Java Security: From HotJava to Netscape and Beyond. A classic paper on the security of Java.
b85f385f8193474766ce1356143a6c567256b54db47b595733709d3f9289c71c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<!-- This document is automatically generated. Instead, edit
pub/secure96.xhtml and type "make". -->
<html> <head>
<title>Secure Internet Programming: Java Security: From HotJava to Netscape and Beyond</title>
</head>
<body bgcolor="#fee7c8" VLINK="#731105" LINK="#b45216" TEXT="#TEXT#">
<font face="helvetica,geneva,arial">
<table width="100%" cellpadding=0 cellspacing=0 border=0>
<tr><td rowspan=2 bgcolor="#ffffff" valign=top align=left>
<table cellpadding=5 border=0>
<tr><td colspan=2 align=center>
<a href="/sip/"><img border=0 src="/sip/images/sip-logo-small.gif" width=100 height=41 alt="Secure Internet Programming"></a>
</td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/History.html">History</a></td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/People.html">People</a></td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/Partners.html">Partners</a></td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/Research.html">Research</a></td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/Publications.html">Publications</a></td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/java-faq.html">FAQ</a></td></tr>
<tr><td>
<img src="/sip/images/orange.gif" WIDTH=14 HEIGHT=14 ALT="*">
</td><td><a href="/sip/Links.html">Links</a></td></tr>
</table>
</td>
<td valign=bottom align=center bgcolor="#ffffff" width="100%">
<font size="+3"><b>Java Security: From HotJava to Netscape and Beyond</b></font>
</td></tr>
<tr><td valign=top align=left>
<table width="100%" border=0 cellspacing=8>
<tr><td>
<img src="/sip/images/blank.gif" width=1 height=300 alt="">
</td>
<td valign=top align=left>
<dl>
<p>
<dt><font size="+1">Authors</font>
<dd><a href="http://www.cs.princeton.edu/~ddean">Drew Dean</a>
<dd><a href="http://www.cs.princeton.edu/~felten">Edward W. Felten</a>
<dd><a href="http://www.cs.princeton.edu/~dwallach">Dan S. Wallach</a>
<p>
<dt><font size="+1">Abstract</font>
<dd>
The introduction of Java applets has taken the World Wide Web by
storm. Information servers can customize the presentation of their
content with server-supplied code which executes inside the Web
browser. We examine the Java language and both the HotJava and
Netscape browsers which support it, and find a significant
number of flaws which compromise their security. These flaws arise for
several reasons, including implementation errors, unintended
interactions between browser features, differences between the Java
language and bytecode semantics, and weaknesses in the design of the
language and the bytecode format. On a deeper level, these flaws arise
because of weaknesses in the design methodology used in creating Java
and the browsers. In addition to the flaws, we discuss the underlying
tension between the openness desired by Web application writers and the
security needs of their users, and we suggest how both might be
accommodated.
<p>
<dt><font size="+1">Published</font>
<dd>1996 IEEE Symposium on Security and Privacy
(Oakland, California), May 1996.
<p>
<dt><font size="+1">Text</font>
<dd><A HREF="preprint.ps">PostScript</A> (144 KB)
<br><A HREF="preprint.ps.gz">gzip'd PostScript</A> (50 KB)
<br><A HREF="oakland-paper-96.pdf">PDF (Adobe Acrobat 2.1)</a> (156 KB)
<dt><font size="+1">Slides</font>
<dl>
<dt><b>Bell Labs Talk, 5 April 1996</b>, 35 slides, one per page.
<dd><a href="bell-labs-talk.ps">PostScript</a> (518 KB)
<br><a href="bell-labs-talk.ps.gz">gzip'd PostScript</a> (50 KB)
<br><a href="bell-labs-talk.pdf">PDF (Adobe Acrobat 2.1)</a> (338 KB)
<dt><b>Bell Labs Talk, 5 April 1996</b>, 35 slides, two per page.
<dd><a href="bell-labs-talk-2up.ps">PostScript</a> (370 KB)
<br><a href="bell-labs-talk-2up.ps.gz">gzip'd PostScript</a> (44 KB)
<br><a href="bell-labs-talk-2up.pdf">PDF (Adobe Acrobat 2.1)</a> (199 KB)
<dt><b>IEEE Symposium on Security and Privacy, 6-8 May 1996</b>,
14 slides, one per page.
<dd><a href="oakland-slides-96.ps">PostScript</a> (556 KB)
<br><a href="oakland-slides-96.ps.gz">gzip'd PostScript</a> (275 KB)
<br><a href="oakland-slides-96.pdf">PDF (Adobe Acrobat 2.1)</a> (65 KB)
<dt><b>"Java Policies"</b>, 6 slides, one per page
<dd><a href="policy-slides.ps">PostScript</a> (37 KB)
<br><a href="policy-slides.ps.gz">gzip'd PostScript</a> (6 KB)
<br><a href="policy-slides.pdf">PDF (Adobe Acrobat 2.1)</a> (37 KB)
</dl>
<p>
<dt><font size="+1">See Also</font>
<dd> <A HREF="internet-beseiged.html">Java Security: Web
Browers and Beyond</a>. Drew Dean, Edward W. Felten,
Dan S. Wallach, and Dirk Balfanz. <i>Internet Beseiged:
Countering Cyberspace Scofflaws</i>, Dorothy E. Denning
and Peter J. Denning, eds. ACM Press (New York, New York),
October 1997.
<dd><a href="http://ncstrl.cs.princeton.edu/Dienst/UI/2.0/Describe/ncstrl.princeton%2fTR-501-95">Security Flaws in the HotJava Web Browser</a>. Drew Dean and Dan S. Wallach, Technical Report 501-95, Department of Computer Science, Princeton University, November 1995.
</dl>
</td></tr></table>
<table width="100%" border=0 cellspacing=8>
<tr><td>
<hr>
<center>
<a href="http://www.princeton.edu/">Princeton University</a>
<br>
<a href="http://www.cs.princeton.edu/">Department of Computer Science</a>
<br>
Contact: <a href="mailto:sip@cs.princeton.edu"><i>sip@cs.princeton.edu</i></a>
</center>
</td></tr></table>
</td></tr></table>
</font>
</body> </html>