITY HOTLIST (archive)

BOOKS

RESEARCHERS

FAQs

PAPERS

TALKS/ARTICLES

HOSTILE APPLETS

COMMERCIAL

MOSTLY HARMLESS

JAVA SECURITY BOOKS

FIRST EDITION (1996)

Preface

SECOND EDITION (1999)

Preface

Gary McGraw, Ph.D.

Silver Bullet Podcast

Silver Bullet Podcast

Latest From @cigitalgem