WWW: Beyond the Basics

14. Java Security

by Vijay Sureshkumar

ABSTRACT

The Java programming language allows Java-compatible Web browsers to download code fragments dynamically and then execute them locally. These code fragments are called applets. Information servers can customize the presentation of their content with server-supplied code. But this increased power for Web applications is also a potential security problem.

This chapter examines the Java security model and the flaws that arise from implementation errors, loopholes in the security model, and unintended interaction between browser features. It describes the language features for security and the low-level security mechanisms: compile-time checking, the ClassLoader, and the SecurityManager. The different types of attacks on security are presented, namely denial of service attacks, second party and third party attacks, annoyance attacks, and disclosure attacks. Some simple examples of hostile applets are shown to illustrate some of these attacks.

The chapter concludes with some future directions that the Java security model and implementation might take to become a more secure environment, one that accommodates both the openness desired by Web application writers and the security needs of their users.

CHAPTER CONTENT

  1. Introduction
  2. Security Issues
    1. The Cost of Security
    2. Common Security Problems
    3. Java Security Model
  3. Security Threats
    1. Denial of Service Attacks
    2. Trojan Horses
    3. Covert Channels
    4. DNS Weaknesses
  4. Java Security Features
    1. Language Features
    2. Memory Allocation and Layout
    3. ClassLoader
    4. Bytecode Verification
    5. SecurityManager
  5. Extending Java Security
    1. Man in the Middle
    2. Java Security API
  6. Summary

    References

Copyright © 1996 Virginia Polytechnic Institute & State University
All Rights Reserved

Vijay Sureshkumar <vijay@csgrad.cs.vt.edu>
Last modified: Sun Sep 22 21:16:15 1996