Java Security

Java Security, Testing and Source Code
Sun's top-level Java Security Resource Page.
Sun's Java Security FAQ.
Security flaws found by Princeton (Dean, Felten, Wallach).
PostScript paper analyzing Java security and summarizing several security flaws (most of which are now fixed).
Java security flaws found by David Hopwood (old!).
Attack where custom bytecodes could be generated that run native methods and are missed by the bytecode verifier.
DNS-spoofing bug: allows applets to connect to arbitrary hosts instead of just the server from which the applet came. Fixed in Netscape 2.01 and JDK 1.01.
Bugs in Sun's alpha HotJava browser. Not present in Netscape or JDK.
Summary report of Princeton flaws. Future flaws will be listed here.
David Hopwood's package/Classloader-spoofing bug. Lets applets run arbitrary native code if the cracker can get a file somewhere (anywhere) on the client system in a location the malicious applet knows about. Fixed in Netscape 2.01 and JDK 1.01.
Early report.
Details on how files could get on the local system.
Using Netscape's cache to get files on the local system.
Results of using Netscape's cache. Later experiments found the same problems on MacOS (but not UNIX).
Another fake-the-bytecode-verifier attack, this one from David Hopwood. Like the Princeton attack, it requires custom generation of bytecodes rather than coming from standard Java source, would let the applet run arbitrary native code, and is fixed as of Netscape 2.02 and JDK 1.02.
David's list of known and previous Java security bugs, with discussion. This and the PostScript Princeton paper are probably the best two places to start.
Sprint's evade-the-firewall bug.
Mark Ladue's "Hostile Applets" collection (mostly denial-of-service attacks).
Links to the applets themselves. You may need to quit Netscape if you run any of them.
An article that explains many of the applets, with source code.
Article by Godmar Back on bypassing Java's SecurityManager in Netscape. This lets applets perform unrestricted operations, so it is suitable only for totally secure intranets that run totally trusted applets. (The owner of the browser has to do this, not the Java programmer who writes the applet!)
The comp.lang.java.security Usenet newsgroup.
Papers and Information on Garbage Collection
These are not specific to Java programming, but general to programming languages that use garbage collection (e.g. Lisp, Smalltalk, Eiffel, ML, and extensions to C and C++).
A survey of garbage collection techniques by Paul Wilson. To appear in ACM's Computing Surveys. (PostScript)
Collection of GC-related papers from the University of Texas.
Garbage Collection FAQ maintained by David Chase of Centerline.
Harlequin's Memory Management Reference.
GC articles by Hans-J. Boehm at Xerox PARC:
Complexity of mark-sweep vs. copying garbage collectors.
Explicit allocation/deallocation (malloc/free).
A garbage collector for C and C++.
Henry Baker's collection of papers, related to GC.
Large garbage-collection bibliography from Richard Jones.
Great Circle: A commercial collector for C/C++.