Java Security Hotlist

PAPERS

Low Level Security in Java - Frank Yellin's seminal paper on low-level details of Java Security.
Joseph Bank's Java Security paper - One of the first papers to appear on Java Security. Nice introduction to executable content. Excellent paper.
Java Security: From HotJava to Netscape and Beyond - The original IEEE Java Security paper by the Princeton Team. An excellent reference.
Blocking Java Applets at the Firewall - A paper by David Martin (Boston University), S. Rajagopalan (Bellcore), and Aviel Rubin (Bellcore) exploring the idea of using a firewall to protect against hostile applets.
Java Security: Weaknesses and Solutions - An HTML paper by Jean-Paul Billon translated (sort of) from French.
Security Breaches in the JDK 1.1 beta2 security API - Another technical opus by Billon. This one is about serialization and private keys.
The Java Security Reference Model for 1.0.2 - This report provides the security reference model for the Java Developer's Kit (JDK) version 1.0.2. The model defines the fundamental security requirements for the Java environment, serves as a basis for a security test plan, and is a first step toward further assurance documentation and analysis. An important piece of work in Java security.
The Security of Static Typing with Dynamic Linking - A paper by Drew Dean of Princeton, to appear in Proceedings of the Fourth ACM Conference on Computer and Communications Security, April 1997.
Work on the Java Type System - A paper by Sophia Drossopoulou and Susan Eisenbach to be presented at the 11th European Conference on Object Oriented Programming, June 1997.
Defensive Java Virtual Machine Version 0.5 alpha Release - A formal model of a subset of the Java Virtual Machine (JVM) built using ACL2, a mathematical logic. Formal analysis is underway. This research is sponsored by JavaSoft and is being carried out by Computational Logic, Inc. (CLI).
A Comparison between Java and ActiveX Security - A paper by David Hopwood presented at Compsec '97, the 14th World Conference on Computer Security, Audit and Control.
Extensible Security Architectures for Java - A paper by the Princeton Team (Wallach, Balfanz, Dean, and Felten) about security policies, extensible systems, and the real world.
Java is not type-safe - A paper by ATT researcher Vijay Saraswat explaining why Java is not type safe. Type safety is the cornerstone of Java security.
Experience with Secure Multi-Processing in Java - Princeton Team member Dirk Balfanz teams up with JavaSoft's Li Gong to discuss how a Java VM might grow up to be multi-user.
Implementing Protection Domains in the Java Development Kit 1.2 - By L. Gong and R. Schemers. Published in Proceedings of the Internet Society Symposium on Network and Distributed System Security, San Diego, California, March 1998.
Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2 - By L. Gong, M. Mueller, H. Prafullchandra, and R. Schemers. Published in Proceedings of the USENIX Symposium on Internet Technologies and Systems, Monterey, California, December 1997.
A Type System for Java Bytecode Subroutines - Raymie Stata and Martin Abadi discuss type systems for Java.
Trust Management on the World Wide Web - A paper by Rohit Khare and Adam Rifkin about managing trust on the web.
Mobile Code Bibliography - An extensive collection of Mobile Code publications. Grep for security to find a number of more relevant papers.
Foresight Computer Security Fact Forum - The Foresight Institute discusses aspects of the Java Security model. This is an interesting set of links. Well-organized.
IEEE Internet Computing Online: Mobile Code Security - McGraw and Felten edited the November-December 1998 issue of IEEE Internet Computing, focusing on mobile code security.
Software Assurance for Security - This short article discusses a methodology for security analysis during the design of a system (as opposed to penetrate and patch). Java could use some of this.


Note: The opinions expressed on this page are the opinions of Gary McGraw and Ed Felten.
Statements made on this page should not be construed as having come from our employers or our publishers.
We welcome correspondence; see the Java Security page for e-mail addresses.

Copyright © 1996-9, Gary McGraw and Edward Felten