|
- Authors
- Drew Dean
- Edward W. Felten
- Dan S. Wallach
- Abstract
-
The introduction of Java applets has taken the World Wide Web by
storm. Information servers can customize the presentation of their
content with server-supplied code which executes inside the Web
browser. We examine the Java language and both the HotJava and
Netscape browsers which support it, and find a significant
number of flaws which compromise their security. These flaws arise for
several reasons, including implementation errors, unintended
interactions between browser features, differences between the Java
language and bytecode semantics, and weaknesses in the design of the
language and the bytecode format. On a deeper level, these flaws arise
because of weaknesses in the design methodology used in creating Java
and the browsers. In addition to the flaws, we discuss the underlying
tension between the openness desired by Web application writers and the
security needs of their users, and we suggest how both might be
accommodated.
- Published
- 1996 IEEE Symposium on Security and Privacy
(Oakland, California), May 1996.
- Text
- PostScript (144 KB)
gzip'd PostScript (50 KB)
PDF (Adobe Acrobat 2.1) (156 KB)
- Slides
- Bell Labs Talk, 5 April 1996, 35 slides, one per page.
- PostScript (518 KB)
gzip'd PostScript (50 KB)
PDF (Adobe Acrobat 2.1) (338 KB)
- Bell Labs Talk, 5 April 1996, 35 slides, two per page.
- PostScript (370 KB)
gzip'd PostScript (44 KB)
PDF (Adobe Acrobat 2.1) (199 KB)
- IEEE Symposium on Security and Privacy, 6-8 May 1996,
14 slides, one per page.
- PostScript (556 KB)
gzip'd PostScript (275 KB)
PDF (Adobe Acrobat 2.1) (65 KB)
- "Java Policies", 6 slides, one per page
- PostScript (37 KB)
gzip'd PostScript (6 KB)
PDF (Adobe Acrobat 2.1) (37 KB)
- See Also
- Java Security: Web
Browers and Beyond. Drew Dean, Edward W. Felten,
Dan S. Wallach, and Dirk Balfanz. Internet Beseiged:
Countering Cyberspace Scofflaws, Dorothy E. Denning
and Peter J. Denning, eds. ACM Press (New York, New York),
October 1997.
- Security Flaws in the HotJava Web Browser. Drew Dean and Dan S. Wallach, Technical Report 501-95, Department of Computer Science, Princeton University, November 1995.
|
