Java Security Hotlist: Complete Listing

Categories: Books | Researchers | FAQs | Papers | Talks/Articles | Hostile Applets | Commercial | Mostly Harmless



Books
Securing Java: Getting Down to Business with Mobile Code, by Gary McGraw and Ed Felten (John Wiley and Sons)
Java Security: Hostile Applets, Holes, and Antidotes, by Gary McGraw and Ed Felten (John Wiley and Sons)
Web Security Sourcebook: A Complete Guide to Web Security, by Avi Rubin, Daniel Geer, and Marcus Ranum (John Wiley and Sons)
E-Commerce Security: Weak Links, Best Defenses, by Anup Ghosh (John Wiley and Sons)

Researchers
Secure Internet Programming The Princeton Team, pre-eminent research group focused on Java Security.
The Java Security Web Site Splash page for this hotlist. Information on the Java Security book and CD-ROM, article listings, and mailing list.
Java Security at RST Besides providing this set of links, Dr. Gary McGraw also maintains an RST Java Security page. RST produces a Java coverage tool that is helpful during testing (a key aspect of security).
David Hopwood David Hopwood, once a student at Oxford and then a Netscape employee, discovered some of Java's flaws that led to attack applets. David is now working on crypto for Java and is a regular contributor to
Java Security at UC Davis A list of Java security resources provided by Steven H. Samorodin of the UC Davis Security lab.
Java InSecurity A page of information put together by Patricia Evans (a grad student at the University of Victoria).
Godmar Back's Java Security Page A page devoted to Java Security. Includes pointers to talk slides, and a few pointers to related websites.
Spaf's Hotlist, Security in Java Gene Spafford's Security hotlist entry for Java security. A bit out of date, but the rest of the list is amazing!
Security for Extensible Systems A research group at the University of Washington interested in extensible systems (like Java) in which code can be added to a running system in almost arbitrary fashion, and it can interact through low latency (but type safe) interfaces with other code.
The Kimera group at the University of Washington A research group at the University of Washington implementing a new Java security architecture based on factored components for security, performance, and scalability. See their Security Flaws in Java page.
Naval Postgraduate School Languages Group This group is investigating advanced type systems, especially as related to secure mobile code. They helped organize the DARPA Workshop on Foundations for Secure Mobile Code.
Arizona's Sumatra Project Research on mobile code. See especially the Java Hall of Shame.
Focus on Java: Java Security The Mining Company has a nice collection of pages about Java. This one has links to a few security sites. Web ads galore...argh.
The JAWS Project JAWS (Java Applets With Safety) is an ACSys project using theorem-proving technology to analyse safety and security properties of Java applets. Java down under.
Li Gong's Java Security Home Page A collection of pointers put together by Javasoft's esteemed Java Security Architect. Sparse.

FAQs
Frequently Asked Questions - Applet Security JavaSoft's Java Security FAQ. Pointers to all known bugs. What applets can't do.
JavaSoft: Denial of service What JavaSoft has to say about denial of service attacks.
WWW Security FAQ (Java section) Some questions about Java Security answered.
Microsoft Web Executable Security Advisor A set of pages that is to be devoted to Web security issues and alerts. Definite Microsoft spin...use appropriate filters.
Microsoft's Known Issues in Internet Explorer Java Support The official page for Internet Explorer and Java security problems and patches. The Microsoft point of view.
How the Applet Network Security Policy works If you wonder how Java might interact with a Proxy server, this is the place to look.
Java Glossary A comprehensive Java glossary.
Activating Codebase Principals Sneaky Java trick for bypassing the Netscape code-signing stage in the development cycle.
Java Security Archive A ton of Java security Q/A from the Javasoft discussion. Beware of spin.
FUDWATCH This is a great idea that takes aim at some of the vendor FUD. The claims of no security risks whatsoever are a bit overstated though.

Papers
Low Level Security in Java Frank Yellin's seminal paper on low-level details of Java Security.
Joseph Bank's Java Security paper One of the first papers to appear on Java Security. Nice introduction to executable content. Excellent paper.
Java Security: From HotJava to Netscape and Beyond The original IEEE Java Security paper by the Princeton Team. An excellent reference.
Blocking Java Applets at the Firewall A paper by David Martin (Boston University), S. Rajagopalan (Bellcore), and Aviel Rubin (Bellcore) exploring the idea of using a firewall to protect against hostile applets.
Java Security: Weaknesses and Solutions An HTML paper by Jean-Paul Billon translated (sort of) from French.
Security Breaches in the JDK 1.1 beta2 security API Another technical opus by Billon. This one is about serialization and private keys.
The Java Security Reference Model for 1.0.2 This report provides the security reference model for the Java Developer's Kit (JDK) version 1.0.2. The model defines the fundamental security requirements for the Java environment, serves as a basis for a security test plan, and is a first step toward further assurance documentation and analysis. An important piece of work in Java security.
The Security of Static Typing with Dynamic Linking A paper by Drew Dean of Princeton, to appear in Proceedings of the Fourth ACM Conference on Computer and Communications Security, April 1997.
Work on the Java Type System A paper by Sophia Drossopoulou and Susan Eisenbach to be presented at the 11th European Conference on Object Oriented Programming, June 1997.
Defensive Java Virtual Machine Version 0.5 alpha Release A formal model of a subset of the Java Virtual Machine (JVM) built using ACL2, a mathematical logic. Formal analysis is underway. This research is sponsored by JavaSoft and is being carried out by Computational Logic, Inc. (CLI).
A Comparison between Java and ActiveX Security A paper by David Hopwood presented at Compsec '97, the 14th World Conference on Computer Security, Audit and Control.
Extensible Security Architectures for Java A paper by the Princeton Team (Wallach, Balfanz, Dean, and Felten) about security policies, extensible systems, and the real world.
Java is not type-safe A paper by AT&T researcher Vijay Saraswat explaining why Java is not type-safe. Type safety is the cornerstone of Java security.
Experience with Secure Multi-Processing in Java Princeton Team member Dirk Balfanz teams up with JavaSoft's Li Gong to discuss how a Java VM might grow up to be multi-user.
Implementing Protection Domains in the Java Development Kit 1.2 By L. Gong and R. Schemers. Published in Proceedings of the Internet Society Symposium on Network and Distributed System Security, San Diego, California, March 1998.
Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2 By L. Gong, M. Mueller, H. Prafullchandra, and R. Schemers. Published in Proceedings of the USENIX Symposium on Internet Technologies and Systems, Monterey, California, December 1997.
A Type System for Java Bytecode Subroutines Raymie Stata and Martin Abadi discuss type systems for Java bytecode subroutines.
Trust Management on the World Wide Web A paper by Rohit Khare and Adam Rifkin about managing trust on the web.
Mobile Code Bibliography An extensive collection of Mobile Code publications. Grep for security to find a number of more relevant papers.
Foresight Computer Security Fact Forum The Foresight Institute discusses aspects of the Java Security model. This is an interesting set of links. Well-organized.

Talks/Articles
Java Security Articles (By the Authors and About the Authors) This page is a collection of articles written by or about the Java Security book. Many are hyperlinked to Web sites. Publications include Byte, JavaWorld, and C!Net. (You can sign up for notification about future articles.)
Lectures and talks promoting the Java Security book This includes bookstore signings, on-line chats, radio, trade shows and academic lectures by Ed Felten and Gary McGraw.
Java(tm) and JavaSoft Products JavaSoft's Documentation page. Includes information on getting Java specs.
JavaSoft FORUM on Java Security A discussion of Java Security issues hosted by JavaSoft and including several prominent security researchers.
Java Security Chapter 14 of "WWW Beyond the Basics", a Web book by Virginia Tech students. This web-based document by Vijay Sureshkumar offers a concise overview of some security issues and provides a quick introduction to the security model.
Security for Java Programmers: An Introduction Jay Heiser's 2/97 article from the Java Developers Journal. Introductory.
Java Security Model: Java Protection Domains A handout from JavaSoft which briefly explains the new security model.
Introduction To Capability Based Security A Web-based tutorial from Electric Communities.
Object Signing CodeStock Notes Netscape developer information about signing code (including Java). Also see Netscape Object Signing.
Secure Computing with Java: Now and The Future A white paper from JavaSoft explaining Java Security. Looks suspiciously like our book in places. Hmm.
Java's security architecture An overview of the JVM's security model and a look at its built-in safety features.
Security and the class loader architecture A look at the role played by class loaders in the JVM's overall security model.
Security and the class verifier A look at the role played by the class verifier in the JVM's overall security model.
Java security: How to install the security manager and customize your security policy Learn about the security manager and the Java API, what remains unprotected by the security manager, and security beyond the JVM architecture.
Code Signing for Java Applets A home-grown article by Dan Grisom explaining how to sign Java code. I wrote a couple of articles for about code signing too. See the Java Security Articles page.
Javaworld's Java Security Books list An exhaustive list of Java security books (including etherbooks and non-existent titles). We'll give you one guess which one we think is best!
Signing Applets for Internet Explorer and Netscape Navigator An article by Joseph Bowbeer from June 97 (JDK 1.1 days).
Directions in Java Security: The JDC Interviews JavaSoft Security Guru Li Gong Cheese, but interesting cheese. You'll have to register as a Java Developer to see this interview.
Building a bigger sandbox A superficial look at the new code signing model.
Package The package API summary for JDK 1.2.
Security in JDK 1.2 Sun's on-line tutorial stepping through JDK 1.2 security. The party line.
Trust Based Security for Java Microsoft's view on Trust-Based security in Java. Pointers to code signing HOWTOs related to Authenticode.
Netscape Object Signing Establishing Trust for Downloaded Software Netscape's Object Signing model page. All three major vendors have slightly different approaches (though all are based on stack inspection).
The trick to using Java networking applets behind firewalls A JavaWorld Java tip addressing the firewall problem.
Java 2 security model white paper Sun's perspective on the new model.
The Evolution of Java Security from IBM An IBM whitepaper explaining how Java has evolved from JDK 1.0.2 to JDK 1.2 (now called Java 2). The API explanation is dated.

Hostile Applets
Mark LaDue's Hostile Applets Home Page A collection of increasingly hostile applets put together by Mark LaDue, a graduate student at Georgia Tech. In our terminology, these are all malicious applets.
Georgia Tech kicked Mark off their site, so his page is now hosted by Reliable Software Technologies, though Mark retains complete editorial control over content and RST does not endorse or necessarily agree with his opinions.
The Hostile Mail Applet Page WARNING: Jim Buzbee's first malicious applet sends mail somewhere unknown, from YOUR machine.
File Scanner WARNING: Jim Buzbee's malicious applet scans your diskdrive to see if particular files exist.
A tiny (killer App)let Brought to you by the Naval Postgraduate School. WARNING: This applet will crash your browser.
Netscape Browser/Java Applet Security Bug Redirect attack take one. This hole has been plugged.
MSIE Java Security Hole This applet, brought to you by Ben Mesander, colludes with an evil Website to send an HTTP redirect that apparently works only against MSIE. Ben's work was featured in a C!Net news story.
the crapplet Can't say that I've checked this one out, but it claims to do nasty things. Sounds like a typical DoS.
Two Security Holes Major Malfunction and Ben Mesander demonstrate a couple of security holes. A more cogent explanation can be found in the article "Is your browser a blabbermouth? Are your ports being scanned?"

Commercial
Note: We will avoid reviewing products for commercial enterprises in this section. These links are not endorsements; they are provided solely for completeness. Contact us for more information.
Finjan Software Finjan Software produces two products, SurfinShield and SurfinGate. Finjan recently formed a Technical Advisory Board.
MindQ Home Page MindQ offers a CD-ROM about Java Security.
Maximized software Offers the WebReferee product.
Phaos Technology SSLAVA secure socket layer API classes.
Digitivity Technology for more secure mobile code.
Acme.Crypto FREE crypto classes from Jef Poskanzer.
Java-cryptlib The FREE Java-cryptlib allows you to write platform independent crypto programs.
Java(tm) Cryptography Extension JavaSoft's JCE is an extension package to the JDK. North American distribution only (export control bites).
Java Cryptography Toolkit Commercial encryption classes. Free for personal use only.
FlexxGuard And guess what, big blue does it too! Applet regulation must have a market somewhere.
Security7 Security 7 and a related organization, WithinReach, once collaborated to spread fear, uncertainty, and doubt about hostile mobile code. We, among others, don't condone this approach. (See the Infoworld story on the link between Security7 and WithinReach.)
Advanced Computer Research Online Makes the secure4u widget. Yet another hostile code "stopper".
Aphah Aphah makes an outstanding decompiler. Now that mocha is defunct, this is the place to turn.
International Computer Security Association The ICSA recently created a Malicious Mobile Code Consortium. This organization is likely to create self-imposed certification criteria for vendors. It remains to be seen what the certification will mean.
4th Pass 4thpass makes an obfuscation tool.
eSafe Technologies Esafe makes a mobile code sandbox (as if Java doesn't have one already).
JCP JCP provides cryptographic solutions for e-commerce, including an SSL class library and a crypto development kit.
Server-Based Java Security Products A CMPnet comparative review of four of the several Java security add-on products on the market.
TrendMicro Trendmicro makes the Interscan Appletrap product. This whitepaper explains Trendmicro's view of mobile code.
Java Security Vendors: Solutions or Snake Oil Your hosts try to make some sense of third-party solutions. A preview of content from Securing Java.

Mostly Harmless
SunSite@UTK Java Security Several links to Java Security sites. Includes bug info. Partly useful.
Wei Wang (et al): Java Security Not a great paper, but it's out there. Written for a class project.
Java Security Scott Oaks's book Java Security. O'Reilly is known for their developer-oriented books. This book fits the bill, as it provides both an API reference guide and a number of code samples. It is almost up-to-date (JDK1.2beta3) and carefully details JDK 1.2 functionality. One caveat: Oaks is an employee of Sun Microsystems and certainly toes the party line. The discussion of security risks and implications reflects this fact. Also missing is any treatment of Java security holes. If you are a developer who wants to learn about the APIs and you don't care too much about the bigger picture, this book is for you.
Symantec spots first Java virus (CNN)
JavaApp.Strange Brew (Symantec)
Rumors of this "virus" were greatly exaggerated by Symantec. Alas.