14 Java Security
14.2 Security Issues
14.2.3 Java Security Model
Java's security allows a user to download and run applets from the Web or an
intranet without undue risk to the user's machine. The applet's actions are
restricted to its "sandbox", an area of the web browser dedicated to that
applet. The applet can do anything within the sandbox, but cannot read or
write or alter an data outside of it. The sandbox ensures that even if a user
downloads a malicious applet, it cannot damage the local machine.
The sandbox is made up of the following components operating together.
[ Fritzinger ]
- Java Language Features: Java has a lot of language features
which protect the integrity of the system. The language prevents pointer
abuse and illegal casts.
- Class Loader: It is the first link in the security chain. It fetches
executable code from the network and enforces the name space hierarchy.
- Bytecode Verifier: The verifier checks that the applet conforms to
the Java language guarantees and that there are violations like stack
overflows, name space violations, illegal data type casts, etc.
- Security Manager: It enforces the boundary of the sandbox. Whenever an applet performs an action which is a potential violation, the security
manager decides whether it is approved or not.
The next few sections present some security breaches that have been
found since Java's release. It should be noted that very few of them are
due to language weaknesses.
The main weakness with the Java language is that it has neither a formal
semantics nor a formal description of its type system although the security
relies on the soundness of the type system.
All the security holes mentioned are because of implementation errors,
unexpected interaction of browser features, differences between Java semantics
and bytecode semantics.
Each of the aforementioned Java security mechanisms
are discussed in later sections
in detail.
![[PREV]](../images/Nav/Prev.gif)
![[NEXT]](../images/Nav/Next.gif)
![[UP]](../images/Nav/Up.gif)
![[HOME]](../images/Nav/Home.gif)
Copyright © 1996 Virginia Polytechnic Institute & State University
All Rights Reserved
Vijay Sureshkumar
<vijay@csgrad.cs.vt.edu>
Last modified: Sun Oct 20 21:52:09 1996