Book Review: "Java Security: Hostile Applets, Holes, & Antidotes" by Dr. Gary McGraw (Reliable Software Technologies) and Dr. Edward W. Felten (Princeton University's Safe Internet Programming Team)

Review by Marie Alm
Dr. Gary McGraw and Dr. Edward W. Felten are well-known experts on Java security, and they are the authors of a new book dedicated to this important field. It is a deceptively small book of six chapters, two appendices (a security FAQ and the two CERT alerts) and references. Packed into those 184 easy-to-read pages is a thorough discussion of the Java security model, what is good about it and what could be improved, along with numerous examples. In addition, they present well-known security flaws and explain why they caused, or could have caused, such problems.
In the initial discussion of the growth of internet use and why security is so important, the authors state directly that "the lessons of this book apply directly to all of these executable content languages" and that the concerns apply to both developers and users of Java. "Executable content languages" refers not only to Java but also to ActiveX, JavaScript, SafeTcl, Word and Excel macros, Telescript, and PostScript. This is an important point because supporters of one of those other languages may believe that the security concerns are Java's alone and that they are safe. That is certainly not the case.
Another important point is that 100% security of web-based systems is not possible. This means that one must carefully consider the cost-benefit of using the web - how much risk is acceptable to the enterprise. The crux of the matter here is the control of access to a system's resources.
McGraw and Felten place security risks into four categories: "system modification, invasion of privacy, denial of service, and antagonism." Each of these is discussed in detail along with Java's "three-tier approach to security." The third tier is further broken down into a three-prong defense. They prefer the term "prong" because without any one of the prongs, the entire security system is broken. These three tiers and prongs are:

A Three-Tier Approach to Security

- Restricted access to file systems and the network.
- Restricted access to browser internals.
- A set of load-time and runtime checks to verify that bytecode is following the rules.
It is essential that you never install classes of unknown origin as built-in classes by putting them in the CLASSPATH. Type safety is the most essential element of Java's security. Functionality and security will always exist in an inverse relationship. The Java runtime system is large (upwards of 28,000 lines of code, not including the VM). The ultimate cracker goal is complete control of your machine. Currently, public variables are writable across name spaces. It is possible to do things in bytecode that the Java compiler would not allow. It is very easy to decompile bytecode, but obfuscating the Java source code makes that decompilation much more difficult. Eight serious security problems have been discovered (and fixed) so far. Some involve Netscape Navigator (2.0 or before) and some involve Microsoft Internet Explorer. Each of these is discussed in some detail, and the full text of the two security alerts from the CERT Coordination Center is included as an appendix. (The CERT Coordination Center, a DARPA-funded organization, is part of the Software Engineering Institute at Carnegie Mellon University, Pittsburgh, PA, USA.) The eight problems, with the month each became known, are:

- February 1996: Jumping the Firewall
- March 1996: Slash and Burn
- March 1996: Applets Running Wild
- May 1996: Casting Caution to the Wind
- June 1996: Tag-Team Applets
- June 1996: You're Not My Type
- July 1996: (also called) Casting Caution to the Wind
- August 1996: Big Attacks Come in Small Packages
Following all this sometimes scary information about what nasty things can be done to our computer systems, McGraw and Felten talk about what we can do to protect ourselves from these nefarious attacks. For one thing, use public variables sparingly and wisely, if you must use them at all. For another, log file system and network access at the very least and, if possible, also capture applet bytecode. And disable Java in your browser unless you specifically know and trust the site you are visiting, including sites internal to your enterprise. The authors give six guidelines for using Java safely, each of which is covered in detail in the book.

Guidelines for Using Java Safely

- Know what web sites you are visiting.
- Know your Java environment.
- Use up-to-date browsers with the latest security updates.
- Keep a lookout for security alerts.
- Apply drastic measures if your information is truly critical.
- Assess your risks.
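The advice to log file system and network access can be put into practice with Java's own SecurityManager hook, which the book's "three prongs" include. The following is an added example written for this review, not code from the book or from its authors: an audit-only SecurityManager that records every file and socket permission request without refusing any of them. It assumes a JDK that still ships java.lang.SecurityManager (deprecated since Java 17; on Java 18 through 23 the process must be started with -Djava.security.manager=allow, and JDK 24 removed the ability to install one entirely). The file name and port in main() are constructed sample values.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.net.Socket;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Date;

/**
 * Audit-only SecurityManager (added example, not from the book).
 * Every file-system and network permission request is written to
 * stderr; nothing is refused, so an existing program keeps working
 * while its resource accesses are recorded for later review.
 */
public class AuditSecurityManager extends SecurityManager {

    private static void log(String kind, String detail) {
        System.err.println("[" + new Date() + "] " + kind + ": " + detail);
    }

    // In JDK 1.2 and later every checkRead/checkWrite/checkConnect call
    // funnels into checkPermission, so this one override sees each
    // file and socket request the program makes.
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission) {
            log("file " + perm.getActions(), perm.getName());
        } else if (perm instanceof SocketPermission) {
            log("net " + perm.getActions(), perm.getName());
        }
        // No super call on purpose: audit mode permits everything.
        // A production manager would call super.checkPermission(perm)
        // here so the installed policy still decides.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    public static void main(String[] args) {
        System.setSecurityManager(new AuditSecurityManager());

        // Constructed sample activity; each call produces one log line.
        new File("audit-demo.txt").exists();           // "file read: audit-demo.txt"
        try (Socket s = new Socket("localhost", 9)) {  // "net connect,resolve: localhost:9"
            // port 9 (discard) is normally closed; a refused
            // connection is fine because the attempt was already logged
        } catch (IOException e) {
            // ignored: the log line was written before the connect failed
        }
    }
}
```

Run with `java -Djava.security.manager=allow AuditSecurityManager` on Java 18 to 23 (plain `java AuditSecurityManager` on older releases). The design choice worth noting is the missing `super.checkPermission` call: an audit-only manager is useful for discovering what an unfamiliar program touches, but it enforces nothing, so once the log shows what accesses are legitimate the manager should be replaced by one that defers to a real policy.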
The final chapter is all about the future - plans and dreams for enhancing Java security. Included are improvements in JDK 1.1, the Crypto API, certificates, access control hooks in JDK 1.1, signed applets with digital signatures (which involves certification and authentication), and secure communication with a secure socket layer.
In addition to all the security information they present in the book, the authors give numerous references throughout where you can find more information. (An appendix collecting all the web links given would have been a nice addition.) This great book is a must-read for everyone who has more than a casual acquaintance with Java and belongs on the shelf of every serious Java developer. We will be watching Drs. McGraw and Felten for further developments in this most interesting, important, and relevant research.
Dr. Gary McGraw is a researcher at Reliable Software Technologies.
Dr. Edward W. Felten is a member of Princeton University's Safe Internet Programming Team.
Link Summary:
See MokaByte's interview with Dr. McGraw
Order the book: "Java Security: Hostile Applets, Holes, & Antidotes"
Reliable Software Technologies (http://www.rstcorp.com)
See Safe Internet Programming at Princeton University's SIP website.
See the Java Security FAQ at JavaSoft's website.
See CERT Coordination Center for security alerts and help with security problems.