Java Exploits

Java has a wonderful security model that almost perfectly balances usability with security. Pulling off this delicate balancing act took a lot of smart people, a lot of code, and a complex set of checks. And for the most part it works! Unfortunately, as any security expert will tell you, complexity increases the chances that something will break, and Java's security model is complex. Java's sandbox has been violated several times, and even applets that break none of the sandbox's rules can mount annoying denial-of-service attacks.

Paid to Hack

There are thousands of hackers interested in exploiting mobile code for malicious ends. Entire groups, like Germany's Computer Chaos Club, use a professional, team approach to hacking Java. Everyone wants to be the first to "prove how insecure Java is." Fortunately, there are a few dozen highly skilled professional groups working to find the latest exploit before malicious hackers can.

Probably the most famous group analyzing Java is Princeton University's Safe Internet Programming Team (SIP) (http://www.cs.princeton.edu/sip). Using support garnered from both public and private entities, SIP is the premier research group studying mobile code systems. They have a serious bent toward Java, but they are the group to talk to about any malicious code exploit. The team also includes several other university groups, graduate students dedicated to debugging Java, and JavaSoft's own security team.

History of Java exploits

Java was released ...
