4/5/96 Java Security: HotJava to Netscape and Beyond. Drew Dean, Ed Felten, Dan Wallach. Department of Computer Science, Princeton University.
Transcript
Page 1: Java Security: HotJava to Netscape and Beyond

Drew Dean, Ed Felten, Dan Wallach
Department of Computer Science, Princeton University
4/5/96

Page 2: Introduction

- Remote Code is Everywhere
- Java - A new language for executable content on the World Wide Web
- HotJava - A Web browser written in Java
- Netscape 2.0 - A Web browser with Java support

Page 3: Remote Code

- Allows interactive content
  - hot image maps
  - animations
  - front-ends to shared games, databases, etc.
- Dynamic Web pages

Page 4: Java: Buzzword Compliance

- Portable byte code interpreter
  - Load-time compilation possible
- Abstract Window Toolkit (portable runtime)
- Reusable class modules (applets)
- Safe for untrusted code
  - Restricted file system / network access
  - Restricted access to browser internals
  - Load and run-time checks

Page 5: Outline

- Introduction
- Java Semantics
- HotJava and Netscape Security Flaws
- Security Analysis
- Application Requirements
- User Interface
- Future work / Conclusions

Page 6: Java vs. C++

- Name spaces and packages
- public, protected, private, or public-within-current-package members
- Language-level threads and synchronization
- No pointers
- Garbage collection
- Type safety

Page 7: Java Type Safety

- Load-time code verifier
- Run-time exceptions
  - Array bounds
  - Type compatibility
  - Local vs. remote code security checks

Page 8: Java Remote Bytecode

- ClassLoaders
  - ClassLoaders bind names to Class objects
  - Default ClassLoader can only load code from file system
  - Other ClassLoaders can access network, etc.
  - All classes tagged with their ClassLoader
- Applets may not create ClassLoaders

Page 9: Java SecurityManager class

- New in Java beta versions
- Implements much of Java's security policy
- Runtime checks on dangerous methods (i.e. a reference monitor [Lampson])
  - Tamperproof, verifiable, always invoked
- Customizable (eventually)
- Can't be changed after browser initialization

Page 10: HotJava 1.0α3 Security

- Covert Channels
  - URLs
  - DNS
  - Two- vs. three-party attacks

(Figure: Alice, Bob and Charlie; two applets; Web requests; covert channel)

Page 11: HotJava 1.0α3 Security

- Information available to leak
  - Mailcap files
  - System.getenv()
- Denial of service attacks
  - C:\TEMP
  - Acquire a system lock
- Man-in-the-middle attack
  - Set HTTP proxy server

Page 12: Sun's Response

- "Fixed in the next release"
  - getenv() is gone
  - accept() bug fixed
  - DNS/URL channels closed (not!)
  - ACLs removed (no file access at all in Netscape)
- Too bad
  - Denial of service attacks "lower in priority than system integrity"

Page 13: Netscape 2.0 Security

- Separation of Netscape and Java code
  - can't change HTTP proxy server
  - less chance for accidental or malicious bug introduction
- Fixed security policy
  - can't trick users into lowering security
- Serious limits on functionality
  - no file system access

Page 14: Netscape 2.0β Insecurity

- protected variables were effectively public
  - semantics of protected changed in JDK β2 (Netscape 2.0 β4)
  - could set SecurityManager.inCheck, opening DNS channel
- could learn the user's name [Burchard]
- could read the clipboard [Burchard]
  - fixed in JDK β2

Page 15: JDK 1.0 Insecurity

- javap, the disassembler, calls sprintf() wrong
  - can overflow internal buffers
    - similar attack last year on syslog(3) [CERT 95:13]
  - examining a Java class can run arbitrary native code!
- similar bugs in Java 1.0α3 were fixed, but they forgot javap..

Page 16: Netscape 2.0 Insecurity

- Denial of service attacks still available
- Applets can interfere with each other

Quoted from check_code.c:

    /*
     * @(#)check_code.c 1.51 95/12/02
     */
    /*-
     * Verify that the code within a method block doesn't
     * exploit any security holes.
     *
     * This code is still a work in progress. All currently
     * existing code passes the test, but so does a lot of bad
     * code.
     */

Page 17: Netscape 2.0 Insecurity

- Java trusts DNS
  - Internet hosts can have multiple IP addresses
  - Java host equality test is too lenient
- With a hacked DNS server
  - Two-way channel to any machine on the Internet
  - Applets can connect to machines behind a firewall
    - Exploit numerous Unix and Windows bugs
    - Talk to internal Web and NetNews servers

Page 18: Netscape DNS Attack

(Figure: attacker.com and victim.org; User, DNS, Web proxy, Internal mail server, Firewall; applet; DNS, Web server; hostname lookup; applet exploits sendmail bug, runs arbitrary C code; Mail server information leak; Trusted mail server.)

The DNS attack allows connections to any machine behind the firewall.
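To make the host-equality weakness behind the two slides above concrete, here is a small model (an added example, not code from the talk, Netscape or Sun) of the lenient check beside a hardened one that pins the applet to the address it was actually loaded from; the resolver table, host names and addresses are constructed.

```python
"""Model of the host-equality check behind the 'Netscape DNS Attack' slides.
Added example, not Netscape's or Sun's code: the resolver table, addresses
and host names are constructed (RFC 5737 / RFC 1918 sample ranges)."""

# Constructed DNS answers. The applet's home server answers for its own name
# with two addresses: its public one and an address on the victim's intranet.
# Nothing stops a DNS server from returning any address it likes.
RESOLVER = {
    "applet-host.example": ["203.0.113.5", "10.0.0.7"],
    "mail.intranet.example": ["10.0.0.7"],
}


def resolve(name):
    return list(RESOLVER.get(name, []))


def lenient_same_host(origin_name, target_name):
    """The 'too lenient' test: two names count as the same host as soon as
    their address lists overlap. That makes the decision depend entirely on
    the answers of a DNS server the applet's author controls."""
    return bool(set(resolve(origin_name)) & set(resolve(target_name)))


def strict_same_host(origin_ip, target_ip):
    """Hardened test: compare against the single IP address the applet was
    actually loaded from. No name lookup is involved, so no DNS answer can
    widen the set of reachable hosts."""
    return origin_ip == target_ip


def check_connect(policy, origin_name, origin_ip, target_name, target_ip, audit):
    """Reference-monitor style decision for one applet socket request, with an
    audit line per decision as the 'Accountability' slide asks for.
    policy is 'lenient' (the Netscape 2.0 behaviour) or 'strict'."""
    if policy == "lenient":
        ok = lenient_same_host(origin_name, target_name)
    elif policy == "strict":
        ok = strict_same_host(origin_ip, target_ip)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    audit.append(
        f"{policy}: applet from {origin_name} [{origin_ip}] -> "
        f"{target_name} [{target_ip}]: {'ALLOW' if ok else 'DENY'}"
    )
    return ok


if __name__ == "__main__":
    audit = []
    # The applet was fetched from 203.0.113.5 and now asks for a socket to the
    # intranet mail server. The lenient rule says yes, the strict rule says no.
    for policy in ("lenient", "strict"):
        check_connect(policy, "applet-host.example", "203.0.113.5",
                      "mail.intranet.example", "10.0.0.7", audit)
    # Connecting back to the host the applet came from stays allowed.
    check_connect("strict", "applet-host.example", "203.0.113.5",
                  "applet-host.example", "203.0.113.5", audit)
    print("\n".join(audit))
```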

Page 19: Netscape 2.0 Insecurity

- Java trusts bytecode to enforce language semantics
  - Superclass constructors may throw SecurityException
    - Prevents instantiation of ClassLoader and other classes
  - Exception can be ignored by custom bytecode
- A ClassLoader can break the type system

Page 20: Running Machine Code

- Available tools
  - Read/modify any variable, and call any method
  - Use ints as object references, and vice versa
  - Double dereference any pointer
  - Access to C implementation of class Class
- Puzzle: Run arbitrary machine code?

Page 21: Running Machine Code

Page 22: Outline

- Introduction
- Java Semantics
- HotJava and Netscape Security Flaws
- Security Analysis
- Application Requirements
- User Interface
- Future work / Conclusions

Page 23: Security Analysis

- Sun wants you to believe Java is secure
  - Applets don't have access to any information
  - There are no channels to leak information out
  - Safe language thwarts malicious applets
- We found
  - Interesting information available to applets
  - Channels exist to leak information out
  - Applets can execute arbitrary machine code

Page 24: Security Policy

- No formal model
  - "A program that has not been specified cannot be incorrect; it can only be surprising." [YBK85]
- Why this is bad
  - We can't say what "secure" means
  - We can't verify an implementation

Page 25: Accountability

- Java does not log applets or their actions
- Should log
  - File system and network access
  - Applet bytecode
- Evidence of an attack
  - Reconstruct what happened
  - Seek legal recourse

Page 26: Integrity

- HotJava is harder to secure than Netscape
  - More state kept in Java
  - Lack of formal interface between browser and applets
  - Mistakes (public variables) become security problems in HotJava
- Browser in Java won't have C safety problems
- This issue will reappear in future HotJava releases (expected 1Q96)

Page 27: Assurance

- Java and HotJava do not identify a TCB (trusted computing base)
- Security critical functionality spread throughout the code
  - Dynamic type checks
  - Not all native methods protected by SecurityManager
- Bugs in release edition - rushed shipment?

Page 28: Anatomy of a File Open

    public FileInputStream(String name) throws FileNotFoundException {
        SecurityManager security = System.getSecurityManager();
        if (security != null) {
            security.checkRead(name);
        }
        try {
            open(name);
        } catch (IOException e) {
            throw new FileNotFoundException(name);
        }
    }
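The constructor above is the gate every file open passes through. The following model (added here, not JDK code) replays it with a minimal reference monitor that logs each decision, as the "Accountability" slide asks, and shows the gap the "Assurance" slide notes: a native open that the manager never sees. The policy, the in-memory file system and the audit log are constructed.

```python
"""Model of the 'Anatomy of a File Open' slide: the SecurityManager acts as a
reference monitor in front of the file open, and every decision is logged.
Added example, not JDK code; the policy, in-memory file system and audit log
are constructed."""


class SecurityException(Exception):
    pass


# Constructed in-memory "file system" so the example runs offline.
FILES = {
    "/home/user/.prefs": b"fontsize=12\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}


class SecurityManager:
    """Reference monitor (slide 9): small enough to verify, state kept private,
    and it must be invoked on every path that opens a file."""

    def __init__(self, applet_readable, audit):
        self._applet_readable = tuple(applet_readable)  # path prefixes applets may read
        self._audit = audit                              # list of decision strings

    def check_read(self, name, loader):
        # 'loader' models the ClassLoader tag every class carries (slide 8):
        # None for code loaded from the local file system, a string for applets.
        allowed = loader is None or name.startswith(self._applet_readable)
        who = "local" if loader is None else f"applet:{loader}"
        self._audit.append(f"checkRead {name} by {who}: {'ALLOW' if allowed else 'DENY'}")
        if not allowed:
            raise SecurityException(f"{who} may not read {name}")


def file_input_stream(name, loader, security):
    """Mirrors the JDK constructor on the slide: 'security' plays the role of
    System.getSecurityManager(), so None means no manager is installed."""
    if security is not None:
        security.check_read(name, loader)
    try:
        return FILES[name]
    except KeyError:
        raise FileNotFoundError(name) from None


def native_open(name):
    """A native method that bypasses the manager, the gap the 'Assurance' slide
    notes ('not all native methods protected by SecurityManager'). Any caller
    that reaches this function defeats the policy however good it is."""
    return FILES[name]


def attempt(name, loader, security):
    """Return 'ok', 'denied' or 'missing' for one open, for callers and tests."""
    try:
        file_input_stream(name, loader, security)
        return "ok"
    except SecurityException:
        return "denied"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    audit = []
    sm = SecurityManager(applet_readable=["/home/user/.prefs"], audit=audit)
    print(attempt("/home/user/.prefs", "http://example.test/", sm))  # ok
    print(attempt("/etc/passwd", "http://example.test/", sm))        # denied
    print(attempt("/etc/passwd", None, sm))                          # ok: local code
    print(attempt("/etc/passwd", "http://example.test/", None))      # ok: no manager
    print(len(native_open("/etc/passwd")))                           # bypasses the check
    print("\n".join(audit))
```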

Page 29: Language Issues

- Public variables are dangerous
  - Why are they writable across name spaces?
- Java's package mechanism
  - Not as useful as parameterized module system (e.g. Standard ML's functors)
  - Hierarchical module system allows hierarchical protection

Page 30: Intermediate Representation

- Abstract Syntax Trees vs. Bytecode
  - ASTs easier to type check
    - No need for global dataflow analysis
  - ASTs have same semantics as language
    - Bytecode has its own semantics
  - Comparable compilation speed

Page 31: Application Requirements

- What do we want to write in Java?
  - Distributed applications
    - A/V conferencing, but not cross-network bugs
    - Loosely coupled computations (e.g. factoring), but neither stealing cycles nor denial-of-service attacks
    - Games, but not trojan-horse benchmarks
  - General Applications
    - Save/restore preferences, but not read /etc/passwd

Page 32: User Interface

- Too easy for the user just to click OK
  - Goal: minimize user involvement in security
  - Trusted and unspoofable dialogs for file access
- Unforgable device access indicators
- Access to the clipboard
  - Paste to applet on Edit menu
    - Explicit user-initiated request, not applet-initiated

Page 33: Digital signatures for applets

- Grant more trust to signed applets?
- Log user-approved capabilities per applet or per source
- User-specified or organization-specified policies?
  - Different degrees of trust between organizations
  - One rigid policy won't fit everybody
- Interaction with organization's firewall?

Page 34: Future Work

- Design a set of security policies
- Implement policies in Netscape and/or HotJava
- Build a high-assurance Java runtime system

Page 35: Conclusions

- Remote code is inevitable for the Web
- Java is promising, but has important bugs and design issues
- Stronger security measures can allow more functionality for untrusted applets without compromising privacy and integrity

http://www.cs.princeton.edu/~ddean/java/

