About site: Programming/Languages/Java/Security - Java Security: Web Browsers and Beyond

Return to Computers also Computers

About site: http://pages.cs.wisc.edu/~lhl/cs740/papers/java-security2.ps Title: Programming/Languages/Java/Security - Java Security: Web Browsers and Beyond Paper published in 1998 by Drew Dean, Edward Felten, Dan Wallach, and Dirk Balfanz. [Postscript format].

Angle_eCards Includes Christmas, Halloween, flowers, zodiac, Native American, tropical, and space. Animations and effects available. WebHub A complete development environment for building web applications. Singularity_is_Near By Raymond Kurzweil; Viking Press, 2005, ISBN 0670033847. Book site, with descriptions, excerpts, resources, news, press reviews, biography. SteeleSoft_Consulting A web development company specializing in writing PHP/MySQL based web applications and web sites. Listbox_Mailing_Lists Offers two-way discussion lists and one-way announcement lists with web-based tools for maintaining subscribers, sending messages, and features like timed delivery, custom autoreplies and advanced lis Components_and_Tools__Localization_-_Delphi_Programming_-_Net_Links Localization tools for Delphi, from your About.com Guide.   Alexa statistic for http://pages.cs.wisc.edu/~lhl/cs740/papers/java-security2.ps Please visit: http://pages.cs.wisc.edu/~lhl/cs740/papers/java-security2.ps

Related sites for http://pages.cs.wisc.edu/~lhl/cs740/papers/java-security2.ps     DBPD_Magazine Digital incarnation of Database Programming & Design, a technical magazine for database professionals.     WebPainter Includes all the tools needed to create professional Web animation and graphics. Unique cel animation interface to create small-sized, high-quality GIF animations, QuickTime movies, and JPEG and GIF f     Attar_Software Software to build Knowledge Based Systems. Popular data mining product offering efficient implementation of rule induction strategy.     CTM_Solutions Developers of motion pictures, Web TV and Internet productions.     Nokia_Theme_Studio Application for creating mobile themes with SVG-T support.     Fischertechnik_North_America German manufacturer of a flexible construction system and robot kits that can be utilized to learn and teach concepts in engineering, robotics, PLC/computer-control, and industrial robots.     eFORM_and_FUNCTION__Word_templates Transform paper forms into eform Microsoft Word templates. Learn about email forms and submitting business forms to email. Get eform MS Word templates free.     RFC_3149 MGCP Business Phone Packages. A. Srinath, G. Levendel, K. Fritz, et al. September 2001.     Abydos_Suite Abydos provide IT workflow and business process automation solutions based around Abydos Designer, Abydos OM and the Abydos Provisioning Engine.     CADintosh 2D CAD package for Macintosh from LemkeSoft (of GraphicConverter fame). Shareware.     Courion_Corporation Courion delivered the industry's first web-based support automation application, Password Courier, which automates the most common IT support problem - password resets. Courion has also delivered the     Royal_National_Institute_for_the_Blind__Web_Access_Centre Web accessibility resources.     Accelebrate Provider of on-site, instructor-led training on JSP, Struts, and other Java technologies.     Rampart User authentication for multiple sites and pages through a single datasource and code base.     Deskpaper_com Provides free wallpapers including movies, nature, celebrities, games, space and cartoons.     Go_cc Offers free 3rd-level domains. Service includes URL and email forwarding.     Squirrel_Cart_Shipping_Module A PHP/MySQL e-commerce system. Also company offer shopping cart hosting. By Nextnet Hosting. [Commercial]     Freakshells_com Offers shells for bots and IRC bouncers. Has IPv6 support.     DC_Web_Design Offers design, Flash, database integration, hosting, and domain name registration services. Located in Northamptonshire, United Kingdom.     Windows_CE__International_Glossaries These glossaries provide international terminology for the individual use of specific terms in software development and localization.

This is websites2007.org cache of m/ as retrieved on 2008.10.07 websites2007.org's cache is the snapshot that we took of the page as we crawled the web. The page may have changed since that time.

%!PS-Adobe-2.0%%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software%%Title: paper.dvi%%Pages: 20%%PageOrder: Ascend%%BoundingBox: 0 0 612 792%%DocumentFonts: Palatino-Roman Palatino-Bold Palatino-Italic Courier%%DocumentPaperSizes: Letter%%EndComments%DVIPSCommandLine: dvips -o paper.ps paper%DVIPSParameters: dpi=600, compressed, comments removed%DVIPSSource: TeX output 1997.02.24:1849%%BeginProcSet: texc.pro/TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N/X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1}ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scaleisls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 divhsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mulTR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if}forall round exch round exch]setmatrix}N /@landscape{/isls true N}B/@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B/FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB Nstring /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE Nend dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data duplength 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 subget 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-datadup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N/rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup/base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoffsetcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff.1 sub]/id ch-image N /rw ch-width 7 add 8 idiv string N /rc 0 N /gp 0 N/cp 0 N{rc 0 ne{rc 1 sub /rc X rw}{G}ifelse}imagemask restore}B /G{{idgp get /gp gp 1 add N dup 18 mod S 18 idiv pl S get exec}loop}B /adv{cpadd /cp X}B /chg{rw cp id gp 4 index getinterval putinterval dup gp add/gp X adv}B /nd{/cp 0 N rw exit}B /lsh{rw cp 2 copy get dup 0 eq{pop 1}{dup 255 eq{pop 254}{dup dup add 255 and S 1 and or}ifelse}ifelse put 1adv}B /rsh{rw cp 2 copy get dup 0 eq{pop 128}{dup 255 eq{pop 127}{dup 2idiv S 128 and or}ifelse}ifelse put 1 adv}B /clr{rw cp 2 index stringputinterval adv}B /set{rw cp fillstr 0 4 index getinterval putintervaladv}B /fillstr 18 string 0 1 17{2 copy 255 put pop}for N /pl[{adv 1 chg}{adv 1 chg nd}{1 add chg}{1 add chg nd}{adv lsh}{adv lsh nd}{adv rsh}{adv rsh nd}{1 add adv}{/rc X nd}{1 add set}{1 add clr}{adv 2 chg}{adv 2chg nd}{pop nd}]dup{bind pop}forall N /D{/cc X dup type /stringtype ne{]}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup duplength 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup muladd .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict/eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hookknown{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X/IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 00]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley falseRMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transformround exch round exch itransform moveto rulex 0 rlineto 0 ruley negrlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll pa}B /bos{/SS save N}B /eos{SS restore}B end%%EndProcSet%%BeginFont: Palatino-Roman% @@psencodingfile@{% author = "S. Rahtz, P. MacKay, Alan Jeffrey, B. Horn, K. Berry",% version = "0.6",% date = "22 June 1996",% filename = "8r.enc",% email = "kb@@mail.tug.org",% address = "135 Center Hill Rd. // Plymouth, MA 02360",% codetable = "ISO/ASCII",% checksum = "119 662 4424",% docstring = "Encoding for TrueType or Type 1 fonts to be used with TeX."% @}% % Idea is to have all the characters normally included in Type 1 fonts% available for typesetting. This is effectively the characters in Adobe% Standard Encoding + ISO Latin 1 + extra characters from Lucida.% % Character code assignments were made as follows:% % (1) the Windows ANSI characters are almost all in their Windows ANSI% positions, because some Windows users cannot easily reencode the% fonts, and it makes no difference on other systems. The only Windows% ANSI characters not available are those that make no sense for% typesetting -- rubout (127 decimal), nobreakspace (160), softhyphen% (173). quotesingle and grave are moved just because it's such an% irritation not having them in TeX positions.% % (2) Remaining characters are assigned arbitrarily to the lower part% of the range, avoiding 0, 10 and 13 in case we meet dumb software.% % (3) Y&Y Lucida Bright includes some extra text characters; in the% hopes that other PostScript fonts, perhaps created for public% consumption, will include them, they are included starting at 0x12.% % (4) Remaining positions left undefined are for use in (hopefully)% upward-compatible revisions, if someday more characters are generally% available.% % (5) hyphen appears twice for compatibility with both ASCII and Windows.% /TeXBase1Encoding [% 0x00 (encoded characters from Adobe Standard not in Windows 3.1) /.notdef /dotaccent /fi /fl /fraction /hungarumlaut /Lslash /lslash /ogonek /ring /.notdef /breve /minus /.notdef % These are the only two remaining unencoded characters, so may as% well include them. /Zcaron /zcaron % 0x10 /caron /dotlessi % (unusual TeX characters available in, e.g., Lucida Bright) /dotlessj /ff /ffi /ffl /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef % very contentious; it's so painful not having quoteleft and quoteright % at 96 and 145 that we move the things normally found there down to here. /grave /quotesingle % 0x20 (ASCII begins) /space /exclam /quotedbl /numbersign /dollar /percent /ampersand /quoteright /parenleft /parenright /asterisk /plus /comma /hyphen /period /slash% 0x30 /zero /one /two /three /four /five /six /seven /eight /nine /colon /semicolon /less /equal /greater /question% 0x40 /at /A /B /C /D /E /F /G /H /I /J /K /L /M /N /O% 0x50 /P /Q /R /S /T /U /V /W /X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore% 0x60 /quoteleft /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o% 0x70 /p /q /r /s /t /u /v /w /x /y /z /braceleft /bar /braceright /asciitilde /.notdef % rubout; ASCII ends% 0x80 /.notdef /.notdef /quotesinglbase /florin /quotedblbase /ellipsis /dagger /daggerdbl /circumflex /perthousand /Scaron /guilsinglleft /OE /.notdef /.notdef /.notdef% 0x90 /.notdef /.notdef /.notdef /quotedblleft /quotedblright /bullet /endash /emdash /tilde /trademark /scaron /guilsinglright /oe /.notdef /.notdef /Ydieresis% 0xA0 /.notdef % nobreakspace /exclamdown /cent /sterling /currency /yen /brokenbar /section /dieresis /copyright /ordfeminine /guillemotleft /logicalnot /hyphen % Y&Y (also at 45); Windows' softhyphen /registered /macron% 0xD0 /degree /plusminus /twosuperior /threesuperior /acute /mu /paragraph /periodcentered /cedilla /onesuperior /ordmasculine /guillemotright /onequarter /onehalf /threequarters /questiondown% 0xC0 /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla /Egrave /Eacute /Ecircumflex /Edieresis /Igrave /Iacute /Icircumflex /Idieresis% 0xD0 /Eth /Ntilde /Ograve /Oacute /Ocircumflex /Otilde /Odieresis /multiply /Oslash /Ugrave /Uacute /Ucircumflex /Udieresis /Yacute /Thorn /germandbls% 0xE0 /agrave /aacute /acircumflex /atilde /adieresis /aring /ae /ccedilla /egrave /eacute /ecircumflex /edieresis /igrave /iacute /icircumflex /idieresis% 0xF0 /eth /ntilde /ograve /oacute /ocircumflex /otilde /odieresis /divide /oslash /ugrave /uacute /ucircumflex /udieresis /yacute /thorn /ydieresis] def%%EndFont%%BeginProcSet: texps.proTeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 rollexec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metricsexch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 subdup 0 le{pop}{[}ifelse}{FontMatrix 0 get div Metrics 0 get div def}ifelse}forall Metrics /Metrics currentdict end def[2 index currentdictend definefont 3 -1 roll makefont /setfont load]cvx def}def/ObliqueSlant{dup sin S cos div neg}B /SlantFont{4 index mul add}def/ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}defend%%EndProcSet%%BeginProcSet: special.proTeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N/vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeenfalse N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B/@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunitdiv /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{/CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B/@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscaletrue def end /@MacSetUp{userdict /md known{userdict /md get type/dicttype eq{userdict begin md length 10 add md maxlength ge{/md md duplength 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{}N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpathclippath mark{transform{itransform moveto}}{transform{itransform lineto}}{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 390 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N/txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 getppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflipnot and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TRpop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1-1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub negTR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get negsub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp{pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray}N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdictmaxlength dict begin /magscale true def normalscale currentpoint TR/psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts/psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urxpsf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$syscale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR/showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpathmoveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDictbegin /SpecialSave save N gsave normalscale currentpoint TR@SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial{CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlinetoclosepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llxsub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR}{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelseCLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx urylineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath}N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin}N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{/SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveXSaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X/startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xradyrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end%%EndProcSetTeXDict begin 40258431 52099146 1000 600 600 (paper.dvi)@start /Fa 1 34 df33 D E /Fb 149 df48 D E /Fc 3 68 df65 DII E /Fd 133[4246 42 69 46 51 28 37 32 1[51 46 51 74 28 51 28 28 5146 32 42 51 37 51 42 9[83 65 1[55 51 60 1[51 69 69 8351 1[32 32 69 3[69 60 55 65 9[42 1[42 42 42 42 42 2[216[23 35[51 3[{ TeXBase1Encoding ReEncodeFont }51 83.333336/Palatino-Bold rf /Fe 134[55 1[83 55 61 33 44 39 1[6155 61 89 33 61 1[33 61 55 39 50 61 44 61 50 9[100 1[7866 61 2[61 1[83 100 61 1[39 39 2[55 61 83 72 66 78 8[5050 50 50 50 50 50 50 2[25 33 45[{ TeXBase1Encoding ReEncodeFont }48100.000000 /Palatino-Bold rf /Ff 2 104 df102DI E /Fg 140[26 26 1[33 29 2[18 29 3[33 1[261[27 1[29 94[35 2[{ TeXBase1Encoding ReEncodeFont }1166.666664 /Palatino-Italic rf /Fh 134[40 40 40 40 4040 40 40 1[40 40 40 40 40 1[40 40 40 2[40 40 40 40 403[40 1[40 6[40 1[40 1[40 40 2[40 1[40 1[40 4[40 40 403[40 1[40 40 9[40 40 40 1[40 2[40 40 40[{ TeXBase1Encoding ReEncodeFont }42 66.666664 /Courierrf /Fi 104[66 2[33 33 25[37 34 55 38 40 22 28 26 37 4036 39 59 19 37 1[19 39 37 22 32 41 29 37 33 3[22 1[223[66 1[52 41 35 44 1[40 1[55 63 41 48 22 22 55 1[37 4151 47 41 52 5[17 17 2[33 1[33 33 33 33 33 33 1[17 2217 2[22 22 18 36[40 2[{ TeXBase1Encoding ReEncodeFont }6466.666664 /Palatino-Roman rf /Fj 198[25 25 25 25 25 2525 25 25 25 48[{ TeXBase1Encoding ReEncodeFont }10 50.000000/Palatino-Roman rf /Fk 103[50 26[50 1[50 50 50 50 5050 50 50 50 50 1[50 50 50 50 50 50 50 50 50 50 50 5050 50 50 50 1[50 1[50 50 50 2[50 50 1[50 50 50 50 1[5050 50 50 50 1[50 50 50 50 50 50 50 50 50 50 3[50 1[5050 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 1[5050 2[50 2[50 34[{ TeXBase1Encoding ReEncodeFont }75 83.333336/Courier rf /Fl 198[29 29 29 29 29 29 29 29 29 29 48[{ TeXBase1Encoding ReEncodeFont }10 58.333336 /Palatino-Romanrf /Fm 133[37 42 42 60 42 46 28 32 32 38 42 37 46 6523 37 23 23 42 42 23 32 42 34 38 37 8[60 78 60 65 5146 55 1[51 65 65 78 46 55 28 28 65 1[46 51 65 55 51 606[21 42 42 42 42 1[42 1[42 42 1[25 1[28 21 50 1[28 2823 36[44 2[{ TeXBase1Encoding ReEncodeFont }64 83.333336/Palatino-Italic rf /Fn 75[28 28[83 42 1[42 42 24[4246 43 69 47 50 27 35 33 46 50 45 48 73 24 46 19 24 4846 28 40 51 37 46 42 3[28 1[28 55 55 55 83 60 65 51 4455 65 50 65 69 79 51 60 28 28 69 63 46 51 64 59 51 651[37 3[21 21 42 42 42 42 42 42 42 42 42 42 50 21 28 2150 1[28 28 23 65 34[50 50 2[{ TeXBase1Encoding ReEncodeFont }8383.333336 /Palatino-Roman rf /Fo 134[66 60 100 66 7340 53 47 1[73 66 73 106 40 73 1[40 73 66 47 60 73 5373 60 12[80 73 86 7[47 47 2[66 2[86 80 93 9[60 60 6060 60 60 60 49[{ TeXBase1Encoding ReEncodeFont }39 119.999947/Palatino-Bold rf /Fp 139[25 33 29 14[33 46 37 31[5865[{ TeXBase1Encoding ReEncodeFont }7 75.000000 /Palatino-Boldrf /Fq 133[37 42 39 62 42 45 24 32 30 1[45 41 43 66 2242 1[22 43 42 25 36 46 33 41 37 9[75 2[46 39 3[59 6271 2[25 25 62 2[46 4[56 17[19 25 19 40[45 45 2[{ TeXBase1Encoding ReEncodeFont }40 75.000000 /Palatino-Romanrf /Fr 133[50 55 1[83 56 60 32 42 39 1[60 54 58 88 2955 1[29 58 1[33 48 61 44 55 50 9[100 1[78 1[52 2[60 1[833[33 3[55 61 77 71 61 8[50 50 50 1[50 50 1[50 50 50 1[251[25 44[{ TeXBase1Encoding ReEncodeFont }43 100.000000/Palatino-Roman rf /Fs 134[80 1[120 81 87 47 61 57 2[7883 4[42 3[69 88 64 79 72 9[143 3[75 8[48 7[88 7[36 58[{ TeXBase1Encoding ReEncodeFont }20 144.000000 /Palatino-Romanrf end%%EndProlog%%BeginSetup%%Feature: *Resolution 600dpiTeXDict begin%%PaperSize: Letter%%EndSetup%%Page: 1 11 0 bop 646 432 a Fs(Java)35 b(Security:)42 b(W)-13 b(eb)36b(Br)m(owsers)f(and)h(Beyond)292 719 y Fr(Dr)n(ew)26b(Dean)252 b(Edwar)n(d)25 b(W)-9 b(.)25 b(Felten)221b(Dan)24 b(S.)i(W)-9 b(allach)364 b(Dirk)26 b(Balfanz)139791 y Fq(ddean@cs.princeton.edu)99 b(felten@cs.princeton.edu)f(dwallach@cs.princeton.edu)i(balfanz@cs.princeton.edu)1215937 y Fr(Department)25 b(of)h(Computer)f(Science)14921053 y(Princeton)i(University)1518 1169 y(Princeton,)g(NJ)d(08544)15631368 y(Febr)o(uary)i(24,)e(1997)1807 1667 y Fp(Abstract)3201804 y Fq(The)g(intr)o(oduction)h(of)f(Java)i(applets)e(has)i(taken)f(the)g(W)-7 b(orld)23 b(W)l(ide)h(W)-7 b(eb)25 b(by)f(storm.)41b(Java)25 b(allows)f(web)i(cr)o(eators)208 1895 y(to)f(embellish)f(their)h(content)i(with)f(arbitrary)e(pr)o(ograms)f(which)j(execute)f(in)g(the)h(web)g(br)o(owser)-6 b(,)25 b(whether)h(for)e(sim-)2081987 y(ple)k(animations)j(or)d(complex)g(fr)o(ont-ends)h(to)g(other)h(services.)53 b(W)-7 b(e)29 b(examined)g(the)h(Java)g(language)f(and)h(the)g(Sun)208 2078 y(HotJava,)18 b(Netscape)f(Navigator)-6b(,)17 b(and)g(Micr)o(osoft)e(Internet)j(Explor)o(er)c(br)o(owsers)h(which)j(support)e(it,)h(and)h(found)e(a)i(sig-)208 2169y(ni\002cant)h(number)f(of)f(\003aws)h(which)h(compr)o(omise)c(their)j(security)-8 b(.)21 b(These)c(\003aws)h(arise)f(for)g(several)f(r)o(easons,)h(including)208 2261 y(implementation)25 b(err)o(ors,)g(unintended)g(interactions)h(between)h(br)o(owser)d(featur)o(es,)h(dif)o(fer)o(ences)e(between)k(the)f(Java)208 2352 y(language)17b(and)h(bytecode)g(semantics,)f(and)i(weaknesses)e(in)h(the)g(design)f(of)g(the)h(language)g(and)g(the)h(bytecode)e(format.)2082443 y(On)25 b(a)h(deeper)d(level,)j(these)f(\003aws)h(arise)e(because)i(of)f(weaknesses)f(in)h(the)h(design)e(methodology)g(used)g(in)i(cr)o(eating)208 2535 y(Java)21 b(and)g(the)g(br)o(owsers.)26b(In)21 b(addition)g(to)f(the)h(\003aws,)h(we)e(discuss)g(the)h(underlying)e(tension)h(between)i(the)f(openness)2082626 y(desir)o(ed)c(by)j(web)h(application)g(writers)e(and)h(the)h(security)e(needs)h(of)g(their)g(users,)f(and)h(we)h(suggest)d(how)j(both)g(might)208 2717 y(be)d(accommodated.)0 3003 yFo(1)119 b(Introduction)0 3192 y Fn(The)28 b(continuing)i(gr)o(owth)e(and)g(popularity)g(of)g(the)g(Internet)g(has)g(led)f(to)i(a)e(\003urry)i(of)f(developments)g(for)f(the)i(W)-8 b(orld)03292 y(W)j(ide)24 b(W)-8 b(eb.)37 b(Many)24 b(content)h(pr)o(oviders)e(have)h(expr)o(essed)f(fr)o(ustration)i(with)g(the)f(inability)h(to)g(expr)o(ess)e(their)i(ideas)f(in)0 3391 y(HTML.)19 b(For)h(example,)f(befor)o(e)g(support)h(for)g(tables)f(was)h(common,)h(many)g(pages)e(simply)i(used)e(digitized)h(pictur)o(es)f(of)0 3491y(tables.)25 b(As)19 b(quickly)i(as)e(new)h(HTML)f(tags)h(ar)o(e)e(added,)g(ther)o(e)h(will)i(be)e(demand)g(for)h(mor)o(e.)25b(In)20 b(addition,)f(many)h(content)0 3591 y(pr)o(oviders)g(wish)i(to)f(integrate)f(interactive)g(featur)o(es)f(such)i(as)g(chat)f(systems)i(and)e(animations.)125 3690 y(Rather)f(than)h(cr)o(eating)f(new)h(HTML)f(extensions,)h(Sun)g(Micr)o(osystems)g(popularized)e(the)i(notion)h(of)f(downloading)0 3790 y(a)k(pr)o(ogram)g(\(called)f(an)hFm(applet)p Fn(\))f(which)i(r)o(uns)g(inside)g(the)g(web)f(br)o(owser)-6 b(.)36 b(Such)24 b(r)o(emote)g(code)g(raises)g(serious)h(security)03889 y(issues;)c(a)g(casual)f(web)h(r)o(eader)e(should)j(not)g(be)e(concerned)h(about)g(malicious)h(side-ef)o(fects)d(fr)o(om)h(visiting)i(a)f(web)g(page.)0 3989 y(Languages)i(such)i(as)f(Java[21)m(],)g(Safe-T)-9 b(cl[6)m(],)25 b(Phantom[10)o(],)g(Juice[14)n(])e(and)h(T)-8b(elescript[16)o(])23 b(have)h(been)g(pr)o(oposed)f(for)04089 y(r)o(unning)f(untr)o(usted)f(code,)g(and)f(each)g(has)h(varying)g(ideas)f(of)g(how)i(to)f(thwart)g(malicious)h(pr)o(ograms.)1254188 y(After)j(several)g(years)h(of)g(development)h(inside)f(Sun)h(Micr)o(osystems,)g(the)g(Java)e(language)h(was)g(r)o(eleased)e(in)j(mid-)0 4288 y(1995)15 b(as)i(part)g(of)g(Sun's)h(HotJava)e(web)h(br)o(owser)-6 b(.)24 b(Shortly)18 b(ther)o(eafter)-6 b(,)15b(Netscape)i(Communications)i(Corp.)24 b(announced)04388 y(they)30 b(had)f(licensed)g(Java)g(and)g(would)h(incorporate)f(it)h(into)g(their)g(Netscape)e(Navigator)h(web)h(br)o(owser)-6b(,)31 b(beginning)0 4487 y(with)f(version)g(2.0.)49b(Micr)o(osoft)29 b(has)g(also)g(licensed)g(Java)f(fr)o(om)h(Sun,)i(and)d(incorporated)h(it)g(into)h(Micr)o(osoft)f(Internet)04587 y(Explor)o(er)22 b(3.0.)31 b(W)-5 b(ith)24 b(the)f(support)g(of)h(many)f(in\003uential)h(companies,)g(Java)d(appears)h(to)h(have)g(the)g(best)g(chance)g(of)g(be-)0 4686 y(coming)d(the)g(standar)o(d)e(for)h(executable)f(content)i(on)f(the)h(web.)25 b(This)20b(also)f(makes)g(it)h(an)f(attractive)f(tar)o(get)g(for)h(malicious)04786 y(attackers,)g(and)i(demands)f(external)g(r)o(eview)g(of)h(its)g(security)-9 b(.)125 4886 y(The)19 b(original)g(version)h(of)f(this)g(paper)f(was)h(written)h(in)f(November)-6 b(,)19 b(1995)e(\227)i(after)f(Netscape)g(announced)h(it)g(would)0 4985 y(use)24 b(Java.)33b(Since)23 b(that)h(time,)g(we)g(have)f(found)h(a)f(number)h(of)g(bugs)g(in)g(Navigator)f(thr)o(ough)i(its)f(various)f(beta)g(r)o(eleases)05085 y(and)g(later)g(in)h(Micr)o(osoft's)f(Internet)h(Explor)o(er)-6b(.)32 b(As)24 b(a)f(dir)o(ect)f(r)o(esult)h(of)h(our)f(investigation,)j(and)d(the)g(tir)o(eless)h(ef)o(forts)e(of)0 5185 y(the)k(vendors')f(Java)f(pr)o(ogrammers,)i(we)f(believe)g(the)g(security)h(of)f(Java)f(has)i(signi\002cantly)g(impr)o(oved)f(since)h(its)g(early)05284 y(days.)39 b(In)26 b(particular)-6 b(,)25 b(Internet)g(Explor)o(er)g(3.0,)g(which)h(shipped)f(in)h(August,)h(1996,)d(had)h(the)h(bene\002t)f(of)g(nine)h(months)1929 5589 y(1)p eop%%Page: 2 22 1 bop 0 83 a Fn(of)24 b(our)h(investigation)g(into)g(Netscape's)f(Java.)34 b(Still,)25 b(despite)f(all)g(the)g(work)h(done)g(by)f(us)g(and)g(by)g(others,)i(no)f(one)f(can)0 183 y(claim)d(that)f(Java's)g(security)h(pr)o(oblems)g(ar)o(e)e(\002xed.)125 282 y(Netscape)e(Navigator)h(and)h(HotJava)1335 252 y Fl(1)1386 282 yFn(ar)o(e)e(examples)h(of)h(two)g(distinct)g(ar)o(chitectur)o(es)e(for)i(building)g(web)g(br)o(owsers.)0 382 y(Netscape)j(Navigator)h(is)h(written)f(in)h(an)f(unsafe)g(language,)g(C,)g(and)g(r)o(uns)h(Java)e(applets)h(as)g(an)g(add-on)g(featur)o(e.)31 b(Hot-)0482 y(Java)24 b(is)h(written)g(in)h(Java)e(itself,)h(with)h(the)f(same)g(r)o(untime)h(system)g(supporting)g(both)f(the)g(br)o(owser)g(and)g(the)g(applets.)0 581 y(Both)j(ar)o(chitectur)o(es)e(have)g(advantages)h(and)g(disadvantages)f(with)i(r)o(espect)e(to)i(security:)39b(Netscape)26 b(Navigator)h(can)0 681 y(suf)o(fer)h(fr)o(om)h(being)h(implemented)g(in)g(an)f(unsafe)g(language)h(\(buf)o(fer)d(over\003ow)-8 b(,)33 b(memory)d(leakage,)h(etc.\),)f(but)g(pr)o(o-)0780 y(vides)c(a)f(well-de\002ned)g(interface)g(to)h(the)g(Java)e(subsystem.)41 b(In)26 b(Netscape)f(Navigator)-6 b(,)26b(Java)f(applets)g(can)g(name)h(only)0 880 y(those)i(functions)g(and)f(variables)f(explicitly)h(exported)f(to)i(the)f(Java)f(subsystem.)46b(HotJava,)27 b(implemented)h(in)f(a)g(safe)0 980 y(language,)21b(does)g(not)h(suf)o(fer)d(fr)o(om)i(potential)g(memory)h(corr)o(uption)g(pr)o(oblems,)f(but)g(can)g(accidentally)f(export)h(private)01079 y(br)o(owser)f(state)h(to)g(applets.)125 1179 y(In)k(or)o(der)f(to)i(be)f(secur)o(e,)g(such)h(systems)g(must)g(limit)g(applets')f(access)g(to)g(system)h(r)o(esour)o(ces)e(such)i(as)f(the)g(\002le)h(sys-)0 1279 y(tem,)k(the)e(CPU,)f(the)h(network,)i(the)e(graphics)g(display)-9 b(,)29 b(and)f(the)g(br)o(owser)6 b('s)28b(internal)g(state.)47 b(The)28 b(language)f(should)01378 y(be)e Fm(memory)f(safe)h Fn(\226)g(pr)o(eventing)g(for)o(ged)e(pointers)j(and)f(checking)g(array)f(bounds.)39 b(Additionally)-9b(,)25 b(the)h(system)f(should)0 1478 y(garbage-collect)k(memory)j(to)f(pr)o(event)f(both)h(malicious)h(and)e(accidental)g(memory)h(leakage.)55 b(Finally)-9 b(,)33 b(the)e(system)0 1577 y(must)23b(manage)g(system)g(calls)g(and)f(other)h(methods)g(which)h(allow)f(applets)f(to)h(af)o(fect)e(each)h(other)h(as)g(well)g(as)f(the)h(envi-)0 1677 y(r)o(onment)e(beyond)g(the)g(br)o(owser)-6b(.)125 1777 y(Many)27 b(systems)h(in)g(the)g(past)f(have)g(attempted)g(to)h(use)f(language-based)f(pr)o(otection.)46 b(The)27b(Anderson)h(r)o(eport[2)n(])0 1876 y(describes)23 b(an)g(early)g(attempt)g(to)g(build)h(a)f(secur)o(e)f(subset)h(of)h(Fortran.)33b(This)24 b(ef)o(fort)e(was)h(a)g(failur)o(e)f(because)h(the)g(imple-)01976 y(mentors)g(failed)f(to)g(consider)h(all)f(of)h(the)f(consequences)i(of)e(the)h(implementation)g(of)g(one)g(constr)o(uct:)29b(assigned)23 b Fk(GOTO)p Fn(.)0 2076 y(This)j(subtle)g(\003aw)f(r)o(esulted)g(in)h(a)f(complete)g(br)o(eak)f(of)i(the)f(system.)40b(Jones)26 b(and)f(Liskov)h(describe)f(language)g(support)02175 y(for)c(secur)o(e)e(data\003ow[26)o(].)25 b(Rees)c(describes)f(a)g(modern)h(capability)f(system)i(built)f(on)g(top)g(of)g(Scheme[40)n(].)125 2275 y(The)30 b(r)o(emainder)e(of)i(this)h(paper)e(is)h(str)o(uctur)o(ed)f(as)h(follows.)54 b(Section)31 b(2)e(discusses)h(the)h(Java)d(language)i(in)g(mor)o(e)0 2374 y(detail,)f(Section)f(3)f(gives)h(a)g(taxonomy)g(of)g(known)h(security)f(\003aws)h(in)f(Sun's)g(HotJava,)h(Netscape's)e(Navigator)-6 b(,)28 b(and)02474 y(Micr)o(osoft's)g(Internet)g(Explor)o(er)f(web)h(br)o(owsers,)i(Section)e(4)g(considers)g(how)h(the)g(str)o(uctur)o(e)e(of)h(these)h(systems)g(con-)0 2574 y(tributes)g(to)g(the)g(existence)f(of)h(bugs,)h(Section)f(5)f(discusses)h(the)g(need)f(for)h(\003exible)g(security)f(in)i(Java,)f(and)f(Section)g(6)0 2673 y(pr)o(esents)18b(our)h(conclusions.)26 b(A)18 b(mor)o(e)g(complete)h(discussion)h(of)e(some)h(of)f(these)h(issues)g(can)f(be)g(found)h(in)g(McGraw)e(and)02773 y(Felten's)k(book[34].)0 3059 y Fo(2)119 b(Java)30b(Semantics)0 3248 y Fn(Java)e(is)h(similar)g(in)g(many)h(ways)f(to)g(C++[42)o(].)50 b(Both)29 b(pr)o(ovide)f(support)h(for)g(object-oriented)g(pr)o(ogramming,)i(shar)o(e)0 3347y(many)c(keywor)o(ds)g(and)g(other)g(syntactic)g(elements,)h(and)f(can)f(be)h(used)g(to)g(develop)g(standalone)f(applications.)44b(Java)0 3447 y(diver)o(ges)31 b(fr)o(om)h(C++)g(in)h(the)f(following)i(ways:)48 b(it)32 b(is)g(type-safe,)i(supports)e(only)h(single)g(inheritance)f(\(although)h(it)0 3547 y(decouples)18b(subtyping)i(fr)o(om)e(inheritance\),)h(and)f(has)h(language)f(support)h(for)f(concurr)o(ency)-9 b(.)25 b(Java)17 b(supplies)i(each)f(class)0 3646 y(and)24 b(object)h(with)g(a)g(lock,)g(and)f(pr)o(ovides)g(the)h Fk(synchronized)d Fn(keywor)o(d)j(so)g(each)f(class)g(\(or)h(instance)f(of)h(a)f(class,)h(as)0 3746 y(appr)o(opriate\))19b(can)h(operate)g(as)g(a)h(Mesa-style)e(monitor[30].)1253846 y(Java)i(compilers)i(pr)o(oduce)f(a)h(machine-independent)f(bytecode,)h(which)h(may)f(be)g(transmitted)g(acr)o(oss)f(a)g(network)03945 y(and)c(then)g(interpr)o(eted)f(or)h(compiled)g(to)g(native)g(code)g(by)g(the)g(Java)f(r)o(untime)i(system.)25 b(In)18b(support)g(of)g(this)h(downloaded)0 4045 y(code,)35b(Java)c(distinguishes)i Fm(r)o(emote)f Fn(code)g(fr)o(om)gFm(local)g Fn(code.)60 b(Separate)31 b(sour)o(ces)26744015 y Fl(2)2739 4045 y Fn(of)h(Java)f(bytecode)h(ar)o(e)f(loaded)h(in)0 4144 y(separate)26 b(name)h(spaces)f(to)i(pr)o(event)e(both)h(accidental)f(and)h(malicious)h(name)f(clashes.)44 b(Bytecode)27b(loaded)f(fr)o(om)h(the)0 4244 y(local)i(\002le)g(system)h(is)f(visible)h(to)f(all)g(applets.)50 b(The)29 b(documentation[22)o(])g(says)g(the)g(\223system)h(name)f(space\224)e(has)i(two)04344 y(special)20 b(pr)o(operties:)104 4510 y(1.)41 b(It)20b(is)h(shar)o(ed)f(by)h(all)f(\223name)h(spaces.\224)1044676 y(2.)41 b(It)20 b(is)h(always)g(sear)o(ched)e(\002rst,)i(to)g(pr)o(event)f(downloaded)h(code)f(fr)o(om)g(overriding)h(a)f(system)i(class.)p 0 4752 1560 4 v 90 4809 a Fj(1)120 4832 y Fi(Unless)e(otherwise)g(noted,)g(\223HotJava-Alpha\224)h(r)o(efers)g(to)f(the)g(1.0)g(alpha)h(3)g(r)o(elease)f(of)h(the)e(HotJava)i(web)f(br)o(owser)h(fr)o(om)g(Sun)f(Micr)o(osystems,)0 4911 y(\223Netscape)15b(Navigator)5 b(\224)16 b(r)o(efers)e(to)h(Netscape)g(Navigator)g(2.0,)g(\223Internet)f(Explor)o(er)5 b(\224)15 b(r)o(efers)g(to)g(Micr)o(osoft)g(Internet)f(Explor)o(er)h(3.0,)g(and)f(\223JDK\224)i(r)o(efers)0 4990 y(to)h(the)e(Java)i(Development)e(Kit,)i(version)f(1.0,)h(fr)o(om)f(Sun.)90 5048 y Fj(2)120 5071 y Fi(While)24 b(the)g(documentation[22)o(])h(does)f(not)g(de\002ne)f(\223sour)o(ce\224,)k(it)d(appears)h(to)f(mean)g(the)f(URL)h(pr)o(e\002x)g(of)h(origin.)44b(Sun)24 b(and)f(Netscape)i(have)0 5150 y(announced)16b(plans)h(to)g(include)g(support)g(for)h(digital)f(signatur)o(es)g(in)f(futur)o(e)h(versions)g(of)g(their)g(pr)o(oducts.)k(Micr)o(osoft)d(has)e(some)h(support)g(for)h(digital)0 5229 y(signatur)o(es.)i(See)c(section)h(5.4.)1929 5589 y Fn(2)p eop%%Page: 3 33 2 bop 0 83 a Fn(However)-6 b(,)20 b(we)h(have)f(found)h(that)g(the)g(second)g(pr)o(operty)f(does)g(not)i(hold.)125 183 y(The)28b(Java)g(r)o(untime)h(system)h(knows)g(how)g(to)f(load)f(bytecode)h(only)h(fr)o(om)e(the)h(local)g(\002le)g(system.)50 b(T)-8b(o)30 b(load)e(code)0 282 y(fr)o(om)21 b(other)g(sour)o(ces,)f(the)h(Java)f(r)o(untime)i(system)f(calls)g(a)g(subclass)g(of)g(the)gFk(abstract)e Fn(class)3029 252 y Fl(3)3083 282 y Fk(ClassLoader)pFn(,)g(which)0 382 y(de\002nes)f(an)g(interface)f(for)h(the)g(r)o(untime)h(system)g(to)f(ask)g(a)g(Java)f(pr)o(ogram)g(to)i(pr)o(ovide)e(a)g(class.)25 b(Classes)18 b(ar)o(e)f(transported)0482 y(acr)o(oss)23 b(the)h(network)g(as)f(byte)h(str)o(eams,)f(and)h(r)o(econstituted)f(into)h Fk(Class)f Fn(objects)h(by)g(subclasses)g(of)fFk(ClassLoader)p Fn(.)0 581 y(Each)k(class)g(is)h(internally)g(tagged)f(with)i(the)e Fk(ClassLoader)f Fn(that)h(loaded)g(it,)i(and)e(that)hFk(ClassLoader)d Fn(is)j(used)g(to)0 681 y(r)o(esolve)21b(any)g(futur)o(e)f(unr)o(esolved)h(symbols)h(for)f(the)h(class.)27b(Additionally)-9 b(,)21 b(the)g Fk(SecurityManager)dFn(has)k(methods)g(to)0 780 y(determine)g(if)h(a)f(class)g(loaded)g(by)h(a)f Fk(ClassLoader)f Fn(is)i(in)g(the)f(dynamic)h(call)f(chain,)h(and)g(if)f(so,)h(wher)o(e.)31 b(This)23 b(nesting)0880 y(depth)f(is)h(then)g(used)f(to)h(make)g(access)e(contr)o(ol)i(decisions)h(in)e(JDK)h(1.0.x)e(and)h(derived)f(systems)j(\(including)f(Netscape)0 980 y(Navigator)d(and)g(Internet)h(Explor)o(er\).)1251079 y(Java)27 b(pr)o(ogrammers)h(can)h(combine)g(r)o(elated)e(classes)i(into)g(a)g Fk(package)p Fn(.)48 b(These)29 b(packages)e(ar)o(e)h(similar)h(to)g(name)0 1179 y(spaces)21 b(in)h(C++[43)o(],)f(modules)g(in)h(Modula-2[44)m(],)f(or)h(str)o(uctur)o(es)f(in)h(Standar)o(d)d(ML[35)n(].)26 b(While)c(package)e(names)i(con-)0 1279y(sist)f(of)g(components)h(separated)d(by)i(dots,)g(the)g(package)f(name)g(space)g(is)h(actually)g(\003at:)k(scoping)d(r)o(ules)f(ar)o(e)e(not)j(r)o(elated)0 1378 y(to)i(the)f(appar)o(ent)f(name)h(hierar)o(chy)-9 b(.)32 b(In)23 b(Java,)f Fk(public)g Fn(and)hFk(private)f Fn(have)h(the)g(same)g(meaning)h(as)f(in)h(C++:)31b(Public)0 1478 y(classes,)g(methods,)i(and)c(instance)h(variables)e(ar)o(e)g(accessible)h(everywher)o(e,)i(while)f(private)e(methods)j(and)e(instance)0 1577 y(variables)21 b(ar)o(e)f(only)j(accessible)f(inside)g(the)g(class)g(de\002nition.)30 b(Java)20 bFk(protected)h Fn(methods)h(and)g(variables)f(ar)o(e)f(acces-)01677 y(sible)f(in)g(the)f(class)h(or)g(its)g(subclasses)f(or)h(in)g(the)g(curr)o(ent)e(\(package,)g(origin)j(of)e(code\))g(pair)-6b(.)24 b(A)18 b(\(package,)g(origin)h(of)g(code\))0 1777y(pair)g(de\002nes)h(the)g(scope)h(of)e(a)h(Java)f(class,)g(method,)i(or)f(instance)g(variable)f(that)h(is)g(not)h(given)f(a)gFk(public)p Fn(,)e Fk(private)p Fn(,)h(or)0 1876 y Fk(protected)gFn(modi\002er)785 1846 y Fl(4)818 1876 y Fn(.)26 b(Unlike)20b(C++,)h Fk(protected)d Fn(variables)i(and)f(methods)j(can)e(only)h(be)f(accessed)f(in)i(subclasses)0 1976 y(when)g(they)g(occur)g(in)g(instances)h(of)e(the)h(subclasses)g(or)g(further)f(subclasses.)26b(For)21 b(example:)0 2142 y Fk(class)49 b(Foo)g({)1002242 y(protected)f(int)h(x;)100 2341 y(void)g(SetFoo\(Foo)f(obj\))h({)g(obj.x)g(=)h(1;)f(})h(//)f(Legal)100 2441 y(void)g(SetBar\(Bar)f(obj\))h({)g(obj.x)g(=)h(1;)f(})h(//)f(Legal)0 2540 y(})0 2740y(class)g(Bar)g(extends)g(Foo)g({)100 2839 y(void)g(SetFoo\(Foo)f(obj\))h({)g(obj.x)g(=)h(1;)f(})h(//)f(Illegal)100 2939y(void)g(SetBar\(Bar)f(obj\))h({)g(obj.x)g(=)h(1;)f(})h(//)f(Legal)03039 y(})0 3205 y Fn(The)23 b(de\002nition)i(of)e Fk(protected)fFn(was)i(the)f(same)h(as)f(C++)h(in)g(some)g(early)f(versions)h(of)f(Java;)g(it)h(was)g(changed)f(during)0 3304 y(the)e(beta-test)f(period)g(to)h(patch)g(a)f(security)h(pr)o(oblem[37)n(])f(\(see)h(also)g(section)g(4.2\).)125 3404 y(The)g(Java)g(bytecode)g(r)o(untime)i(system)g(is)f(designed)g(to)g(enfor)o(ce)f(the)h(language's)g(access)f(semantics.)30 b(Unlike)22 b(C++,)0 3504 y(pr)o(ograms)g(ar)o(e)f(not)i(permitted)f(to)h(for)o(ge)f(a)f(pointer)i(to)g(a)f(function)h(and)f(invoke)h(it)g(dir)o(ectly)-9 b(,)22 b(nor)g(to)h(for)o(ge)f(a)g(pointer)h(to)0 3603 y(data)f(and)i(access)f(it)g(dir)o(ectly)-9b(.)33 b(If)24 b(a)f(r)o(ogue)g(applet)g(attempts)g(to)h(call)g(a)f(private)f(method,)j(the)f(r)o(untime)g(system)h(thr)o(ows)03703 y(an)j(exception,)i(pr)o(eventing)d(the)h(errant)g(access.)46b(Thus,)31 b(if)c(the)i(system)f(libraries)g(ar)o(e)e(speci\002ed)i(safely)-9 b(,)29 b(the)f(r)o(untime)0 3802 y(system)21b(is)h(designed)e(to)h(ensur)o(e)f(that)h(application)g(code)f(cannot)h(br)o(eak)f(these)h(speci\002cations.)125 3902 y(The)27b(Java)f(documentation)j(claims)f(that)f(the)h(safety)f(of)h(Java)e(bytecodes)i(can)f(be)g(statically)h(determined)f(at)g(load)04002 y(time.)f(This)21 b(is)g(not)h(entir)o(ely)e(tr)o(ue:)26b(the)21 b(type)f(system)i(uses)f(a)f(covariant[7)n(])h(r)o(ule)g(for)f(subtyping)i(arrays,)d(so)j(array)d(stor)o(es)0 4101y(r)o(equir)o(e)g(r)o(un)i(time)g(type)f(checks)10454071 y Fl(5)1099 4101 y Fn(in)h(addition)g(to)g(the)f(normal)h(array)e(bounds)i(checks.)26 b(Cast)20 b(expr)o(essions)g(also)h(r)o(equir)o(e)0 4201 y(r)o(untime)g(checks.)26 b(Unfortunately)-9 b(,)20b(this)h(means)f(the)h(bytecode)f(veri\002er)g(is)g(not)h(the)g(only)g(piece)f(of)h(the)f(r)o(untime)h(system)0 4301 y(that)g(must)g(be)g(corr)o(ect)e(to)i(ensur)o(e)g(type)f(safety)-9 b(.)25b(Dynamic)c(checks)g(also)g(intr)o(oduce)f(a)h(performance)e(penalty)-9b(.)p 0 4377 1560 4 v 90 4433 a Fj(3)120 4456 y Fi(An)18b Fh(abstract)g Fi(class)i(is)f(a)g(class)i(with)e(one)f(or)i(mor)o(e)e(methods)g(declar)o(ed)h(but)f(not)h(implemented.)25b(Abstract)19 b(classes)h(cannot)f(be)g(instantiated,)04535 y(but)d(de\002ne)g(method)f(signatur)o(es)h(for)i(subclasses)g(to)e(implement.)90 4593 y Fj(4)120 4617 y Fi(Colloquially)-7b(,)18 b(methods)d(or)i(variables)h(with)e(no)h(access)h(modi\002ers)f(ar)o(e)f(said)h(to)g(have)e Fg(package)k(scope)p Fi(.)904675 y Fj(5)120 4698 y Fi(For)e(example,)f(suppose)h(that)eFh(A)i Fi(is)g(a)f(subtype)g(of)h Fh(B)p Fi(;)f(then)f(the)h(Java)h(typing)f(r)o(ules)h(say)g(that)f Fh(A[])g Fi(\(\223array)i(of)fFh(A)p Fi(\224\))f(is)h(a)g(subtype)f(of)h Fh(B[])p Fi(.)i(Now)f(the)04777 y(following)g(pr)o(ocedur)o(e)f(cannot)f(be)g(statically)i(type-checked:)0 4856 y Fh(void)39 b(proc\(B[])g(x,)g(B)h(y\))gFf(f)100 4935 y Fh(x[0])f(=)h(y;)0 5013 y Ff(g)0 5092y Fi(Since)18 b Fh(A[])g Fi(is)h(a)f(subtype)g(of)h Fh(B[])pFi(,)f Fh(x)g Fi(could)h(r)o(eally)g(have)e(type)h Fh(A[])pFi(;)g(similarly)-7 b(,)19 b Fh(y)f Fi(could)h(r)o(eally)g(have)f(type)f Fh(A)p Fi(.)h(The)g(body)f(of)i Fh(proc)f Fi(is)g(not)g(type-safe)05171 y(if)i(the)e(value)i(of)f Fh(x)h Fi(passed)f(in)g(by)g(the)g(caller)h(has)g(type)e Fh(A[])h Fi(and)g(the)g(value)g(of)hFh(y)f Fi(passed)g(in)g(by)g(the)g(caller)i(has)e(type)gFh(B)p Fi(.)f(This)i(condition)f(cannot)g(be)0 5250 y(checked)d(statically)-7 b(.)1929 5589 y Fn(3)p eop%%Page: 4 44 3 bop 0 83 a Fe(2.1)99 b(Java)25 b(Security)g(Mechanisms)0241 y Fn(In)i(HotJava-Alpha,)e(all)h(of)h(the)f(access)g(contr)o(ols)h(wer)o(e)e(done)i(on)g(an)f(ad)g(hoc)g(basis)h(which)g(was)f(clearly)g(insuf)o(\002cient.)0 341 y(The)20 b(beta)g(r)o(elease)f(of)h(JDK)h(intr)o(oduced)f(the)g Fk(SecurityManager)e Fn(class,)i(meant)g(to)h(be)f(a)g(r)o(efer)o(ence)e(monitor[29].)25 b(The)0 440y Fk(SecurityManager)18 b Fn(de\002nes)k(and)e(implements)i(a)f(security)g(policy)-9 b(,)22 b(centralizing)f(all)g(access)f(contr)o(ol)i(decisions.)27 b(All)0 540 y(potentially)18 b(danger)o(ous)f(methods)h(\002rst)f(consult)h(the)g(security)f(manager)g(befor)o(e)f(executing.)24 b(Netscape)17 b(and)g(Micr)o(osoft)0 640y(also)k(use)g(this)g(ar)o(chitectur)o(e.)125 739 y(When)26b(the)g(Java)f(r)o(untime)h(system)h(starts)f(up,)h(ther)o(e)e(is)h(no)h(security)f(manager)f(installed.)42 b(Befor)o(e)24 b(executing)i(un-)0839 y(tr)o(usted)d(code,)g(it)g(is)h(the)f(web)g(br)o(owser)6b('s)23 b(or)g(other)g(user)g(agent's)g(r)o(esponsibility)h(to)f(install)h(a)e(security)i(manager)-6 b(.)31 b(The)0 938y Fk(SecurityManager)16 b Fn(class)j(is)h(meant)f(to)g(de\002ne)g(an)g(interface)f(for)g(access)h(contr)o(ol;)h(the)f(default)fFk(SecurityManager)0 1038 y Fn(implementation)23 b(thr)o(ows)f(a)gFk(SecurityException)d Fn(for)i(all)h(access)f(checks,)h(for)o(cing)g(the)g(user)g(agent)f(to)i(de\002ne)e(and)0 1138 y(implement)h(its)g(own)g(policy)f(in)h(a)f(subclass)g(of)g Fk(SecurityManager)pFn(.)j(The)d(security)h(managers)e(in)i(curr)o(ent)e(br)o(owsers)01237 y(typically)29 b(make)f(their)g(access)g(contr)o(ol)h(decisions)g(by)g(examining)g(the)f(contents)i(of)e(the)h(call)f(stack,)i(looking)g(for)e(the)0 1337 y(pr)o(esence)20 b(of)g(a)h Fk(ClassLoader)pFn(,)d(indicating)j(that)g(they)g(wer)o(e)f(called,)g(dir)o(ectly)g(or)g(indir)o(ectly)-9 b(,)20 b(fr)o(om)h(an)f(applet.)1251437 y(Java)f(uses)j(its)f(type)g(system)h(to)f(pr)o(ovide)g(pr)o(otection)g(for)g(the)g(security)g(manager)-6 b(.)26b(If)20 b(Java's)g(type)h(system)h(is)g(sound,)0 1536y(then)27 b(the)f(security)g(manager)f(should)i(be)f(tamperpr)o(oof.)40b(By)26 b(using)h(types)g(instead)e(of)i(separate)d(addr)o(ess)h(spaces)g(for)0 1636 y(pr)o(otection,)c(Java)g(is)g(mor)o(e)h(easily)f(embeddable)f(in)i(other)g(softwar)o(e,)e(and)h(potentially)h(performs)f(better)g(because)g(pr)o(o-)0 1735 y(tection)g(boundaries)g(can)f(be)h(cr)o(ossed)f(without)i(a)e(context)h(switch[3].)0 2021y Fo(3)119 b(T)-13 b(axonomy)31 b(of)f(Java)f(Bugs)02210 y Fn(W)-8 b(e)20 b(now)h(pr)o(esent)f(a)f(taxonomy)i(of)f(known)h(Java)e(bugs,)h(past)g(and)g(pr)o(esent.)k(Dividing)d(the)f(bugs)h(into)g(classes)f(is)g(useful)0 2310 y(because)h(it)i(helps)f(us)h(understand)f(how)h(and)e(why)i(they)g(ar)o(ose,)e(and)h(it)h(alerts)e(us)i(to)g(aspects)e(of)i(the)f(system)h(that)f(may)02410 y(harbor)e(futur)o(e)g(bugs.)0 2652 y Fe(3.1)99b(Denial)25 b(of)g(Service)g(Attacks)0 2810 y Fn(Java)f(has)i(few)g(pr)o(ovisions)g(to)g(thwart)g(denial)f(of)h(service)f(attacks.)40b(The)26 b(obvious)h(attacks)e(ar)o(e)f(busy-waiting)j(to)f(con-)02910 y(sume)21 b(CPU)e(cycles)i(and)e(allocating)i(memory)g(until)g(the)f(system)h(r)o(uns)g(out,)f(starving)h(other)f(thr)o(eads)f(and)h(system)h(pr)o(o-)0 3010 y(cesses.)k(Additionally)-9b(,)20 b(an)g(applet)g(can)g(acquir)o(e)f(locks)i(on)g(critical)f(pieces)g(of)g(the)h(br)o(owser)e(to)i(cripple)f(it.)25b(For)c(example,)0 3109 y(the)f(code)g(in)g(\002gur)o(e)g(1)f(locks)i(the)f(status)g(line)h(at)e(the)h(bottom)h(of)f(the)g(HotJava-Alpha)f(br)o(owser)-6 b(,)19 b(ef)o(fectively)f(pr)o(eventing)03209 y(it)i(fr)o(om)f(loading)h(any)g(mor)o(e)f(pages.)25b(In)20 b(Netscape)f(Navigator)-6 b(,)19 b(this)h(attack)f(can)h(lock)g(the)g Fk(java.net.InetAddress)0 3309 y Fn(class,)25b(blocking)h(all)f(hostname)h(lookups)f(and)g(hence)g(most)g(new)g(network)h(connections.)39 b(HotJava,)25 b(Navigator)-6b(,)24 b(and)0 3408 y(Internet)f(Explor)o(er)f(all)h(have)f(classes)h(suitable)g(for)g(this)h(attack.)31 b(The)24 b(attack)e(could)h(be)g(pr)o(evented)e(by)i(r)o(eplacing)g(such)0 3508 y(critical)c(classes)h(with)g(wrappers)f(that)h(do)g(not)g(expose)g(the)g(locks)g(to)g(untr)o(usted)g(code.)25 b(However)-6 b(,)19 b(the)h(CPU)g(and)f(mem-)03607 y(ory)30 b(attacks)f(cannot)h(be)g(easily)f(\002xed;)34b(many)c(genuine)g(applications)g(may)g(need)f(lar)o(ge)g(amounts)h(of)g(memory)g(and)0 3707 y(CPU.)f(Another)h(attack,)h(\002rst)f(implemented)g(by)g(Mark)f(LaDue,)i(is)f(to)g(open)h(a)e(lar)o(ge)g(number)h(of)f(windows)i(on)g(the)0 3807 y(scr)o(een.)k(This)25b(will)g(sometimes)h(crash)e(the)g(machine.)37 b(LaDue)24b(has)g(a)g(web)g(page)g(with)h(many)g(other)f(denial)g(of)h(service)03906 y(attacks[28)n(].)125 4006 y(Ther)o(e)20 b(ar)o(e)h(two)h(twists)h(that)f(can)f(make)h(denial)f(of)h(service)g(attacks)f(mor)o(e)g(dif)o(\002cult)h(to)g(cope)f(with.)30 b(First,)22 b(an)g(attack)04106 y(can)i(be)g(pr)o(ogrammed)g(to)h(occur)f(after)f(some)j(time)e(delay)-9 b(,)25 b(causing)f(the)h(failur)o(e)e(to)i(occur)f(when)i(the)e(user)g(is)h(viewing)0 4205 y(a)k(dif)o(fer)o(ent)e(web)i(page,)h(ther)o(eby)f(masking)h(the)f(sour)o(ce)g(of)g(the)g(attack.)50b(Second,)31 b(an)e(attack)f(can)h(cause)f Fm(degradation)04305 y(of)h(service)g Fn(rather)f(than)h(outright)h(denial)e(of)h(service.)49 b(Degradation)28 b(of)h(service)f(means)h(signi\002cantly)h(r)o(educing)e(the)0 4404 y(performance)d(of)h(the)h(br)o(owser)f(without)h(stopping)g(it.)42 b(For)27 b(example,)f(the)h(locking-based)f(attack)f(could)i(be)f(used)g(to)0 4504 y(hold)d(a)g(critical)f(system)i(lock)f(most)h(of)f(the)g(time,)g(r)o(eleasing)f(it)h(only)h(brie\003y)f(and)g(occasionally)-9 b(.)32 b(The)23 b(r)o(esult)f(would)h(be)0 4604 y(a)d(br)o(owser)h(that)f(r)o(uns)i(very)e(slowly)-9b(.)0 4848 y Fk(synchronized)48 b(\(Class.forName\("net.www.html.Mete)o(redSt)o(ream"\))o(\))c({)199 4948 y(while\(true\))k(Thread.sleep\(10000\);)0 5047 y(})347 5313 y Fn(Figur)o(e)20b(1:)25 b(Java)19 b(code)i(fragment)f(to)h(deadlock)f(the)h(HotJava)f(br)o(owser)g(by)h(locking)h(its)f(status)g(line.)19295589 y(4)p eop%%Page: 5 55 4 bop 1125 812 a @beginspecial 70 @llx 640 @lly 320@urx 763 @ury 1980 @rwi @setspecial%%BeginDocument: three-party-attack.eps1 setlinejoin/M { moveto } bind def /S { show } bind def/R { rmoveto } bind def /L { lineto } bind def/B { newpath 0 0 M 0 1 L 1 1 L 1 0 L closepath } bind def/CS { closepath stroke } bind def/S { /fixwidth exch def dup length /nchars exch def dup stringwidth pop fixwidth exch sub nchars div exch 0 exch ashow} def/bwproc { rgbproc dup length 3 idiv string 0 3 0 5 -1 roll { add 2 1 roll 1 sub dup 0 eq { pop 3 idiv 3 -1 roll dup 4 -1 roll dup 3 1 roll 5 -1 roll put 1 add 3 0 } { 2 1 roll } ifelse } forall pop pop pop} defsystemdict /colorimage known not { /colorimage { pop pop /rgbproc exch def { bwproc } image } def} if1 1 scale0 setlinewidth/drawtri {/y3 exch def/x3 exch def/y2 exch def/x2 exch def/y1 exch def/x1 exch def0 setgraynewpathx1 y1 movetox2 y2 linetox3 y3 linetoclosepathstroke} bind def/filltri {/y3 exch def/x3 exch def/y2 exch def/x2 exch def/y1 exch def/x1 exch defnewpathx1 y1 movetox2 y2 linetox3 y3 linetoclosepathfill} bind def/cliptri {/y3 exch def/x3 exch def/y2 exch def/x2 exch def/y1 exch def/x1 exch def0 setgraynewpathx1 y1 movetox2 y2 linetox3 y3 linetoclosepathclip} bind def/imgscanrgb {gsavetranslate/scandy exch def/scandx exch def/istr scandx 3 mul string defscandx scandy scalescandx scandy 8[scandx 0 0 scandy neg 0 scandy]{currentfile istr readhexstring pop}false 3colorimagegrestore} bind def/imgscanbw {gsavetranslate/scandy exch def/scandx exch def/istr scandx string defscandx scandy scalescandx scandy 8[scandx 0 0 scandy neg 0 scandy]{currentfile istr readhexstring pop}imagegrestore} bind def/showcaseisoencoding [/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/space /exclam /quotedbl /numbersign/dollar /percent /ampersand /quoteright/parenleft /parenright /asterisk /plus/comma /minus /period /slash/zero /one /two /three /four /five /six /seven/eight /nine /colon /semicolon/less /equal /greater /question/at /A /B /C /D /E /F /G/H /I /J /K /L /M /N /O/P /Q /R /S /T /U /V /W/X /Y /Z /bracketleft/backslash /bracketright /asciicircum /underscore/quoteleft /a /b /c /d /e /f /g/h /i /j /k /l /m /n /o/p /q /r /s /t /u /v /w/x /y /z /braceleft/bar /braceright /asciitilde /guilsinglright/fraction /florin /quotesingle /quotedblleft/guilsinglleft /fi /fl /endash/dagger /daggerdbl /bullet /quotesinglbase/quotedblbase /quotedblright /ellipsis /trademark/dotlessi /grave /acute /circumflex/tilde /macron /breve /dotaccent/dieresis /perthousand /ring /cedilla/Ydieresis /hungarumlaut /ogonek /caron/emdash /exclamdown /cent /sterling/currency /yen /brokenbar /section/dieresis /copyright /ordfeminine /guillemotleft/logicalnot /hyphen /registered /macron/degree /plusminus /twosuperior /threesuperior/acute /mu /paragraph /periodcentered/cedilla /onesuperior /ordmasculine /guillemotright/onequarter /onehalf /threequarters /questiondown/Agrave /Aacute /Acircumflex /Atilde/Adieresis /Aring /AE /Ccedilla/Egrave /Eacute /Ecircumflex /Edieresis/Igrave /Iacute /Icircumflex /Idieresis/Eth /Ntilde /Ograve /Oacute/Ocircumflex /Otilde /Odieresis /multiply/Oslash /Ugrave /Uacute /Ucircumflex/Udieresis /Yacute /Thorn /germandbls/agrave /aacute /acircumflex /atilde/adieresis /aring /ae /ccedilla/egrave /eacute /ecircumflex /edieresis/igrave /iacute /icircumflex /idieresis/eth /ntilde /ograve /oacute/ocircumflex /otilde /odieresis /divide/oslash /ugrave /uacute /ucircumflex/udieresis /yacute /thorn /ydieresis ] def/showcasedingbatencoding [/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /a1 /a2 /a202 /a3 /a4 /a5 /a119 /a118 /a117/a11 /a12 /a13 /a14 /a15 /a16 /a105 /a17 /a18 /a19/a20 /a21 /a22 /a23 /a24 /a25 /a26 /a27 /a28 /a6 /a7/a8 /a9 /a10 /a29/a30 /a31 /a32 /a33 /a34 /a35 /a36 /a37 /a38 /a39/a40 /a41 /a42 /a43 /a44 /a45 /a46 /a47 /a48 /a49/a50 /a51 /a52 /a53 /a54 /a55 /a56 /a57 /a58 /a59/a60 /a61 /a62 /a63 /a64 /a65 /a66 /a67 /a68 /a69/a70 /a71 /a72 /a73 /a74 /a203 /a75 /a204 /a76 /a77 /a78/a79 /a81 /a82 /a83 /a84 /a97 /a98 /a99 /a100 /.notdef/a205 /a85 /a206 /a86 /a87 /a88 /a89 /a90 /a91 /a92 /a93/a94 /a95 /a96/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef/.notdef /a101 /a102 /a103 /a104 /a106 /a107 /a108/a112 /a111 /a110 /a109/a120 /a121 /a122 /a123 /a124 /a125 /a126 /a127 /a128 /a129/a130 /a131 /a132 /a133 /a134 /a135 /a136 /a137 /a138 /a139/a140 /a141 /a142 /a143 /a144 /a145 /a146 /a147 /a148 /a149/a150 /a151 /a152 /a153 /a154 /a155 /a156 /a157 /a158 /a159/a160 /a161 /a163 /a164 /a196 /a165 /a192 /a166 /a167 /a168/a169 /a170 /a171 /a172 /a173 /a162 /a174 /a175 /a176 /a177/a178 /a179 /a193 /a180 /a199 /a181 /a200 /a182 /.notdef/a201 /a183 /a184 /a197 /a185 /a194 /a198 /a186 /a195 /a187/a188 /a189 /a190 /a191 /.notdef] def/Helvetica-Bold findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Helvetica-Bold-SHOWISO exch definefont pop/Helvetica-Oblique findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Helvetica-Oblique-SHOWISO exch definefont pop/Helvetica findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Helvetica-SHOWISO exch definefont pop/newfont 10 dict defnewfont begin /FontType 3 def /FontMatrix [1 0 0 1 0 0] def /FontBBox [0 0 1 1] def /Encoding 256 array def 0 1 255 {Encoding exch /.notdef put} for /CharProcs 1 dict def CharProcs begin /.notdef {} defend /BuildChar { 1 0 0 0 1 1 setcachedevice exch begin Encoding exch get CharProcs exch get end exec } defend/PatternFont newfont definefont popgsave/saveit save defgsavegsave0 0 0 setrgbcolorgsave0 setlinejoin154.472 753.109 translate-158.097 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath250.504 751.511 M244.455 753.852 L238.439 755.939 L232.453 757.763 L226.492 759.315 L220.551 760.586 L214.628 761.568 L208.717 762.25 L202.814 762.625 L196.916 762.683 L191.018 762.416 L185.115 761.815 L179.205 760.87 L173.282 759.573 L167.343 757.916 L161.384 755.888 L172.1 760.197 Lstrokegrestoregsave1 setgraynewpath100.702 734.757 M99.86 731.864 L99.1744 728.744 L98.635 725.414 L98.2314 721.893 L97.9533 718.201 L97.7903 714.356 L97.732 710.378 L97.7681 706.284 L97.8882 702.096 L98.0819 697.83 L98.3388 693.506 L98.6487 689.143 L99.001 684.761 L99.3855 680.377 L99.7918 676.011 L98.4809 689.599 Lclosepatheofill0 0 0 setrgbcolorgsave0 setlinejoin100.305 670.687 translate-84.4893 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath100.702 734.757 M99.86 731.864 L99.1744 728.744 L98.635 725.414 L98.2314 721.893 L97.9533 718.201 L97.7903 714.356 L97.732 710.378 L97.7681 706.284 L97.8882 702.096 L98.0819 697.83 L98.3388 693.506 L98.6487 689.143 L99.001 684.761 L99.3855 680.377 L99.7918 676.011 L98.4809 689.599 Lstrokegrestoregsave1 setgraynewpath108.024 664.314 M108.911 667.193 L109.644 670.303 L110.235 673.625 L110.692 677.139 L111.027 680.826 L111.249 684.668 L111.368 688.645 L111.395 692.738 L111.339 696.928 L111.211 701.197 L111.02 705.524 L110.777 709.891 L110.492 714.278 L110.175 718.667 L109.836 723.039 L110.938 709.432 Lclosepatheofill0 0 0 setrgbcolorgsave0 setlinejoin109.404 728.37 translate94.6321 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath108.024 664.314 M108.911 667.193 L109.644 670.303 L110.235 673.625 L110.692 677.139 L111.027 680.826 L111.249 684.668 L111.368 688.645 L111.395 692.738 L111.339 696.928 L111.211 701.197 L111.02 705.524 L110.777 709.891 L110.492 714.278 L110.175 718.667 L109.836 723.039 L110.938 709.432 Lstrokegrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin251.939 735.244 translate49.348 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidth[4] 0 setdashnewpath152.112 658.029 M160.759 661.311 L168.728 664.639 L176.095 668.045 L182.936 671.563 L189.326 675.225 L195.339 679.065 L201.05 683.116 L206.535 687.41 L211.87 691.98 L217.128 696.86 L222.385 702.082 L227.717 707.68 L233.197 713.686 L238.903 720.134 L244.908 727.056 L239.561 720.829 Lstrokegrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin153.972 664.166 translate-130.264 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidth[4] 0 setdashnewpath253.272 742.057 M244.648 738.716 L236.702 735.334 L229.358 731.878 L222.541 728.314 L216.176 724.608 L210.19 720.727 L204.506 716.638 L199.05 712.307 L193.747 707.701 L188.522 702.785 L183.3 697.527 L178.007 691.894 L172.567 685.85 L166.905 679.364 L160.947 672.402 L166.252 678.665 Lstrokegrestoregsave1 setgraymatrix currentmatrix[39.0996 0 0 17.6642 280.241 745.03] concatnewpath0 0 1 0 360 arcclosepath fill setmatrixmatrix currentmatrix[39.0996 0 0 17.6642 280.241 745.03] concatnewpath0 0 1 0 360 arcsetmatrix1 1 1 setrgbcolorclosepath fill1.000000 setlinewidthmatrix currentmatrix[39.0996 0 0 17.6642 280.241 745.03] concatnewpath0 0 1 0 360 arc0 0 0 setrgbcolorclosepath setmatrix strokegrestoregsave1 setgraymatrix currentmatrix[39.0996 0 0 17.6642 119.674 657.81] concatnewpath0 0 1 0 360 arcclosepath fill setmatrixmatrix currentmatrix[39.0996 0 0 17.6642 119.674 657.81] concatnewpath0 0 1 0 360 arcsetmatrix1 1 1 setrgbcolorclosepath fill1.000000 setlinewidthmatrix currentmatrix[39.0996 0 0 17.6642 119.674 657.81] concatnewpath0 0 1 0 360 arc0 0 0 setrgbcolorclosepath setmatrix strokegrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492768 183.339 748.973] concatnewpath0 0 M 0 18 L 51.032 18 L 51.032 0 Lclosepath setmatrix1 1 1 setrgbcolorgsave fill grestore0 0 0 setrgbcolorgrestorenewpath182.353 747.987 M 182.353 759.366 L 209.471 759.366 L 209.471 747.987 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492768 183.339 748.973] concat/Helvetica-Oblique-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 4.09091 M (applet) 49.032 Ssetmatrixgrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492768 120.6 704.656] concatnewpath0 0 M 0 36 L 71.03 36 L 71.03 0 Lclosepath setmatrix1 1 1 setrgbcolorgsave fill grestore0 0 0 setrgbcolorgrestorenewpath119.614 703.671 M 119.614 723.919 L 156.587 723.919 L 156.587 703.671 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492768 120.6 704.656] concat/Helvetica-Oblique-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 22.0909 M (Web) 37.008 S0 4.09091 M (requests) 69.03 Ssetmatrixgrestoregsave1 setgraynewpath153.535 753.862 M152.237 754.807 L150.787 755.728 L149.189 756.615 L147.447 757.463 L145.57 758.264 L143.565 759.013 L141.446 759.702 L139.224 760.327 L136.914 760.884 L134.533 761.369 L132.096 761.779 L129.621 762.113 L127.125 762.37 L124.625 762.552 L122.136 762.659 L119.674 762.694 L119.674 762.694 L117.212 762.659 L114.723 762.552 L112.223 762.37 L109.727 762.113 L107.252 761.779 L104.815 761.369 L102.434 760.884 L100.124 760.327 L97.9021 759.702 L95.7824 759.013 L93.778 758.264 L91.9003 757.463 L90.1587 756.615 L88.5604 755.728 L87.1107 754.807 L85.8125 753.862 L85.8125 753.862 L84.6488 752.881 L83.6097 751.854 L82.7075 750.785 L81.9531 749.679 L81.3558 748.544 L80.9235 747.385 L80.6618 746.212 L80.5742 745.03 L80.6618 743.848 L80.9235 742.674 L81.3558 741.515 L81.9531 740.38 L82.7075 739.275 L83.6097 738.206 L84.6488 737.178 L85.8125 736.197 L85.8125 736.197 L87.1107 735.252 L88.5604 734.331 L90.1587 733.444 L91.9003 732.596 L93.778 731.795 L95.7824 731.047 L97.9021 730.357 L100.124 729.732 L102.434 729.175 L104.815 728.69 L107.252 728.281 L109.727 727.947 L112.223 727.689 L114.723 727.508 L117.212 727.4 L119.674 727.365 L119.674 727.365 L122.136 727.4 L124.625 727.508 L127.125 727.689 L129.621 727.947 L132.096 728.281 L134.533 728.69 L136.914 729.175 L139.224 729.732 L141.446 730.357 L143.565 731.047 L145.57 731.795 L147.447 732.596 L149.189 733.444 L150.787 734.331 L152.237 735.252 L153.535 736.197 L153.535 736.197 L154.699 737.178 L155.738 738.206 L156.64 739.275 L157.395 740.38 L157.992 741.515 L158.424 742.674 L158.686 743.848 L158.773 745.03 L158.686 746.212 L158.424 747.385 L157.992 748.544 L157.395 749.679 L156.64 750.785 L155.738 751.854 L154.699 752.881 L153.535 753.862 Lclosepatheofill1 1 1 setrgbcolornewpath153.535 753.862 M152.237 754.807 L150.787 755.728 L149.189 756.615 L147.447 757.463 L145.57 758.264 L143.565 759.013 L141.446 759.702 L139.224 760.327 L136.914 760.884 L134.533 761.369 L132.096 761.779 L129.621 762.113 L127.125 762.37 L124.625 762.552 L122.136 762.659 L119.674 762.694 L119.674 762.694 L117.212 762.659 L114.723 762.552 L112.223 762.37 L109.727 762.113 L107.252 761.779 L104.815 761.369 L102.434 760.884 L100.124 760.327 L97.9021 759.702 L95.7824 759.013 L93.778 758.264 L91.9003 757.463 L90.1587 756.615 L88.5604 755.728 L87.1107 754.807 L85.8125 753.862 L85.8125 753.862 L84.6488 752.881 L83.6097 751.854 L82.7075 750.785 L81.9531 749.679 L81.3558 748.544 L80.9235 747.385 L80.6618 746.212 L80.5742 745.03 L80.6618 743.848 L80.9235 742.674 L81.3558 741.515 L81.9531 740.38 L82.7075 739.275 L83.6097 738.206 L84.6488 737.178 L85.8125 736.197 L85.8125 736.197 L87.1107 735.252 L88.5604 734.331 L90.1587 733.444 L91.9003 732.596 L93.778 731.795 L95.7824 731.047 L97.9021 730.357 L100.124 729.732 L102.434 729.175 L104.815 728.69 L107.252 728.281 L109.727 727.947 L112.223 727.689 L114.723 727.508 L117.212 727.4 L119.674 727.365 L119.674 727.365 L122.136 727.4 L124.625 727.508 L127.125 727.689 L129.621 727.947 L132.096 728.281 L134.533 728.69 L136.914 729.175 L139.224 729.732 L141.446 730.357 L143.565 731.047 L145.57 731.795 L147.447 732.596 L149.189 733.444 L150.787 734.331 L152.237 735.252 L153.535 736.197 L153.535 736.197 L154.699 737.178 L155.738 738.206 L156.64 739.275 L157.395 740.38 L157.992 741.515 L158.424 742.674 L158.686 743.848 L158.773 745.03 L158.686 746.212 L158.424 747.385 L157.992 748.544 L157.395 749.679 L156.64 750.785 L155.738 751.854 L154.699 752.881 L153.535 753.862 Lclosepatheofill0 0 0 setrgbcolor1.000000 setlinewidthnewpath153.535 753.862 M152.237 754.807 L150.787 755.728 L149.189 756.615 L147.447 757.463 L145.57 758.264 L143.565 759.013 L141.446 759.702 L139.224 760.327 L136.914 760.884 L134.533 761.369 L132.096 761.779 L129.621 762.113 L127.125 762.37 L124.625 762.552 L122.136 762.659 L119.674 762.694 L119.674 762.694 L117.212 762.659 L114.723 762.552 L112.223 762.37 L109.727 762.113 L107.252 761.779 L104.815 761.369 L102.434 760.884 L100.124 760.327 L97.9021 759.702 L95.7824 759.013 L93.778 758.264 L91.9003 757.463 L90.1587 756.615 L88.5604 755.728 L87.1107 754.807 L85.8125 753.862 L85.8125 753.862 L84.6488 752.881 L83.6097 751.854 L82.7075 750.785 L81.9531 749.679 L81.3558 748.544 L80.9235 747.385 L80.6618 746.212 L80.5742 745.03 L80.6618 743.848 L80.9235 742.674 L81.3558 741.515 L81.9531 740.38 L82.7075 739.275 L83.6097 738.206 L84.6488 737.178 L85.8125 736.197 L85.8125 736.197 L87.1107 735.252 L88.5604 734.331 L90.1587 733.444 L91.9003 732.596 L93.778 731.795 L95.7824 731.047 L97.9021 730.357 L100.124 729.732 L102.434 729.175 L104.815 728.69 L107.252 728.281 L109.727 727.947 L112.223 727.689 L114.723 727.508 L117.212 727.4 L119.674 727.365 L119.674 727.365 L122.136 727.4 L124.625 727.508 L127.125 727.689 L129.621 727.947 L132.096 728.281 L134.533 728.69 L136.914 729.175 L139.224 729.732 L141.446 730.357 L143.565 731.047 L145.57 731.795 L147.447 732.596 L149.189 733.444 L150.787 734.331 L152.237 735.252 L153.535 736.197 L153.535 736.197 L154.699 737.178 L155.738 738.206 L156.64 739.275 L157.395 740.38 L157.992 741.515 L158.424 742.674 L158.686 743.848 L158.773 745.03 L158.686 746.212 L158.424 747.385 L157.992 748.544 L157.395 749.679 L156.64 750.785 L155.738 751.854 L154.699 752.881 L153.535 753.862 Lclosepathstrokegrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492768 266.799 741.388] concatnewpath0 0 M 0 18 L 63.02 18 L 63.02 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath265.814 740.403 M 265.814 751.781 L 298.839 751.781 L 298.839 740.403 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492768 266.799 741.388] concat/Helvetica-Bold-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 4.09091 M (Charlie) 61.02 Ssetmatrixgrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492758 110.023 741.394] concatnewpath0 0 M 0 18 L 36.992 18 L 36.992 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath109.037 740.408 M 109.037 751.787 L 129.237 751.787 L 129.237 740.408 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492758 110.023 741.394] concat/Helvetica-Bold-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 4.09091 M (Bob) 34.992 Ssetmatrixgrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492768 108.045 653.445] concatnewpath0 0 M 0 18 L 45.02 18 L 45.02 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath107.059 652.459 M 107.059 663.838 L 131.214 663.838 L 131.214 652.459 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492768 108.045 653.445] concat/Helvetica-Bold-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 4.09091 M (Alice) 43.02 Ssetmatrixgrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492768 214.532 671.637] concatnewpath0 0 M 0 36 L 65.036 36 L 65.036 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath213.546 670.651 M 213.546 690.899 L 247.565 690.899 L 247.565 670.651 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492768 214.532 671.637] concat/Helvetica-Oblique-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 22.0909 M (covert) 49.014 S0 4.09091 M (channel) 63.036 Ssetmatrixgrestoregsavegsavematrix currentmatrix[0.492768 0 0 0.492768 70.8304 709.092] concatnewpath0 0 M 0 18 L 51.032 18 L 51.032 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath69.8448 708.106 M 69.8448 719.485 L 96.9628 719.485 L 96.9628 708.106 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0.492768 0 0 0.492768 70.8304 709.092] concat/Helvetica-Oblique-SHOWISO findfont 18 scalefont setfont0 0 0 setrgbcolor0 4.09091 M (applet) 49.032 Ssetmatrixgrestoregrestoreshowpagesaveit restoregrestore%%EndDocument @endspecial 0 994 a Fn(Figur)o(e)19 b(2:)24 b(A)19 b(Thr)o(ee)g(Party)g(Attack)f(\227)i(Charlie)e(pr)o(oduces)h(a)g(T)-7 b(r)o(ojan)18b(horse)i(applet.)25 b(Bob)19 b(likes)h(it)f(and)g(uses)h(it)f(in)h(his)g(web)0 1094 y(page.)30 b(Alice)22 b(views)h(Bob's)f(web)h(page)f(and)g(Charlie's)g(applet)g(establishes)g(a)g(covert)h(channel)f(to)h(Charlie.)30 b(The)23 b(applet)0 1194 y(leaks)e(Alice's)f(information)i(to)f(Charlie.)k(No)c(collusion)h(with)g(Bob)f(is)g(necessary)-9b(.)125 1466 y(Sun)20 b(has)h(said)f(that)h(they)g(consider)g(denial)f(of)h(service)f(attacks)h(to)g(be)f(low-priority)i(pr)o(oblems[20)n(].)0 1709 y Fe(3.2)99 b(T)-9 b(wo)26 b(vs.)31 b(Three)25b(Party)g(Attacks)0 1867 y Fn(It)g(is)h(useful)f(to)h(distinguish)h(between)e(two)h(dif)o(fer)o(ent)d(kinds)j(of)f(attack,)g(which)h(we)g(shall)f(call)g(two-party)g(and)g(thr)o(ee-)0 1967 y(party)-9b(.)46 b(A)28 b(two-party)g(attack)f(r)o(equir)o(es)g(that)h(the)g(web)g(server)f(the)i(applet)e(r)o(esides)g(on)i(participate)d(in)j(the)f(attack.)46 b(A)0 2066 y(thr)o(ee-party)19 b(attack)h(can)h(originate)g(fr)o(om)g(anywher)o(e)f(on)i(the)f(Internet,)f(and)h(might)h(spr)o(ead)d(if)i(it)g(is)g(hidden)g(in)h(a)e(useful)0 2166y(applet)31 b(that)h(gets)g(used)f(by)h(many)g(web)g(pages)f(\(see)g(\002gur)o(e)g(2\).)58 b(Thr)o(ee-party)30 b(attacks)h(ar)o(e)f(mor)o(e)i(danger)o(ous)f(than)0 2265 y(two-party)20 b(attacks)h(because)e(they)i(do)g(not)h(r)o(equir)o(e)d(the)i(collusion)i(of)d(the)h(web)g(server)-6 b(.)0 2508 y Fe(3.3)99 b(Covert)26 b(Channels)02666 y Fn(V)-8 b(arious)25 b(covert)f(channels)h(exist)f(in)h(HotJava,)g(Navigator)-6 b(,)24 b(and)g(Internet)h(Explor)o(er)-6b(,)23 b(allowing)j(applets)e(to)h(have)f(two-)0 2766y(way)d(communication)h(with)g(arbitrary)d(thir)o(d-parties)g(on)j(the)f(Internet.)125 2866 y(T)-7 b(ypically)e(,)21 b(most)h(HotJava)f(users)h(will)h(use)f(the)g(default)f(network)h(security)g(mode,)g(which)h(only)g(allows)f(an)g(applet)0 2965 y(to)g(connect)g(to)f(the)h(host)g(fr)o(om)f(which)h(it)g(was)f(loaded.)27 b(This)22 b(is)f(the)h(only)g(security)g(mode)f(available)f(to)i(Navigator)e(and)03065 y(Internet)h(Explor)o(er)f(users)843 3035 y Fl(6)8763065 y Fn(.)26 b(In)21 b(fact,)e(the)i(br)o(owsers)g(have)f(failed)g(to)h(enfor)o(ce)f(this)i(policy)f(thr)o(ough)h(a)e(number)h(of)g(err)o(ors)0 3164 y(in)g(their)g(implementation.)125 3264 y(The)iFk(accept\(\))g Fn(system)h(call,)g(used)g(to)g(r)o(eceive)e(a)h(network)i(connection)g(initiated)f(on)g(another)g(host,)h(is)f(not)h(pr)o(o-)0 3364 y(tected)d(by)g(the)g(usual)h(security)f(checks)h(in)g(HotJava-Alpha.)28 b(This)23 b(allows)g(an)f(arbitrary)f(host)i(on)g(the)g(Internet)f(to)h(con-)0 3463 y(nect)d(to)g(a)g(HotJava)f(br)o(owser)g(as)h(long)g(as)g(the)g(location)h(of)f(the)g(br)o(owser)f(is)h(known.)27 b(For)20 b(this)h(to)f(be)g(a)f(useful)h(attack,)f(the)03563 y(applet)j(needs)g(to)g(signal)h(the)g(external)e(agent)h(to)h(connect)g(to)f(a)g(speci\002ed)g(port.)30 b(Even)22b(an)g(extr)o(emely)g(low-bandwidth)0 3663 y(covert)j(channel)g(would)g(be)g(suf)o(\002cient)f(to)i(communicate)f(this)h(information.)39b(The)24 b Fk(accept\(\))g Fn(call)g(is)i(pr)o(operly)e(pr)o(o-)03762 y(tected)c(in)h(curr)o(ent)f(Java)f(implementations.)1253862 y(If)k(the)g(web)h(server)e(which)j(pr)o(ovided)d(the)i(applet)f(is)g(r)o(unning)i(an)f(SMTP)e(mail)i(daemon,)g(the)g(applet)e(can)h(connect)0 3961 y(to)d(it)g(and)f(transmit)h(an)g(e-mail)f(message)h(to)g(any)g(machine)g(on)g(the)g(Internet.)25 b(Additionally)-9b(,)20 b(the)g Fm(Domain)e(Name)i(System)0 4061 y Fn(\(DNS\))26b(can)g(be)g(used)g(as)g(a)g(two-way)g(communication)i(channel)f(to)g(an)f(arbitrary)f(host)i(on)g(the)g(Internet.)42 b(An)27b(applet)0 4161 y(may)g(r)o(efer)o(ence)d(a)j(\002ctitious)h(name)f(in)g(the)g(attacker)6 b('s)26 b(domain.)45 b(This)27 b(transmits)h(the)f(name)g(to)g(the)g(attacker)6 b('s)26 b(DNS)0 4260 y(server)-6b(,)21 b(which)i(could)f(interpr)o(et)g(the)g(name)g(as)g(a)f(message,)h(and)g(then)h(send)f(a)f(list)i(of)f(arbitrary)f(32-bit)g(IP)h(numbers)g(as)0 4360 y(a)i(r)o(eply)-9 b(.)37 b(Repeated)24b(DNS)h(calls)g(by)g(the)g(applet)f(establish)h(a)g(channel)g(between)f(the)h(applet)g(and)f(the)h(attacker)6 b('s)24 b(DNS)04460 y(server)-6 b(.)51 b(This)31 b(channel)f(also)f(passes)h(thr)o(ough)g(a)f(number)h(of)g(\002r)o(ewalls[9)o(].)52 b(In)30b(HotJava-Alpha,)f(the)h(DNS)g(channel)0 4559 y(was)20b(available)f(even)i(with)g(the)f(security)h(mode)g(set)f(to)h(\223no)f(network)i(access,\224)d(although)i(this)g(was)g(\002xed)f(in)h(later)e(Java)0 4659 y(versions.)26 b(DNS)21 b(has)g(other)g(security)f(implications;)i(see)f(section)g(3.5.1)e(for)h(details.)1254758 y(Another)f(thir)o(d-party)f(channel)h(is)h(available)d(with)j(the)f Fm(URL)h(r)o(edir)o(ect)e Fn(featur)o(e.)23 b(Normally)-9b(,)20 b(an)f(applet)f(may)h(instr)o(uct)0 4858 y(the)26b(br)o(owser)g(to)h(load)e(any)i(page)e(on)i(the)f(web.)42b(An)26 b(attacker)6 b('s)25 b(server)h(could)g(r)o(ecor)o(d)f(the)h(URL)g(as)g(a)f(message,)j(then)0 4958 y(r)o(edir)o(ect)19b(the)i(br)o(owser)f(to)h(the)g(original)g(destination.)1255057 y(When)i(we)f(noti\002ed)i(Sun)f(about)f(these)h(channels,)g(they)h(said)e(the)h(DNS)f(channel)h(would)h(be)e(\002xed[36)n(],)h(but)g(in)g(fact)0 5157 y(it)g(was)f(still)i(available)d(in)i(JDK)f(and)h(Netscape)e(Navigator)-6 b(.)30 b(Netscape)22 b(has)h(since)f(issued)h(a)f(patch)g(\(incorporated)g(into)p 0 5233 1560 4 v90 5289 a Fj(6)120 5313 y Fi(W)l(ithout)17 b(using)f(digitally)h(signed)g(code.)1929 5589 y Fn(5)p eop%%Page: 6 66 5 bop 0 83 a Fn(Netscape)20 b(Navigator)g(2.01\))f(to)i(\002x)g(this)g(pr)o(oblem.)125 183 y(As)c(far)g(as)g(we)h(know)-8b(,)19 b(nobody)f(has)g(done)g(an)f(analysis)h(of)g(covert)f(storage)g(or)h(timing)h(channels)f(in)g(the)g(Java)e(r)o(untime)0282 y(system.)0 525 y Fe(3.4)99 b(Information)25 b(A)-7b(vailable)24 b(to)i(Applets)0 683 y Fn(If)h(a)f(r)o(ogue)h(applet)f(can)h(establish)g(a)f(channel)i(to)f(any)g(Internet)g(host,)i(the)f(next)e(issue)i(is)f(what)g(the)g(applet)g(can)f(learn)0783 y(about)21 b(the)g(user)6 b('s)21 b(envir)o(onment)g(to)g(send)g(over)f(the)h(channel.)125 882 y(In)27 b(HotJava-Alpha,)f(most)i(attempts)f(by)h(an)e(applet)h(to)g(r)o(ead)f(or)h(write)g(the)g(local)g(\002le)g(system)h(r)o(esult)f(in)g(a)g(dialog)0 982y(box)21 b(for)g(the)g(user)g(to)g(grant)g(appr)o(oval.)k(Separate)19b(access)h(contr)o(ol)i(lists)g(\(ACLs\))2581 952 y Fl(7)2633982 y Fn(specify)f(wher)o(e)g(r)o(eading)f(and)g(writing)01082 y(of)h(\002les)h(or)f(dir)o(ectories)f(may)i(occur)f(without)h(the)g(user)6 b('s)21 b(explicit)g(permission.)28 b(By)21b(default,)f(the)i(write)f(ACL)f(is)i(empty)0 1181 y(and)g(the)g(r)o(ead)e(ACL)h(contains)i(the)f(HotJava)f(library)h(dir)o(ectory)f(and)g(speci\002c)h(MIME)f Fk(mailcap)g Fn(\002les.)30 b(The)22b(r)o(ead)e(ACL)0 1281 y(also)26 b(contains)g(the)g(user)6b('s)25 b Fk(public)p 1197 1281 25 4 v 29 w(html)g Fn(dir)o(ectory)-9b(,)25 b(which)h(may)g(contain)g(information)g(which)h(compr)o(omises)f(the)0 1380 y(privacy)g(of)g(the)h(user)-6 b(.)42 b(The)26b(W)-5 b(indows)28 b(95)d(version)i(additionally)f(allows)h(writing)g(\(but)g(not)g(r)o(eading\))e(in)h(the)h Fk(\\TEMP)01480 y Fn(dir)o(ectory)-9 b(.)33 b(This)24 b(allows)g(an)g(applet)f(to)h(corr)o(upt)g(\002les)g(in)g(use)f(by)h(other)g(W)-5b(indows)25 b(applications)f(if)f(the)h(applet)f(knows)01580 y(or)g(can)f(guess)h(names)f(the)h(\002les)g(may)f(have.)30b(At)23 b(a)f(minimum,)i(an)e(applet)g(can)g(consume)i(all)e(the)h(fr)o(ee)e(space)g(in)i(the)g(\002le)0 1679 y(system.)48 b(These)28b(security)g(concerns)h(could)f(be)g(addr)o(essed)e(by)i(the)g(user)g(editing)g(the)h(ACLs;)h(however)-6 b(,)30 b(the)e(system)01779 y(default)c(should)h(have)g(been)f(less)h(permissive.)38b(Navigator)24 b(and)h(Internet)g(Explor)o(er)e(do)i(not)h(permit)f(any)f(\002le)h(system)0 1879 y(access)20 b(by)h(applets)f(\(without)i(digital)f(signatur)o(es\).)125 1978 y(In)k(HotJava-Alpha,)g(we)h(could)g(learn)f(the)g(user)6 b('s)26 b(login)h(name,)f(machine)g(name,)h(as)e(well)h(as)f(the)h(contents)h(of)e(all)02078 y(envir)o(onment)k(variables;)i Fk(System.getenv\(\))25b Fn(in)k(HotJava-Alpha)d(had)i(no)h(security)f(checks.)49b(By)28 b(pr)o(obing)g(envi-)0 2177 y(r)o(onment)23 b(variables,)g(including)h(the)f Fk(PATH)f Fn(variable,)g(we)h(could)g(often)h(discover)e(what)i(softwar)o(e)e(is)h(installed)g(on)h(the)02277 y(user)6 b('s)27 b(machine.)44 b(This)27 b(information)h(could)f(be)f(valuable)g(either)h(to)g(corporate)f(marketing)h(departments,)h(or)f(to)g(at-)0 2377 y(tackers)f(desiring)g(to)h(br)o(eak)e(into)i(a)f(user)6 b('s)27 b(machine.)42 b(In)27 b(later)e(Java)g(versions,)jFk(System.getenv\(\))c Fn(was)i(r)o(eplaced)0 2476 y(with)j(\223system)g(pr)o(operties,\224)h(many)f(of)f(which)i(ar)o(e)d(not)j(supposed)e(to)h(be)g(accessible)f(by)h(applets.)49 b(However)-6b(,)30 b(ther)o(e)0 2576 y(have)22 b(been)g(implementation)h(pr)o(oblems)g(\(see)e(Section)i(3.7.2\))d(that)i(allowed)g(an)g(applet)g(to)h(r)o(ead)d(or)j(write)f(any)g(system)0 2676 y(pr)o(operty)-9b(.)125 2775 y(Java)19 b(allows)j(applets)f(to)g(r)o(ead)f(the)h(system)h(clock,)f(making)h(it)f(possible)h(to)g(benchmark)f(the)g(user)6 b('s)22 b(machine.)27 b(As)20 b(a)0 2875 y(Java-enabled)e(web)j(br)o(owser)f(may)h(well)g(r)o(un)g(on)h(pr)o(e-r)o(elease)c(har)o(dwar)o(e)g(and/or)j(softwar)o(e,)e(an)i(attacker)f(could)g(learn)02974 y(valuable)28 b(information.)53 b(T)-5 b(iming)30b(information)h(is)e(also)h(needed)e(for)h(the)h(exploitation)g(of)f(covert)g(timing)i(channels.)0 3074 y(\223Fuzzy)20 b(time\224[25)n(])h(should)g(be)g(investigated)f(to)h(see)g(if)f(it)h(can)g(mitigate)g(these)g(pr)o(oblems.)0 3317 y Fe(3.5)99 b(Implementation)24b(Errors)0 3475 y Fn(Some)d(bugs)g(arise)f(fr)o(om)g(fairly)h(localized)e(err)o(ors)h(in)i(the)f(implementation)g(of)g(the)g(br)o(owser)f(or)h(the)g(Java)e(subsystem.)0 3701 y Fd(3.5.1)81b(DNS)21 b(W)-6 b(eaknesses)0 3859 y Fn(A)24 b(signi\002cant)i(pr)o(oblem)e(appear)o(ed)f(in)i(the)g(JDK)g(and)f(Netscape)g(Navigator)g(implementation)i(of)e(the)h(policy)g(that)g(an)0 3959y(applet)31 b(can)g(only)h(open)g(a)f(TCP/IP)g(connection)i(back)e(to)g(the)h(server)f(it)g(was)g(loaded)g(fr)o(om.)57 b(While)32b(this)g(policy)g(is)0 4058 y(r)o(easonable,)23 b(since)h(applets)f(often)h(need)g(to)g(load)f(components)i(\(images,)f(sounds,)h(etc.\))34 b(fr)o(om)24 b(their)f(host,)j(it)e(was)f(not)0 4158y(uniformly)f(enfor)o(ced.)i(This)d(policy)h(was)e(enfor)o(ced)g(as)g(follows:)104 4324 y(1.)41 b(Get)20 b(all)h(the)g(IP-addr)o(esses)e(of)i(the)g(hostname)g(that)g(the)g(applet)f(came)g(fr)o(om.)1044490 y(2.)41 b(Get)20 b(all)h(the)g(IP-addr)o(esses)e(of)i(the)g(hostname)g(that)g(the)g(applet)f(is)h(attempting)g(to)g(connect)g(to.)104 4656 y(3.)41 b(If)19 b(any)i(addr)o(ess)d(in)j(the)f(\002rst)h(set)f(matches)g(any)h(addr)o(ess)d(in)j(the)f(second)h(set,)f(allow)h(the)f(connection.)27 b(Otherwise,)208 4756 y(do)20 b(not)i(allow)f(the)g(connection.)0 4922 y(The)f(pr)o(oblem)g(occurr)o(ed)f(in)i(the)f(second)h(step:)k(the)c(applet)e(can)h(ask)g(to)h(connect)g(to)f(any)h(hostname)g(on)g(the)f(Internet,)g(so)0 5021 y(it)25b(can)f(contr)o(ol)h(which)h(DNS)f(server)f(supplies)h(the)g(second)f(list)i(of)f(IP-addr)o(esses;)f(information)i(fr)o(om)e(this)i(untr)o(usted)0 5121 y(DNS)k(server)f(was)g(used)h(to)g(make)g(an)f(access)h(contr)o(ol)g(decision.)53 b(Ther)o(e)29 b(is)h(nothing)h(to)f(pr)o(event)f(an)h(attacker)e(fr)o(om)p 0 5198 1560 4 v 905253 a Fj(7)120 5277 y Fi(While)17 b(Sun)f(calls)i(these)e(\223ACLs\224,)g(they)f(ar)o(e)i(actually)h Fg(pr)o(o\002les)fFi(\227)g(a)g(list)g(of)g(\002les)g(and)f(dir)o(ectories)h(granted)f(speci\002c)i(access)g(permissions.)1929 5589 y Fn(6)peop%%Page: 7 77 6 bop 0 55 a Fk(hotjava.props.put\("proxyHost",)44b("proxy.attacker.com"\);)0 155 y(hotjava.props.put\("proxyPort",)g("8080"\);)0 254 y(hotjava.props.put\("proxySet",)g("true"\);)0354 y(HttpClient.cachingProxyHost)h(=)k("proxy.attacker.com";)0454 y(HttpClient.cachingProxyPort)c(=)k(8080;)0 553 y(HttpClient.useProxyForCaching)44 b(=)50 b(true;)0 819y Fn(Figur)o(e)18 b(3:)24 b(Code)18 b(to)h(r)o(edir)o(ect)e(all)h(HotJava-Alpha)f(HTTP)h(r)o(etrievals.)24 b(FTP)18 b(r)o(etrievals)g(may)g(be)g(r)o(edir)o(ected)e(with)k(similar)0 918 y(code.)3002287 y @beginspecial 31 @llx 588 @lly 518 @urx 775 @ury3960 @rwi @setspecial%%BeginDocument: dns-attack-lite.eps1 setlinejoin/M { moveto } bind def /S { show } bind def/R { rmoveto } bind def /L { lineto } bind def/B { newpath 0 0 M 0 1 L 1 1 L 1 0 L closepath } bind def/CS { closepath stroke } bind def/S { /fixwidth exch def dup length /nchars exch def dup stringwidth pop fixwidth exch sub nchars div exch 0 exch ashow} def/bwproc { rgbproc dup length 3 idiv string 0 3 0 5 -1 roll { add 2 1 roll 1 sub dup 0 eq { pop 3 idiv 3 -1 roll dup 4 -1 roll dup 3 1 roll 5 -1 roll put 1 add 3 0 } { 2 1 roll } ifelse } forall pop pop pop} defsystemdict /colorimage known not { /colorimage { pop pop /rgbproc exch def { bwproc } image } def} if1 1 scale0 setlinewidth/drawtri {/y3 exch def/x3 exch def/y2 exch def/x2 exch def/y1 exch def/x1 exch def0 setgraynewpathx1 y1 movetox2 y2 linetox3 y3 linetoclosepathstroke} bind def/filltri {/y3 exch def/x3 exch def/y2 exch def/x2 exch def/y1 exch def/x1 exch defnewpathx1 y1 movetox2 y2 linetox3 y3 linetoclosepathfill} bind def/cliptri {/y3 exch def/x3 exch def/y2 exch def/x2 exch def/y1 exch def/x1 exch def0 setgraynewpathx1 y1 movetox2 y2 linetox3 y3 linetoclosepathclip} bind def/imgscanrgb {gsavetranslate/scandy exch def/scandx exch def/istr scandx 3 mul string defscandx scandy scalescandx scandy 8[scandx 0 0 scandy neg 0 scandy]{currentfile istr readhexstring pop}false 3colorimagegrestore} bind def/imgscanbw {gsavetranslate/scandy exch def/scandx exch def/istr scandx string defscandx scandy scalescandx scandy 8[scandx 0 0 scandy neg 0 scandy]{currentfile istr readhexstring pop}imagegrestore} bind def/showcaseisoencoding [/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/space /exclam /quotedbl /numbersign/dollar /percent /ampersand /quoteright/parenleft /parenright /asterisk /plus/comma /minus /period /slash/zero /one /two /three /four /five /six /seven/eight /nine /colon /semicolon/less /equal /greater /question/at /A /B /C /D /E /F /G/H /I /J /K /L /M /N /O/P /Q /R /S /T /U /V /W/X /Y /Z /bracketleft/backslash /bracketright /asciicircum /underscore/quoteleft /a /b /c /d /e /f /g/h /i /j /k /l /m /n /o/p /q /r /s /t /u /v /w/x /y /z /braceleft/bar /braceright /asciitilde /guilsinglright/fraction /florin /quotesingle /quotedblleft/guilsinglleft /fi /fl /endash/dagger /daggerdbl /bullet /quotesinglbase/quotedblbase /quotedblright /ellipsis /trademark/dotlessi /grave /acute /circumflex/tilde /macron /breve /dotaccent/dieresis /perthousand /ring /cedilla/Ydieresis /hungarumlaut /ogonek /caron/emdash /exclamdown /cent /sterling/currency /yen /brokenbar /section/dieresis /copyright /ordfeminine /guillemotleft/logicalnot /hyphen /registered /macron/degree /plusminus /twosuperior /threesuperior/acute /mu /paragraph /periodcentered/cedilla /onesuperior /ordmasculine /guillemotright/onequarter /onehalf /threequarters /questiondown/Agrave /Aacute /Acircumflex /Atilde/Adieresis /Aring /AE /Ccedilla/Egrave /Eacute /Ecircumflex /Edieresis/Igrave /Iacute /Icircumflex /Idieresis/Eth /Ntilde /Ograve /Oacute/Ocircumflex /Otilde /Odieresis /multiply/Oslash /Ugrave /Uacute /Ucircumflex/Udieresis /Yacute /Thorn /germandbls/agrave /aacute /acircumflex /atilde/adieresis /aring /ae /ccedilla/egrave /eacute /ecircumflex /edieresis/igrave /iacute /icircumflex /idieresis/eth /ntilde /ograve /oacute/ocircumflex /otilde /odieresis /divide/oslash /ugrave /uacute /ucircumflex/udieresis /yacute /thorn /ydieresis ] def/showcasedingbatencoding [/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef/.notdef /a1 /a2 /a202 /a3 /a4 /a5 /a119 /a118 /a117/a11 /a12 /a13 /a14 /a15 /a16 /a105 /a17 /a18 /a19/a20 /a21 /a22 /a23 /a24 /a25 /a26 /a27 /a28 /a6 /a7/a8 /a9 /a10 /a29/a30 /a31 /a32 /a33 /a34 /a35 /a36 /a37 /a38 /a39/a40 /a41 /a42 /a43 /a44 /a45 /a46 /a47 /a48 /a49/a50 /a51 /a52 /a53 /a54 /a55 /a56 /a57 /a58 /a59/a60 /a61 /a62 /a63 /a64 /a65 /a66 /a67 /a68 /a69/a70 /a71 /a72 /a73 /a74 /a203 /a75 /a204 /a76 /a77 /a78/a79 /a81 /a82 /a83 /a84 /a97 /a98 /a99 /a100 /.notdef/a205 /a85 /a206 /a86 /a87 /a88 /a89 /a90 /a91 /a92 /a93/a94 /a95 /a96/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef/.notdef /a101 /a102 /a103 /a104 /a106 /a107 /a108/a112 /a111 /a110 /a109/a120 /a121 /a122 /a123 /a124 /a125 /a126 /a127 /a128 /a129/a130 /a131 /a132 /a133 /a134 /a135 /a136 /a137 /a138 /a139/a140 /a141 /a142 /a143 /a144 /a145 /a146 /a147 /a148 /a149/a150 /a151 /a152 /a153 /a154 /a155 /a156 /a157 /a158 /a159/a160 /a161 /a163 /a164 /a196 /a165 /a192 /a166 /a167 /a168/a169 /a170 /a171 /a172 /a173 /a162 /a174 /a175 /a176 /a177/a178 /a179 /a193 /a180 /a199 /a181 /a200 /a182 /.notdef/a201 /a183 /a184 /a197 /a185 /a194 /a198 /a186 /a195 /a187/a188 /a189 /a190 /a191 /.notdef] def/Courier-Bold findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Courier-Bold-SHOWISO exch definefont pop/Helvetica-Bold findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Helvetica-Bold-SHOWISO exch definefont pop/Helvetica findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Helvetica-SHOWISO exch definefont pop/Helvetica-Oblique findfontdup length dict begin {1 index /FID ne {def} {pop pop} ifelse} forall /Encoding showcaseisoencoding def currentdictend/Helvetica-Oblique-SHOWISO exch definefont pop/newfont 10 dict defnewfont begin /FontType 3 def /FontMatrix [1 0 0 1 0 0] def /FontBBox [0 0 1 1] def /Encoding 256 array def 0 1 255 {Encoding exch /.notdef put} for /CharProcs 1 dict def CharProcs begin /.notdef {} defend /BuildChar { 1 0 0 0 1 1 setcachedevice exch begin Encoding exch get CharProcs exch get end exec } defend/PatternFont newfont definefont popgsave/saveit save defgsavegsave0 0 0 setrgbcolorgsave0 setlinejoin185.464 727.018 translate15.5241 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestoregsave0 setlinejoin102.536 703.982 translate-164.476 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath167.157 721.932 M120.843 709.068 Lstrokegrestoregsavegsavematrix currentmatrix[1 0 0 1 429.134 756.102] concatnewpath0 0 M 0 14 L 88.366 14 L 88.366 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath427.134 754.102 M 427.134 772.572 L 519.5 772.572 L 519.5 754.102 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 429.134 756.102] concat/Helvetica-Bold-SHOWISO findfont 14 scalefont setfont0 0 0 setrgbcolor0 2.47059 M (attacker.com) 86.366 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 31.5 756.103] concatnewpath0 0 M 0 14 L 68.906 14 L 68.906 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath29.5 754.103 M 29.5 772.573 L 102.406 772.573 L 102.406 754.103 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 31.5 756.103] concat/Helvetica-Bold-SHOWISO findfont 14 scalefont setfont0 0 0 setrgbcolor0 2.47059 M (victim.org) 66.906 Ssetmatrixgrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin255.5 726.75 translate180 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestoregsave0 setlinejoin446.5 726.75 translate0 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath274.5 726.75 M427.5 726.75 Lstrokegrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin255.5 677.25 translate180 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath274.5 677.25 M445.5 677.25 Lstrokegrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin446.5 613.28 translate0 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath256.5 613.28 M427.5 613.28 Lstrokegrestoregsavematrix currentmatrix[72 0 0 -22.5 184.5 738] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 189 720] concatnewpath0 0 M 0 12 L 27.332 12 L 27.332 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath187 718 M 187 734.4 L 218.332 734.4 L 218.332 718 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 189 720] concat/Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (DNS) 25.332 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -22.5 184.5 688.5] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 189 670.5] concatnewpath0 0 M 0 12 L 59.348 12 L 59.348 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath187 668.5 M 187 684.9 L 250.348 684.9 L 250.348 668.5 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 189 670.5] concat/Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (Web proxy) 57.348 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -22.5 445.5 738] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 450 720] concatnewpath0 0 M 0 12 L 27.332 12 L 27.332 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath448 718 M 448 734.4 L 479.332 734.4 L 479.332 718 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 450 720] concat/Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (DNS) 25.332 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -22.5 445.5 688.5] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 450 670.5] concatnewpath0 0 M 0 12 L 63.344 12 L 63.344 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath448 668.5 M 448 684.9 L 515.344 684.9 L 515.344 668.5 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 450 670.5] concat/Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (Web server) 61.344 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -36 184.5 624.53] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 186.333 594.53] concatnewpath0 0 M 0 24 L 68.672 24 L 68.672 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath184.333 592.53 M 184.333 620.93 L 257.005 620.93 L 257.005 592.53 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 186.333 594.53] concat1 14.4 M /Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor1 14.4 M (Trusted mail) 66.672 S16 2.4 M 16 2.4 M ( server) 36.672 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -22.5 445.5 624.53] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 450 606.53] concatnewpath0 0 M 0 12 L 60.668 12 L 60.668 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath448 604.53 M 448 620.93 L 512.668 620.93 L 512.668 604.53 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 450 606.53] concat/Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (Mail server) 58.668 Ssetmatrixgrestoregsavematrix currentmatrix[22.5 0 0 -185.618 288 774.147] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[0 -1 1 0 293.672 770.1] concatnewpath0 0 M 0 12 L 43.328 12 L 43.328 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath291.672 724.772 M 291.672 772.1 L 308.072 772.1 L 308.072 724.772 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[0 -1 1 0 293.672 770.1] concat/Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (Firewall) 41.328 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 323 731.102] concatnewpath0 0 M 0 12 L 93.38 12 L 93.38 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath321 729.102 M 321 745.502 L 418.38 745.502 L 418.38 729.102 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 323 731.102] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (hostname lookup) 91.38 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 323 681.602] concatnewpath0 0 M 0 12 L 34.688 12 L 34.688 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath321 679.602 M 321 696.002 L 359.688 696.002 L 359.688 679.602 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 323 681.602] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (applet) 32.688 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 323 617.631] concatnewpath0 0 M 0 12 L 86.696 12 L 86.696 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath321 615.631 M 321 632.031 L 411.696 632.031 L 411.696 615.631 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 323 617.631] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (information leak) 84.696 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -36 31.5 624.53] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 33.3333 594.53] concatnewpath0 0 M 0 24 L 68.012 24 L 68.012 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath31.3333 592.53 M 31.3333 620.93 L 103.345 620.93 L 103.345 592.53 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 33.3333 594.53] concat1 14.4 M /Helvetica-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor1 14.4 M (Internal mail) 66.012 S15.67 2.4 M 15.67 2.4 M ( server) 36.672 Ssetmatrixgrestoregsavematrix currentmatrix[72 0 0 -36 31.5 720] concatBsetmatrix0.96 0.96 0.96 setrgbcolorgsave fill grestore0 0 0 setrgbcolor1.000000 setlinewidthgsave stroke grestoregrestoregsavegsavematrix currentmatrix[1 0 0 1 53.162 703.5] concatnewpath0 0 M 0 12 L 28.676 12 L 28.676 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath51.162 701.5 M 51.162 717.9 L 83.838 717.9 L 83.838 701.5 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 53.162 703.5] concat1 2.4 M 1 2.4 M 1 2.4 M /Helvetica-Bold-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor1 2.4 M (User) 26.676 Ssetmatrixgrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin102.536 700.018 translate164.476 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath184.5 677.25 M120.843 694.932 Lstrokegrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin185.5 613.28 translate0 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath103.5 613.28 M166.5 613.28 Lstrokegrestoregsave0 0 0 setrgbcolorgsave0 setlinejoin45 624.118 translate-90 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestoregsave0 setlinejoin45 685 translate90 rotate1.1 1.1 scalenewpath 0 0 M -20 -5 L -20 5 L closepath fillgrestore1.000000 setlinewidthnewpath45 643.118 M45 666 Lstrokegrestoregsavegsavematrix currentmatrix[1 0 0 1 53.5882 628.922] concatnewpath0 0 M 0 24 L 78.704 24 L 78.704 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath51.5882 626.922 M 51.5882 655.322 L 134.292 655.322 L 134.292 626.922 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 53.5882 628.922] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 14.4 M (applet exploits) 76.704 S0 2.4 M (sendmail bug) 71.364 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 143 689.631] concatnewpath0 0 M 0 12 L 34.688 12 L 34.688 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath141 687.631 M 141 704.031 L 179.688 704.031 L 179.688 687.631 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 143 689.631] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (applet) 32.688 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 101.912 719.825] concatnewpath0 0 M 0 24 L 54.692 24 L 54.692 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath99.9118 717.825 M 99.9118 746.225 L 158.604 746.225 L 158.604 717.825 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 101.912 719.825] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 14.4 M (hostname) 52.692 S18.34 2.4 M 18.34 2.4 M (lookup) 35.352 Ssetmatrixgrestoregsavegsavematrix currentmatrix[1 0 0 1 50.156 685.602] concatnewpath0 0 M 0 12 L 34.688 12 L 34.688 0 Lclosepath setmatrix0 0 0 setrgbcolorgrestorenewpath48.156 683.602 M 48.156 700.002 L 86.844 700.002 L 86.844 683.602 Lclosepath clip newpath0 0 0 setrgbcolormatrix currentmatrix[1 0 0 1 50.156 685.602] concat/Helvetica-Oblique-SHOWISO findfont 12 scalefont setfont0 0 0 setrgbcolor0 2.4 M (applet) 32.688 Ssetmatrixgrestoregsave0 0 0 setrgbcolor0.500000 setlinewidth[4] 0 setdashnewpath32 699 M103.5 699 Lstrokegrestoregrestoreshowpagesaveit restoregrestore%%EndDocument @endspecial 0 2470 a(Figur)o(e)g(4:)k(DNS)c(subversion)h(of)f(Java:)j(an)d(applet)g(travels)f(fr)o(om)h Fk(attacker.com)dFn(to)k Fk(victim.org)d Fn(thr)o(ough)j(normal)0 2569y(channels.)42 b(The)26 b(applet)f(then)i(asks)f(to)h(connect)f(to)hFk(foo.attacker.com)p Fn(,)d(which)j(is)f(r)o(esolved)f(by)i(the)f(DNS)g(server)0 2669 y(for)21 b Fk(attacker.com)d Fn(to)j(be)g(mail)g(server)e(inside)j Fk(victim.org)c Fn(which)k(can)f(then)g(be)f(attacked.)0 2931 y(cr)o(eating)29 b(a)h(DNS)f(server)h(that)g(lies[4)o(].)53 b(In)30 b(particular)-6 b(,)31 b(it)f(may)g(claim)g(that)g(any)g(name)g(for)g(which)g(it)h(is)f(r)o(esponsible)0 3030y(has)d(any)f(given)h(set)f(of)h(addr)o(esses.)41 b(Using)27b(the)g(attacker)6 b('s)25 b(DNS)i(server)f(to)g(pr)o(ovide)g(a)g(pair)g(of)g(addr)o(esses)f Fm(\(machine-)0 3130 y(to-connect-to,)k(machine-applet-came-fr)o(om\))p Fn(,)d(the)k(applet)e(could)h(connect)h(to)f(any)g(desir)o(ed)f(machine)h(on)h(the)f(Internet.)03230 y(The)d(applet)f(could)g(even)h(encode)f(the)h(desir)o(ed)e(IP-addr)o(ess)g(pair)h(into)i(the)f(hostname)g(that)g(it)g(looks)g(up.)41 b(This)26 b(attack)0 3329 y(is)c(particularly)f(danger)o(ous)g(when)h(the)g(br)o(owser)g(is)g(r)o(unning)h(behind)f(a)f(\002r)o(ewall,)g(because)g(the)h(malicious)g(applet)f(can)03429 y(attack)h(any)h(machine)g(behind)g(the)h(\002r)o(ewall.)31b(At)23 b(this)g(point,)h(a)f(r)o(ogue)f(applet)h(can)f(exploit)i(a)e(whole)i(legion)g(of)f(known)0 3529 y(network)e(security)g(pr)o(oblems)g(to)g(br)o(eak)e(into)j(other)f(nearby)f(machines.)1253628 y(This)34 b(pr)o(oblem)g(was)g(postulated)g(independently)g(by)g(Steve)f(Gibbons[17])h(and)g(by)g(us.)66 b(T)-8 b(o)34b(demonstrate)g(this)0 3728 y(\003aw)-8 b(,)24 b(we)f(pr)o(oduced)f(an)h(applet)g(that)g(exploits)g(an)g(old)h Fk(sendmail)eFn(hole)h(to)h(r)o(un)g(arbitrary)d(Unix)j(commands)f(as)g(user)03827 y Fk(daemon)p Fn(.)125 3927 y(Sun)d(\(JDK)h(1.0.1\))d(and)j(Netscape)e(\(Navigator)h(2.01\))1821 3897 y Fl(8)18733927 y Fn(have)g(both)i(issued)f(patches)f(to)h(\002x)g(this)g(pr)o(oblem.)0 4153 y Fd(3.5.2)81 b(Buf)o(fer)21 b(Over\003ows)04311 y Fn(HotJava-Alpha)14 b(had)h(many)h(unchecked)gFk(sprintf\(\))e Fn(calls)i(that)f(used)h(stack-allocated)e(buf)o(fers.)23 b(Because)14 b Fk(sprintf\(\))0 4411 y Fn(does)25b(not)g(check)g(for)f(buf)o(fer)f(over\003ows,)k(an)d(attacker)f(could)i(overwrite)g(the)g(execution)f(stack,)i(ther)o(eby)d(transferring)04511 y(contr)o(ol)29 b(to)g(arbitrary)f(code.)49 b(Attackers)28b(have)g(exploited)h(the)g(same)f(bug)h(in)h(the)f(Unix)fFk(syslog\(\))g Fn(library)g(r)o(outine)0 4610 y(\(via)cFk(sendmail)p Fn(\))e(to)j(take)f(over)g(machines)h(fr)o(om)f(acr)o(oss)g(the)h(network[8)o(].)37 b(In)24 b(later)g(Java)f(r)o(eleases,)h(all)g(of)h(these)f(calls)0 4710 y(wer)o(e)f(\002xed)h(in)g(the)g(Java)f(r)o(untime.)36 b(However)-6 b(,)25 b(the)f(bytecode)f(disassembler)h(was)g(overlooked)g(all)g(the)g(way)g(thr)o(ough)0 4809y(the)g(JDK)g(1.0)e(r)o(elease.)33 b(Users)23 b(disassembling)i(Java)d(bytecode)h(using)i Fd(javap)d Fn(wer)o(e)h(at)g(risk)h(of)g(having)g(their)g(machines)0 4909 y(compr)o(omised)d(if)f(the)h(bytecode)g(had)f(very)g(long)i(method)f(names.)26 b(This)21 b(bug)g(was)g(\002xed)f(in)h(JDK)g(1.0.2.)p 0 4986 1560 4 v 90 5041 a Fj(8)120 5065y Fi(Netscape)14 b(solved)g(the)f(pr)o(oblem)h(by)f(storing)i(the)e(r)o(esults)h(of)h(all)g(DNS)f(name)g(lookups)h(internally)-7b(,)14 b(for)o(cing)h(a)f(given)f(hostname)g(to)h(map)g(to)g(exactly)05143 y(one)k(IP)h(addr)o(ess.)26 b(Netscape)19 b(Navigator)g(also)h(stor)o(es)e(the)g(applet)g(sour)o(ce)i(as)f(a)f(function)h(of)g(its)g(IP)g(addr)o(ess,)f(not)g(hostname.)26 b(This)18 b(solution)h(has)g(the)0 5222 y(added)i(pr)o(operty)h(that)g(it)g(pr)o(events)f(time-varying)h(DNS)h(attacks.)38 b(Pr)o(eviously)-7b(,)23 b(an)f(attacker)5 b('s)23 b(name)f(server)g(could)h(have)f(r)o(eturned)f(dif)o(fer)o(ent)h(IP)0 5301 y(addr)o(esses)16b(for)h(the)f(same)h(hostname)e(each)i(time)f(it)h(was)g(queried,)f(allowing)i(the)e(same)g(attacks)h(detailed)f(above.)19295589 y Fn(7)p eop%%Page: 8 88 7 bop 0 83 a Fd(3.5.3)81 b(Disclosing)20 b(Storage)f(Layout)0241 y Fn(Although)33 b(the)f(Java)e(language)i(does)g(not)g(allow)h(dir)o(ect)d(access)i(to)g(memory)h(thr)o(ough)f(pointers,)j(the)d(Java)f(library)0 341 y(allows)g(an)e(applet)h(to)g(learn)g(wher)o(e)f(in)h(memory)h(its)f(objects)h(ar)o(e)d(stor)o(ed.)53b(All)30 b(Java)e(objects)j(have)e(a)h Fk(hashCode\(\))0440 y Fn(method)25 b(which,)i(unless)e(overridden)f(by)h(the)g(pr)o(ogrammer)-6 b(,)24 b(casts)h(the)g(addr)o(ess)e(of)i(the)g(object's)g(internal)g(storage)g(to)0 540 y(an)i(integer)g(and)g(r)o(eturns)f(it.)45 b(While)28 b(this)g(does)f(not)h(dir)o(ectly)e(lead)g(to)i(a)e(security)h(br)o(each,)h(it)f(exposes)g(mor)o(e)g(internal)0640 y(state)20 b(than)h(necessary)-9 b(.)0 866 y Fd(3.5.4)81b(Public)19 b(Proxy)i(V)-9 b(ariables)0 1024 y Fn(An)22b(inter)o(esting)g(attack)f(on)h(HotJava-Alpha)f(is)h(that)g(an)f(attacker)g(can)g(change)h(the)g(br)o(owser)6 b('s)22b(HTTP)g(and)f(FTP)h(pr)o(oxy)0 1123 y(servers.)35 b(An)24b(attacker)f(can)h(establish)h(their)f(own)h(pr)o(oxy)f(server)f(as)h(a)g(man-in-the-middle.)35 b(As)24 b(long)h(as)f(the)g(client)h(is)01223 y(using)18 b(unencrypted)f(HTTP)h(and)e(FTP)i(pr)o(otocols,)g(we)f(can)g(both)h(watch)g(and)e(edit)h(all)h(traf)o(\002c)d(to)j(and)f(fr)o(om)g(the)g(HotJava-)0 1323 y(Alpha)g(br)o(owser)-6 b(.)24b(All)18 b(this)g(is)g(possible)h(simply)g(because)d(the)i(br)o(owser)g(state)f(was)h(stor)o(ed)f(in)h(public)g(variables)f(in)h(public)01422 y(classes.)44 b(While)27 b(this)h(attack)e(compr)o(omises)i(the)f(user)6 b('s)27 b(privacy)-9 b(,)28 b(its)f(implementation)h(is)f(trivial)g(\(see)f(\002gur)o(e)h(3\).)43 b(By)0 1522y(using)18 b(the)f(pr)o(operty)g(manager)6 b('s)17 bFk(put\(\))f Fn(method,)i(an)f(attackers)f(stor)o(es)i(a)e(desir)o(ed)g(pr)o(oxy)h(in)g(the)h(pr)o(operty)e(manager)6 b('s)01622 y(database.)35 b(If)24 b(the)g(attacker)f(can)h(then)h(entice)f(the)h(user)f(to)h(print)f(a)g(web)h(page,)f(these)g(settings)i(will)f(be)f(saved)f(to)i(disk,)0 1721 y(and)30 b(will)h(be)f(the)h(default)e(settings)j(the)e(next)h(time)g(the)f(user)g(starts)h(HotJava.)53b(If)31 b(the)f(variables)g(and)g(classes)g(wer)o(e)01821 y(private,)19 b(this)i(attack)f(would)h(fail.)k(Likewise,)20b(if)g(the)h(br)o(owser)f(wer)o(e)f(r)o(unning)j(behind)f(a)f(\002r)o(ewall)f(and)h(r)o(elied)f(on)i(pr)o(oxy)0 1920 y(servers)f(to)h(access)f(the)h(web,)g(this)g(attack)f(would)i(also)e(fail.)1252020 y(W)-8 b(e)20 b(note)g(that)g(the)g(same)g(variables)f(ar)o(e)fFk(public)h Fn(in)h(JDK,)g(although)h(they)f(ar)o(e)f(not)i(used.)k(This)20 b(code)g(is)g(not)h(part)e(of)0 2120 y(Navigator)h(or)h(Internet)g(Explor)o(er)-6 b(.)0 2362 y Fe(3.6)99 b(Inter)n(-Applet)24b(Security)0 2520 y Fn(Since)c(applets)h(can)f(persist)h(after)e(the)i(web)g(br)o(owser)f(leaves)g(the)h(page)f(which)h(contains)h(them,)f(it)g(becomes)g(important)0 2620 y(to)31 b(pr)o(otect)f(applets)g(fr)o(om)g(each)f(other)-6 b(.)55 b(Otherwise,)33 b(an)e(attacker)6b('s)29 b(applet)h(could)h(deliberately)e(sabotage)h(a)g(thir)o(d-)02720 y(party's)17 b(applet.)23 b(Mor)o(e)16 b(formally)-9b(,)17 b(the)g(Java)e(r)o(untime)j(should)g(maintain)f(non-interfer)o(ence[18)n(,)f(19)o(])h(between)f(unr)o(elated)0 2819y(applets.)45 b(In)27 b(many)h(envir)o(onments,)h(it)f(would)f(be)g(unacceptable)f(for)h(an)g(applet)g(to)h(even)f(learn)f(of)i(the)f(existence)g(of)0 2919 y(another)21 b(applet.)125 3019y(In)j(Netscape)g(Navigator)-6 b(,)25 b Fk(AppletContext.getApplets\(\))19 b Fn(is)25 b(car)o(eful)e(to)i(only)h(r)o(eturn)e(handles)g(to)i(applets)0 3118 y(on)16 b(the)g(same)g(web)g(page)f(as)g(the)h(caller)-6 b(.)23 b(However)-6 b(,)16b(an)g(applet)f(could)h(easily)g(get)f(a)h(handle)f(to)h(the)g(top-level)g Fk(ThreadGroup)0 3218 y Fn(and)j(then)h(enumerate)f(every)g(thr)o(ead)f(r)o(unning)j(in)f(the)f(system,)i(including)f(thr)o(eads)e(belonging)j(to)f(other)g(arbitrary)e(ap-)0 3317 y(plets.)52b(The)29 b(Java)g(r)o(untime)h(encodes)f(the)h(applet's)f(class)h(name)f(in)h(its)g(thr)o(ead)e(name,)k(so)e(a)f(r)o(ogue)g(applet)g(can)g(now)0 3417 y(learn)j(the)g(names)g(of)h(all)f(applets)f(r)o(unning)j(in)f(the)f(system.)60 b(In)33 b(addition,)i(an)d(applet)f(could)i(call)e(the)i Fk(stop\(\))e Fn(or)0 3517 y Fk(setPriority\(\))18b Fn(methods)j(on)g(thr)o(eads)f(in)h(other)g(applets.)j(The)dFk(SecurityManager)d Fn(only)j(checked)f(that)h(applets)03616 y(could)e(not)i(alter)d(the)i(state)f(of)g(system)h(thr)o(eads;)e(ther)o(e)h(wer)o(e)f(no)i(r)o(estraints)f(on)h(applets)f(altering)g(other)h(applet)e(thr)o(eads.)0 3716 y(Netscape)i(Navigator)g(4.0)g(pr)o(events)g(an)h(attacker)f(fr)o(om)g(seeing)h(thr)o(eads)f(belonging)i(to)g(applets)e(on)i(other)f(web)g(pages,)0 3816 y(in)29b(the)f(same)g(way)g(it)h(pr)o(otects)e(applets.)48 b(Internet)28b(Explor)o(er)f(allows)i(an)f(applet)f(to)i(see)f(those)h(thr)o(eads,)f(but)h(calls)f(to)0 3915 y Fk(stop\(\))20 b Fn(or)h Fk(setPriority\(\))d Fn(have)i(no)i(ef)o(fect.)125 4015 y(An)f(insidious)i(form)f(of)g(this)g(attack)f(involves)i(a)e(malicious)i(applet)e(that)h(lies)g(dormant)f(except)g(when)i(a)e(particular)0 4114 y(victim)d(applet)f(is)h(r)o(esident.)24 b(When)18 b(the)f(victim)h(applet)f(is)h(r)o(unning,)i(the)d(malicious)i(applet)d(randomly)i(mixes)g(degrada-)04214 y(tion)k(of)e(service)h(attacks)f(with)h(attacks)g(on)g(the)g(victim)g(applet's)g(thr)o(eads.)j(The)d(r)o(esult)f(is)i(that)e(the)h(user)g(sees)g(the)g(victim)0 4314 y(applet)f(as)h(slow)g(and)g(buggy)-9 b(.)0 4557 y Fe(3.7)99 b(Java)25 b(Language)g(Implementation)f(Failures)0 4715 y Fn(Unfortunately)-9 b(,)22 b(the)h(Java)e(language)h(and)f(the)i(bytecode)f(it)h(compiles)g(to)f(ar)o(e)f(not)i(as)f(secur)o(e)g(as)g(they)g(could)h(be.)30 b(Ther)o(e)0 4814 y(ar)o(e)24b(signi\002cant)i(dif)o(fer)o(ences)d(between)i(the)g(semantics)h(of)f(the)h(Java)d(language)i(and)g(the)g(semantics)h(of)f(the)h(bytecode.)04914 y(First,)f(we)g(discuss)f(David)g(Hopwood's)i(attack[24)n(])e(based)f(on)i(package)e(names.)36 b(Next,)25 b(we)f(pr)o(esent)g(our)h(attack)e(that)0 5013 y(r)o(uns)31 b(arbitrary)e(machine)i(code)f(after)g(compr)o(omising)i(the)e(type)h(system.)55 b(Several)29b(\003aws)i(in)g(the)g(type)f(system)h(ar)o(e)0 5113y(examined,)20 b(including)i(two)f(\002rst)g(noted)g(by)g(T)-8b(om)21 b(Car)o(gill.)1929 5589 y(8)p eop%%Page: 9 99 8 bop 0 83 a Fd(3.7.1)81 b(Illegal)19 b(Package)g(Names)0241 y Fn(Java)24 b(packages)g(ar)o(e)g(normally)h(named)gFk(java.io)p Fn(,)g Fk(java.net)p Fn(,)f(etc.)39 b(The)25b(language)g(pr)o(ohibits)g(\223.\224)38 b(fr)o(om)24b(being)i(the)0 341 y(\002rst)h(character)f(in)h(a)g(package)f(name.)44b(The)27 b(r)o(untime)g(system)h(r)o(eplaces)e(each)g(\223.\224)43b(with)28 b(a)f(\223/\224)f(to)h(map)g(the)g(package)0440 y(hierar)o(chy)17 b(onto)i(the)e(\002le)h(system)g(hierar)o(chy;)g(the)g(compiled)g(code)f(is)h(stor)o(ed)f(with)i(the)e(periods)h(r)o(eplaced)d(with)k(slashes.)0 540 y(David)d(Hopwood)i(found)e(that)h(if)f(the)h(\002rst)g(character)e(of)h(a)g(package)g(name)g(was)h(\223/\224,)f(the)h(Java)e(r)o(untime)i(system)g(would)0640 y(attempt)26 b(to)h(load)g(code)f(fr)o(om)g(an)h(absolute)f(path[24)o(],)h(since)g(absolute)g(pathnames)g(begin)g(with)g(a)f(\223/\224)g(character)f(on)0 739 y(Unix)d(or)h(W)-5b(indows.)31 b(Thus,)23 b(if)g(an)f(attacker)f(could)h(place)g(compiled)g(Java)f(in)i(any)f(\002le)h(on)g(the)f(victim's)h(system)g(\(either)0 839 y(thr)o(ough)h(a)f(shar)o(ed)f(\002le)h(system,)i(via)e(an)g(incoming)i(FTP)e(dir)o(ectory)-9 b(,)23 b(or)g(via)g(a)g(distributed)g(\002le)g(system)h(such)g(as)f(AFS\),)0938 y(the)k(attacker)6 b('s)26 b(code)h(would)g(be)g(tr)o(eated)e(as)h(tr)o(usted,)i(since)g(it)f(came)f(fr)o(om)h(the)g(local)g(\002le)g(system)g(rather)f(than)h(fr)o(om)0 1038 y(the)22 b(network.)31b(T)-7 b(r)o(usted)22 b(code)g(is)h(permitted)f(to)g(load)h(dynamic)f(link)h(libraries)f(\(DLLs,)g(written)h(in)f(C\))g(which)i(can)e(then)01138 y(ignor)o(e)f(the)g(Java)e(r)o(untime)j(and)e(dir)o(ectly)g(access)g(the)h(operating)g(system)g(with)h(the)f(full)f(privileges)h(of)g(the)g(user)-6 b(.)125 1237 y(This)24 b(attack)f(is)i(actually)e(mor)o(e)h(danger)o(ous)f(than)i(Hopwood)g(\002rst)f(r)o(ealized.)33b(Since)24 b(Netscape)f(Navigator)g(caches)0 1337 y(the)29b(data)e(it)i(r)o(eads)f(in)h(the)g(local)f(\002le)h(system,)j(Netscape)27 b(Navigator)6 b('s)29 b(cache)f(can)g(also)h(be)g(used)f(as)h(a)f(way)h(to)g(get)f(a)0 1437 y(\002le)f(into)g(the)g(local)f(\002le)h(system.)43 b(In)27 b(this)g(scenario,)h(a)e(normal)h(Java)e(applet)g(would)i(r)o(ead)e(\(as)h(data\))f(\002les)i(containing)01536 y(bytecode)16 b(and)f(DLL)h(code)g(fr)o(om)f(the)i(server)e(wher)o(e)g(the)h(applet)g(originated.)24 b(The)16 b(Java)e(r)o(untime)j(would)g(ask)f(Navigator)0 1636 y(to)23 b(r)o(etrieve)f(the)h(\002les;)h(Navigator)f(would)g(deposit)h(them)f(in)g(the)h(local)f(cache.)31b(As)23 b(long)h(as)f(the)g(applet)f(can)h(\002gur)o(e)g(out)01735 y(the)g(\002le)f(names)g(used)h(by)f(Navigator)g(in)h(its)f(cache,)g(it)h(can)f(execute)f(arbitrary)g(machine)i(code)f(without)i(even)e(needing)0 1835 y(prior)f(access)f(to)h(the)g(victim's)g(\002le)g(system.)0 2061 y Fd(3.7.2)81 b(Superclass)19 b(Constructors)02219 y Fn(The)26 b(Java)e(language[21)n(])i(r)o(equir)o(es)f(that)g(all)h(constr)o(uctors)h(call)e(either)h(another)g(constr)o(uctor)h(of)e(the)h(same)g(class,)h(or)e(a)0 2319 y(super)o(class)d(constr)o(uctor)i(as)e(their)h(\002rst)g(action.)32 b(The)22 b(system)i(classes)fFk(ClassLoader,)47 b(SecurityManager,)20 b Fn(and)0 2419y Fk(FileInputStream)h Fn(all)j(r)o(ely)f(on)h(this)h(behavior)e(for)h(their)g(security)-9 b(.)34 b(These)24 b(classes)g(have)f(constr)o(uctors)i(that)f(check)0 2518 y(if)h(they)h(ar)o(e)e(called)g(fr)o(om)h(an)g(applet,)g(and)g(thr)o(ow)h(a)f Fk(SecurityException)dFn(if)j(so.)39 b(Unfortunately)-9 b(,)26 b(while)g(the)f(Java)02618 y(language)20 b(pr)o(ohibits)h(the)g(following)i(code,)d(the)h(bytecode)f(veri\002er)g(r)o(eadily)g(accepted)f(its)i(bytecode)g(equivalent:)0 2784 y Fk(class)49 b(CL)g(extends)g(ClassLoader)f({)1992883 y(CL\(\))h({)399 2983 y(try)g({)g(super\(\);)g(})3993083 y(catch)f(\(Exception)g(e\))i({})199 3182 y(})03282 y(})0 3448 y Fn(This)16 b(allowed)g(an)g(attacker)e(to)i(build)g(\(partially)f(uninitialized\))g Fk(ClassLoader)p Fn(s,)gFk(SecurityManager)p Fn(s,)f(and)h Fk(FileInputStream)pFn(s.)0 3548 y Fk(ClassLoader)p Fn(s)i(ar)o(e)h(the)h(most)g(inter)o(esting)h(class)f(to)g(instantiate,)g(as)g(any)g(code)f(loaded)g(by)h(a)g Fk(ClassLoader)e Fn(asks)i(its)0 3647 y Fk(ClassLoader)eFn(to)h(r)o(esolve)g(any)h(classes)f(it)h(r)o(efer)o(ences.)k(This)c(is)g(contrary)f(to)h(the)g(documentation[22)o(])g(that)f(claims)h(the)0 3747 y(system)27 b(name)g(space)f(is)h(always)g(sear)o(ched)e(\002rst;)30 b(we)d(have)f(veri\002ed)g(this)h(dif)o(fer)o(ence)e(experimentally)-9 b(.)43 b(Fortunately)0 3847 y(for)29b(an)g(attacker)-6 b(,)29 b Fk(ClassLoader)p Fn(s)e(did)i(not)g(have)g(any)g(instance)g(variables,)g(and)g(the)g Fk(ClassLoader)eFn(constr)o(uctor)0 3946 y(only)d(needs)f(to)g(r)o(un)g(once,)h(to)f(initialize)g(a)f(variable)g(in)h(the)g(r)o(untime)h(system.)32b(This)24 b(happens)f(befor)o(e)e(any)i(applets)f(ar)o(e)04046 y(loaded.)i(Ther)o(efor)o(e,)18 b(this)h(attack)g(r)o(esulted)f(in)i(a)e(pr)o(operly)h(initialized)g Fk(ClassLoader)eFn(which)j(is)f(under)g(the)g(contr)o(ol)h(of)0 4145y(an)h(applet.)26 b(Since)21 b Fk(ClassLoader)p Fn(s)e(de\002ne)i(the)g(name)g(space)f(seen)i(by)f(other)g(Java)f(classes,)h(the)g(applet)f(can)h(constr)o(uct)0 4245 y(a)i(completely)i(customized)f(name)f(space.)34 b(A)24 b(\002x)g(for)f(this)i(pr)o(oblem)f(appear)o(ed)d(in)j(Netscape)f(Navigator)g(2.02,)g(which)0 4345 y(was)g(later)e(br)o(oken)i(\(see)f(Section)g(3.7.5\).)29 b(Netscape)22 b(Navigator)g(3.0)f(and)h(JDK)h(1.0.2)e(took)i(dif)o(fer)o(ent)e(appr)o(oaches)g(to)i(\002x)0 4444 y(this)e(pr)o(oblem.)125 4544 y(W)-8 b(e)23b(discover)o(ed)f(that)i(cr)o(eating)f(a)g Fk(ClassLoader)eFn(gives)j(an)f(attacker)f(the)i(ability)g(to)g(defeat)e(Java's)g(type)i(system.)0 4644 y(Assume)d(that)f(classes)g Fc(A)h Fn(and)fFc(B)25 b Fn(both)c(r)o(efer)e(to)i(a)f(class)g(named)gFc(C)6 b Fn(.)26 b(A)20 b Fk(ClassLoader)e Fn(could)j(r)o(esolve)fFc(A)h Fn(against)f(class)0 4743 y Fc(C)6 b Fn(,)25 b(and)eFc(B)29 b Fn(against)24 b(class)f Fc(C)916 4713 y Fb(0)9404743 y Fn(.)35 b(If)24 b(an)g(object)g(of)g(class)g Fc(C)30b Fn(is)25 b(allocated)e(in)h Fc(A)p Fn(,)h(and)f(then)g(is)h(passed)e(as)h(an)g(ar)o(gument)f(to)h(a)0 4843 y(method)i(of)gFc(B)t Fn(,)h(the)f(method)h(in)f Fc(B)k Fn(will)d(tr)o(eat)d(the)i(object)h(as)e(having)h(a)g(dif)o(fer)o(ent)e(type,)iFc(C)2976 4813 y Fb(0)3000 4843 y Fn(.)41 b(If)25 b(the)h(\002elds)g(of)g Fc(C)3674 4813 y Fb(0)3723 4843 y Fn(have)0 4942y(dif)o(fer)o(ent)f(types)j(\(e.g.,)f Fk(Object)f Fn(and)hFk(int)p Fn(\))g(or)g(dif)o(fer)o(ent)e(access)i(modi\002ers)h(\()pFk(public,)48 b(private,)g(protected)p Fn(\))0 5042 y(than)23b(those)h(of)g Fc(C)6 b Fn(,)24 b(then)f(Java's)g(type)g(safety)f(is)i(defeated.)31 b(This)24 b(allows)g(an)f(attacker)f(to)i(get)f(and)g(set)g(the)h(value)e(of)h Fm(any)0 5142 y Fn(non-)p Fk(static)cFn(variable,)g(and)g(call)g Fm(any)h Fn(method)g(\(including)g(native)g(methods\).)25 b(This)c(attack)e(also)h(allows)g(an)g(applet)f(to)05241 y(modify)24 b(the)g(class)f(hierar)o(chy)-9 b(,)23b(as)g(it)h(can)f(r)o(ead)f(and)h(write)h(variables)e(normally)i(only)h(visible)f(to)g(the)f(r)o(untime)i(system.)1929 5589y(9)p eop%%Page: 10 1010 9 bop 0 83 a Fn(Any)28 b(attack)e(which)j(allows)f(object)g(r)o(efer)o(ences)e(to)i(be)f(used)g(as)h(integers,)h(and)eFm(vice)g(versa)p Fn(,)j(leads)d(to)h(complete)g(pene-)0183 y(tration)c(of)g(Java)e(\(see)h(section)h(3.7.4\).)32b(Java's)23 b(bytecode)g(veri\002cation)h(and)f(class)h(r)o(esolution)g(mechanisms)h(ar)o(e)d(unable)0 282 y(to)h(detect)e(these)i(inconsistencies)h(because)d(Java)g(de\002nes)i(only)g(a)f(weak)g(corr)o(espondence)f(between)i(class)f(names)g(and)0 382 yFk(Class)e Fn(objects.)125 482 y(Netscape)27 b(Navigator)i(3.0)e(and)i(Micr)o(osoft)f(Internet)h(Explor)o(er)e(\002x)i(the)g(super)o(class)f(constr)o(uctor)i(issue)f(and)f(take)0 581 y(other)23b(measur)o(es)e(to)i(pr)o(event)f(applets)g(fr)o(om)g(instantiating)iFk(ClassLoader)p Fn(s.)29 b(JDK)22 b(1.1-Beta)e(initially)k(of)o(fer)o(ed)c(\223safe\224)0 681 y Fk(ClassLoader)p Fn(s)c(to)j(applets,)f(but)g(the)g(featur)o(e)e(was)i(withdrawn)h(fr)o(om)e(the)i(\002nal)f(r)o(elease)e(because)i(they)g(could,)h(in)f(fact,)0 780y(still)j(be)g(abused.)125 880 y(Fundamentally)-9 b(,)35b(the)e(job)g(of)f(a)g Fk(ClassLoader)f Fn(is)i(to)g(r)o(esolve)f(names)g(to)h(classes)g(as)f(part)g(of)h(Java's)e(dynamic)0980 y(linking.)53 b(Dynamic)30 b(linking)h(has)f(subtle)g(interactions)g(with)g(static)f(typechecking.)53 b(For)30 b(a)f(formal)g(analysis)h(of)f(this)0 1079 y(pr)o(ocess)20 b(and)h(some)g(necessary)f(conditions)j(for)d(corr)o(ectness,)g(see)h(Dean[1)-5b(1)n(])21 b(for)f(details.)0 1305 y Fd(3.7.3)81 b(Attacking)18b(the)i(SecurityManager)0 1463 y Fn(Unfortunately)-9b(,)16 b(a)f Fk(ClassLoader)f Fn(can)i(load)f(a)g(new)hFk(SecurityManager)d Fn(that)j(r)o(edeclar)o(es)d(the)jFk(SecurityManager)p Fn('s)0 1563 y(variables)21 b(as)hFk(public)p Fn(,)f(violating)i(the)f(r)o(equir)o(ement)g(that)g(r)o(efer)o(ence)e(monitors)j(be)f(tamperpr)o(oof.)29 b(Ther)o(e)21b(ar)o(e)g(four)h(in-)0 1663 y(ter)o(esting)16 b(variables)e(in)j(the)e(JDK)h Fk(AppletSecurity)e Fn(class:)22 b Fk(readACL,)49b(writeACL,)f(initACL,)14 b Fn(and)i Fk(networkMode)pFn(.)0 1762 y(The)k Fk(readACL)e Fn(and)i Fk(writeACL)eFn(variables)h(ar)o(e)f(lists)j(of)f(dir)o(ectories)f(and)g(\002les)i(that)e(applets)h(ar)o(e)e(allowed)i(to)g(r)o(ead)e(and)01862 y(write.)34 b(The)24 b Fk(initACL)e Fn(variable)g(tracks)h(whether)h(the)g(ACLs)f(have)g(been)g(initialized.)34b(The)24 b Fk(networkMode)d Fn(variable)0 1962 y(determines)h(what)g(hosts)i(applets)d(ar)o(e)g(allowed)h(to)h(make)f(network)h(connections)g(to.)31 b(By)22 b(setting)h(the)f Fk(networkMode)02061 y Fn(variable)k(to)h(allow)h(connections)h(anywher)o(e,)e(the)h(ACLs)e(to)i Fk(null)p Fn(,)f(and)g(the)g Fk(initACL)fFn(variable)g(to)i(tr)o(ue,)g(we)f(ef)o(fec-)0 2161 y(tively)21b(cir)o(cumvent)f(all)h(JDK)g(security)-9 b(.)125 2260y(Java's)32 b Fk(SecurityManager)p Fn(s)e(generally)j(base)g(their)g(access)g(contr)o(ol)h(decisions)g(on)g(whether)f(they)h(ar)o(e)e(being)0 2360 y(called)g(in)h(the)g(dynamic)g(scope)g(of)g(code)f(loaded)g(fr)o(om)g(the)h(network.)62 b(The)33 b(default)fFk(ClassLoader)f Fn(in)i(the)g(r)o(un-)0 2460 y(time)28b(system)g(only)g(knows)g(how)g(to)g(load)f(classes)g(fr)o(om)g(the)h(local)f(\002le)g(system,)j(and)d(appears)e(as)i(the)h(special)f(value)0 2559 y Fk(NULL)21 b Fn(to)h(the)g(r)o(untime)g(system.)29b(Any)21 b(other)h Fk(ClassLoader)e Fn(is)i(assumed)f(to)h(indicate)f(untr)o(usted)h(code.)28 b(However)-6 b(,)21 b(a)0 2659y Fk(ClassLoader)16 b Fn(can)h(pr)o(ovide)g(an)h(implementation)h(of)fFk(Class)f Fn(that)g(makes)h(certain)f(r)o(untime)i(system)g(data)d(str)o(uctur)o(es)0 2759 y(accessible)24 b(as)g Fk(int)pFn(s.)36 b(Setting)25 b(the)g Fk(ClassLoader)d Fn(\002eld)j(to)f(zer)o(o)g(causes)g(the)h(Java)e(r)o(untime)i(system)g(to)g(believe)f(that)02858 y(the)d(code)f(came)h(fr)o(om)f(the)h(local)g(\002le)f(system,)i(also)f(ef)o(fectively)e(bypassing)i(the)g Fk(SecurityManager)pFn(.)0 3084 y Fd(3.7.4)81 b(Running)19 b(Machine)g(Code)h(from)i(Java)03242 y Fn(Netscape)32 b(Navigator)g(2.0)f(pr)o(otected)g(itself)i(fr)o(om)f(the)h(attacks)f(described)f(above)h(with)i(additional)e(checks)h(in)g(the)0 3342 y(native)20 b(methods)g(which)h(implement)f(\002le)g(system)h(r)o(outines)f(that)g(applets)f(would)i(never)e(have)g(any)h(r)o(eason)f(to)i(invoke.)0 3442 y(However)-6 b(,)20b(the)h(type)g(system)g(violations)h(\(i.e.,)e(using)iFk(Object)p Fn(s)d(as)i Fk(int)p Fn(s)f(and)h Fm(vice)f(versa)pFn(\))h(make)f(it)h(possible,)h(but)e(non-)0 3541 y(trivial,)f(to)g(r)o(un)g(arbitrary)f(machine)h(code,)f(at)h(which)g(point)h(an)e(attacker)g(can)g(invoke)i(any)e(system)i(call)e(available)g(to)h(the)03641 y(user)j(r)o(unning)h(the)f(br)o(owser)f(without)i(r)o(estriction,)e(and)h(thus)g(has)g(completely)g(penetrated)e(all)i(security)f(pr)o(ovided)g(by)0 3741 y(Java.)125 3840y(While)29 b(Java)e(does)h(not)i(guarantee)d(a)h(memory)h(layout)g(for)g(objects[33)o(],)h(the)f(curr)o(ent)e(implementations)j(lay)f(out)03940 y(objects)d(in)g(the)g(obvious)g(way:)35 b(instance)26b(variables)e(ar)o(e)g(in)i(consecutive)g(memory)g(addr)o(esses,)f(and)g(packed)f(as)h(in)h(C.)0 4039 y(An)31 b(attacker)g(can)g(clearly)g(write)g(machine)h(code)f(into)i(integer)e(\002elds,)j(but)e(ther)o(e)e(ar)o(e)g(two)j(r)o(emaining)e(challenges:)0 4139 y(learning)25b(the)g(memory)h(addr)o(ess)e(of)h(our)g(code,)g(and)g(arranging)g(for)g(the)g(system)g(to)h(invoke)g(our)f(machine)g(code.)38b(All)0 4239 y(an)23 b(attacker)f(can)h(do)g(is)h(use)f(object)h(r)o(efer)o(ences)d(as)i(integers,)h(but)f(note)h(that)f(object)h(r)o(efer)o(ences)d(in)j(JDK)f(and)g(Netscape)0 4338 y(Navigator)f(ar)o(e)f(pointers)i(to)g(pointers)g(to)g(objects,)h(and)e(we)h(can)f(only)h(doubly)g(der)o(efer)o(ence)d(them.)32 b(Internet)22b(Explor)o(er)0 4438 y(uses)e(a)g(single)g(pointer)-6b(.)26 b(Below)-8 b(,)20 b(we)g(describe)f(how)i(Netscape)e(Navigator)h(can)f(be)h(attacked,)e(but)i(this)h(attack)e(has)h(been)04538 y(modi\002ed)h(to)g(work)g(with)h(Micr)o(osoft)e(Internet)h(Explor)o(er)f(as)g(well.)125 4637 y(Netscape)30 b(Navigator)6b('s)31 b(object)h(r)o(efer)o(ences)d(ar)o(e)h(pointers)i(to)f(a)g(str)o(uctur)o(e)g(which)h(contains)g(two)g(pointers:)48 b(one)04737 y(to)28 b(the)g(object's)g(private)f(data,)h(and)f(another)h(to)g(its)g(type)f(information.)48 b(Thus,)29 b(while)f(a)g(malicious)gFk(ClassLoader)0 4836 y Fn(allows)d(an)g(attacker)f(to)h(cast)f(object)h(r)o(efer)o(ences)e(to)i(integers)g(and)f(back,)h(the)g(attacker)f(can)g(only)i(doubly)f(der)o(efer)o(ence)0 4936 y(the)c(pointers.)26b(This)21 b(complicated)g(the)g(pr)o(ocess)f(of)h(learning)g(the)f(actual)g(machine)h(addr)o(ess)f(of)g(an)h(object's)g(data.)1255036 y(T)-8 b(o)19 b(solve)f(this)h(pr)o(oblem,)g(observe)f(that)gFk(Class)g Fn(objects,)h(i.e.,)f(instances)h(of)f(the)g(class)hFk(java.lang.Class)c Fn(ar)o(e)i(not)0 5135 y(implemented)27b(as)g(normal)g(Java)f(objects.)45 b Fk(Class)26 b Fn(has)h(no)g(Java-visible)f(variables,)h(but)g(its)g(internal)g(r)o(epr)o(esentation)0 5235 y(stor)o(es)k(dir)o(ect)g(pointers)h(to)g(data,)g(rather)f(than)h(the)f(usual)h(indir)o(ect)f(Java)f(r)o(efer)o(ences.)55 b(This)32 b(allows)g(an)f(attacker)g(to)0 5335 y(dir)o(ectly)24b(edit)g(the)h(method)g(table)f(to)h(point)g(to)g(our)g(own)h(machine)f(code.)36 b(The)25 b(only)h(r)o(emaining)e(pr)o(oblem)g(is)h(to)g(learn)1908 5589 y(10)p eop%%Page: 11 1111 10 bop 150 70 a Fk(lui)179 b(a0,)50 b(\(\(a+20\))e(div)h(65536\))299b(;)50 b(Most)f(significant)f(16)h(bits)g(of)h(string)e(pointer)150169 y(addi)129 b(a0,)50 b(a0,)f(\(\(a+20\))f(mod)i(65536\))99b(;)50 b(Least)f(significant)f(16)h(bits)g(of)h(string)e(pointer)150269 y(li)229 b(v0,)50 b(1010)996 b(;)50 b(System)f(call)g(number)f(for)i(unlink\(\))e(in)h(IRIX)g(5)150 369 y(syscall)150 468y(nop)150 568 y(.asciz)29 b("/tmp/JavaSafe.NOT")446 b(;)50b(File)f(to)g(delete)1122 834 y Fn(Figur)o(e)21 b(5:)k(MIPS)20b(assembly)h(code)f(to)h(delete)f(a)h(\002le.)0 1097y(the)f(code's)g(memory)g(addr)o(ess.)k(T)-8 b(o)20 b(do)g(this,)g(an)g(attacker)f(can)g(follow)i(a)e(chain)h(of)g(pointers)g(thr)o(ough)g(the)g(method)h(table)0 1197 y(and)f(back)g(to)h(the)gFk(Class)f Fn(str)o(uctur)o(e.)25 b(Because)20 b(the)g(chain)h(has)g(odd)f(length)i(and)e(two)h(steps)g(ar)o(e)f(taken)g(every)g(time,)h(the)0 1297 y(attacker)e(can)i(cycle)f(ar)o(ound)g(the)h(loop,)h(gaining)f(access)f(to)h(each)g(and)f(every)g(po