Hostile Java Applets

David Evans, University of Virginia


Java Security Overview

Low-Level Code Safety

High-Level Code Safety

Low-Level Code Safety Mechanisms

Bytecode Verification

Run-Time Checks

High-Level Code Safety Mechanisms



Enforcing Policies

Malicious Behavior

Exploiting Weak Policies

Consuming Resources


Circumventing Policies

Violating Low-Level Code Safety

Policy Association

Security Checking




Cross References



Java was introduced in 1995 as both a high-level programming language and an intermediate language, Java Virtual Machine language (JVML, sometimes called Java byte codes), and execution platform, the Java Virtual Machine (Java VM), designed for secure execution of programs from untrusted sources in Web browsers (Gosling, 1995). These small programs that are intended to execute within larger applications are known as applets. Java runs on a wide range of platforms scaling from the Java Card smart card environment (Chen, 2000) to the Java 2 Enterprise Edition (J2EE) for large component-based enterprise applications (Singh, Stearns, Johnson, & the Enterprise Team, 2002). This chapter focuses on the Java 2 Platform, Standard Edition (J2SE), which is the most common platform for desktop applications and servers, including Web browsers. Most of the security issues are the same across all Java platforms, however. Because of the limited functionality of the Java Card environment, ...

Get Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.