Sources of Information about Java Security

This appendix contains information about Internet resources and interesting Java security sites. It is in two parts: the first covers companies involved in Java development, and the second covers sites maintained at educational establishments, including some interesting pages maintained by individual experts at those institutions.

The purpose of this appendix is to give you an insight into where we have obtained some of our information and to give you the opportunity to look at other resource sites, so that you can view Java security from different angles and keep on top of new developments via the Web.

Companies

There are many companies which maintain Java security sites; it would be an impossible task to list them all. For this reason we have decided to concentrate on the few companies who are at the cutting edge of the Java phenomenon.

JavaSoft

The main JavaSoft URL is:

http://www.javasoft.com

This is an excellent Web page and one to keep a regular check on, because it has many links to various topics related to Java. Many of these are not directly related to security but have a bearing on it, for example new versions of the JDK and standardization activity. There is also a page dedicated to security:

http://www.javasoft.com/security

This page contains many links to downloads and documentation for the latest JavaSoft Java security packages. The documents are well constructed and easy to follow; however, they assume a high level of knowledge from the reader. For example, the tool documentation takes the form of UNIX manual pages, which are not easy going if you are not a UNIX user.

This page also contains links to specification pages which describe various parts of the Java specifications, such as the Java Cryptography Architecture (JCA). The core of this is in three guides linked from the page: Security API Overview, Java Cryptography Architecture API Specification and Reference, and How to Integrate Your Cryptography Algorithms into Java Security (the guide for writing a cryptographic service provider, which is how new algorithm implementations are plugged into the JCA).

One especially interesting link is the JDK 1.1 Security Tutorial:

http://java.sun.com/docs/books/tutorial/security1.1/index.html

This tutorial claims: "You will learn the definitions of various cryptography terms, and see an overview of the Java Security API and its core classes. You will then learn how to produce 'digital signatures' for data, and how to verify the authenticity of such signatures." The author of the tutorial is Mary Dageforde.
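To show what the JCA material and the signature tutorial described above actually look like in code, here is an added example written for this appendix; it is not taken from the tutorial or from any JavaSoft page. It assumes a current JDK: the JDK 1.1 tutorial used the algorithm names "DSA" and "SHA/DSA", which today's JDKs register as "SHA1withDSA" and the stronger "SHA256withDSA" used here. The program generates a DSA key pair, signs a message, verifies it, then demonstrates that a tampered message and a corrupted signature both fail verification, and finally lists which installed providers supply the algorithm (the provider lookup is what the "How to Integrate Your Cryptography Algorithms" guide describes).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;

public class SignVerifyDemo {

    // JCA algorithm names. The key algorithm and the signature algorithm are
    // looked up separately; the JCA finds a provider for each by name.
    static final String KEY_ALG = "DSA";
    static final String SIG_ALG = "SHA256withDSA";

    static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KEY_ALG);
        kpg.initialize(2048);           // 2048-bit DSA parameters (JDK 8 and later)
        return kpg.generateKeyPair();
    }

    // Produce a DER-encoded signature over data with the private key.
    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    // Verify a signature with the public key. A malformed signature makes
    // verify() throw SignatureException rather than return false, so a
    // robust verifier treats that case as "not verified" too.
    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initVerify(pub);
        s.update(data);
        try {
            return s.verify(sig);
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair();

        // Constructed sample message for the demonstration.
        byte[] message = "Transfer 100 units to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), message);
        System.out.println("signature length (DER): " + sig.length + " bytes");
        System.out.println("original verifies:      " + verify(kp.getPublic(), message, sig));

        // Tamper with the message: change a single character.
        byte[] tampered = message.clone();
        tampered[9] = (byte) '9';       // "100" becomes "900"
        System.out.println("tampered verifies:      " + verify(kp.getPublic(), tampered, sig));

        // Corrupt the signature instead of the message.
        byte[] badSig = sig.clone();
        badSig[badSig.length - 1] ^= 0x01;
        System.out.println("corrupt sig verifies:   " + verify(kp.getPublic(), message, badSig));

        // Provider lookup: which installed providers implement this algorithm,
        // and which one the JCA actually chose (the first in priority order).
        Provider chosen = Signature.getInstance(SIG_ALG).getProvider();
        System.out.println(SIG_ALG + " served by provider: " + chosen.getName());
        Provider[] all = Security.getProviders("Signature." + SIG_ALG);
        for (Provider p : all) {
            System.out.println("  available from: " + p.getName() + " " + p.getVersionStr());
        }
    }
}
```

Compile and run with `javac SignVerifyDemo.java && java SignVerifyDemo`. The first verification prints true and the two tampering cases print false. If you need to pin a specific provider rather than accept the highest-priority one, use the two-argument form `Signature.getInstance(SIG_ALG, "SUN")`; this matters when a third-party provider has been registered ahead of the JDK's own, since the JCA will silently prefer it.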

The JavaSoft Security page contains a lot besides the items already mentioned, such as links to FAQs, white papers and other articles.

Finally, you may wish to refer to the JavaSoft archives. These archives date back to November 1996 and contain a massive amount of information about problems encountered in the development of the various Java tools since that time.

Sun

The Sun home page URL is:

http://www.sun.com

As the originator and prime mover behind Java, Sun naturally features Java in many parts of its site. For example, the Sun news highlights include many Java-related developments. The URL of the main page for specifically Java-related issues is:

http://www.sun.com/java

This page has links to a lot of Java-related topics and it also leads you back to the JavaSoft site.

Microsoft

The Microsoft home page URL is:

http://www.microsoft.com

Although late to join the Java fold, Microsoft now offers a range of products for developing and running applications written in Java.

The URL of the main page for Java-related issues is:

http://www.microsoft.com/java

This page has links to many Java-related topics such as news, issues and trends, technical information and the Microsoft SDK for Java. There are also many related topics which change frequently, such as information about bugs found in beta versions of products that can be downloaded from the Microsoft site.

The URL for the main page about Java security is:

http://www.microsoft.com/java/security

This page at first appears to be aimed at a user who knows little or nothing about Java security, but there are some very good links to more technical information. We found that a more effective way to get the required information from the Microsoft site was to use its internal search function. Searching for "Java security" produced more than 50 hits, although a number of them were for material that is only available to members of the Microsoft Developer Network (MSDN).

IBM

The IBM home page URL is:

http://www.ibm.com

There are many links from this page, including a fair proportion of Java-related pages. The URL of the main page for Java information is:

http://www.ibm.com/java

This page has a number of links to various pages but the easiest way to approach it is to link to the site index page:

http://www.ibm.com/Java/siteindex.html

This page lists all of the Java-related topics on this site in alphabetical order.

Reliable Software Technologies

Reliable Software Technologies (RST) performs research and consultancy in all aspects of the security, safety and testability of computer systems. They work closely with academics, in particular the Princeton Safe Internet Programming team (see below). Their home page is:

http://www.rstcorp.com

Universities

There are many universities which maintain Java sites and Java security sites; it would be an impossible task to list them all. For this reason we have decided to concentrate on the universities whose pages we found most useful and informative. There is also a brief list at the end of this section of some other Java sites which you may find interesting.

Princeton

Princeton University is a leading center for Java security research; its Safe Internet Programming (SIP) team has published several of the attack applets and the analysis referred to elsewhere in this book. The main Java security page is:

http://www.cs.princeton.edu/sip

This page contains a lot of information and links about Java security.

The purpose of the SIP project is to study the security of widely used Internet software, especially mobile code systems like Java, ActiveX and JavaScript. The team tries to understand how security breaks down and to develop technology that addresses the underlying causes of security problems, rather than patching individual bugs.

The Web site has the following sections: news, people, partners, research, publications, FAQ and a miscellaneous section. The publications section links to many of the team's papers on Java security.

Yale

There are a number of Java security sites at Yale, for example:

http://pantheon.yale.edu/~dff/java.html

This site is mainly a collection of links to various Java security sites.

Another Yale site worth visiting is:

http://daffy.cs.yale.edu/java/java_sec/java_sec.html

This site gives a good breakdown of Java security and some good guidelines for security measures to take.

Finally:

http://pantheon.yale.edu/help/programming/jdk1.1.1/docs/api

This is a local copy of the JDK 1.1.1 API documentation, which is handy for looking up the classes in the java.security package while reading the other material listed here.

Georgia Institute of Technology

This is the home of Mark LaDue, who has written a number of hostile applets illustrating the capacity for cycle-stealing and other denial-of-service attacks in Java (applets that consume CPU, memory or threads while staying within the sandbox). His page of increasingly vicious attack applets, which at the time of writing was also being mirrored by Reliable Software Technologies, is at:

http://www.math.gatech.edu/~mladue/HostileApplets.html

The second page of interest is:

http://voreg.cc.gatech.edu/gvu/user_surveys/survey-10-1996/graphs/author/Knowledge_Of_Java_Security.html

This page is one of the result graphs from the GVU WWW User Survey of October 1996, showing how much the survey's respondents (drawn from all over the world) know about Java security. Well worth a look.

Finally:

http://shannon.math.gatech.edu/~mladue/java_was_1.html

This page is Mark LaDue's report on how the gap between what the Java language allows and what JVM bytecode allows (bytecode need not have been produced by a Java compiler, so the verifier cannot rely on language-level guarantees) leads to some of the flaws in the Java virtual machine.

Others

The following pages are from other university sites which have some good information and links:

A page of information put together by Patricia Evans, a graduate student at the University of Victoria:

http://gulf.uvic.ca/~pevans/java.html

David Hopwood, a student at Oxford, discovered several of the Java flaws that led to attack applets. His page of bug reports has good information, though it is now aging:

http://ferret.lmh.ox.ac.uk/~david/java/bugs/public.html

A list of Java security resources provided by Steven H. Samorodin of the UC Davis Security lab:

http://seclab.cs.ucdavis.edu/~samorodi/java/javasec.html

The Java security entry in Gene Spafford's (Purdue University) computer security hotlist. The Java entry is a bit out of date, but the rest of the list is amazing:

http://www.cs.purdue.edu/homes/spaf/hotlists/csec-body.html#java00

A page at the University of Utah devoted to Java security. It includes pointers to talk slides and a few pointers to related Web sites:

http://www.cs.utah.edu/~gback/javasec

Compiling Functional Programs to Java Byte-Code, by Gary Meehan at the University of Warwick:

http://lite.ncstrl.org:3803/Dienst/UI/2.0/Describe/ncstrl.warwick_cs%2fCS-RR-334?abstract=

A research group at the University of Washington (the Kimera project) implementing a new Java security architecture based on factored components, for security, performance and scalability. See in particular their Security Flaws in Java page:

http://kimera.cs.washington.edu

University of Arizona's Sumatra Project, research on mobile code. See especially the Java Hall of Shame:

http://www.cs.arizona.edu/sumatra

JAWS (Java Applets With Safety) is an Australian National University project using theorem-proving technology to analyze safety and security properties of Java applets. Java down under:

http://cs.anu.edu.au/people/Tony.Dekker/JAWS.HTML