Java Applet Security Problems


1) Introduction:


For most people, their first exposure to the Java programming language was in late 1995, when Netscape Navigator began running applets, small Java programs that run within a World Wide Web browser.


At the time, this was a revolutionary development for the Web, because applets were the first interactive content that could be delivered as part of a Web page. Although you can do similar things with Macromedia Flash, Microsoft ActiveX, and other technologies today, Java remains an effective choice for Web-based programming.


Many claims have been made for the security of Java. A lot of these claims have been rather exaggerated, but underlying them is the fact that security was designed in at an early stage in the development of the language. Saying that Java has strong security is like challenging the world to find the holes in it, which is exactly what has happened. Some very clever (and very devious) people have been applying their brain-power to the problem of breaking down the Java defenses.


In this report I will give a view of how Java defends itself and then summarize the different ways in which it can be attacked.


2) Creating Applets:


þ How Applets and Applications Are Different


The difference between Java applets and applications lies in how they are run.


Applications are run by loading the application's main class file with a Java interpreter, such as the java tool in the Java 2 SDK.


Applets, on the other hand, are run on any browser that supports Java. This includes current versions of Netscape Navigator, Microsoft Internet Explorer, Opera, and Sun's HotJava browser.


For an applet to run, it must be included on a Web page using HTML tags, in the same way images and other elements are presented.


When a user with a Java-capable browser loads a Web page that includes an applet, the browser downloads the applet from a Web server and runs it on the Web user's own system using a Java interpreter.


Applets do not have a main() method that is automatically called to begin the program. Instead, there are several methods that are called at different points in the execution of an applet.


þ Including an Applet on a Web Page


After you create the class or classes that compose your applet and compile them into class files, you must create a Web page on which to place the applet.


Applets are placed on a page by using the <APPLET> tag, an HTML markup tag.


<applet code="Watch.class" height="50" width="345">
    This program requires a Java-enabled browser.
</applet>


3) The applet security


When the World Wide Web was composed of static HTML and GIF and JPEG graphics, there was little concern for the security of browsers. Later, Sun Microsystems popularized the applet, code that runs inside the Web browser. Such remote code raises serious security issues. Since its introduction in 1995, Java has become one of the most popular development platforms on the planet.


Java security is important to a number of distinct sets of people:


· Web users, including my 89-year-old grandmother, need to understand the risks of using a Java-enabled browser.


· Developers of Java code that lives and works on the Internet need to keep security in mind when they are writing programs.


· System administrators need to think carefully about how mobile code, including Java, impacts the security of the systems they run.


· Business people need to understand what Java security risks are so they can make informed business decisions based on fact and not fiction.


A. Applet Default Settings:


In general, applets loaded over the net are:


· Prevented from reading and writing files on the client file system.


· Prevented from making network connections except to the originating host (the computer that hosts the Web page that contains the applet).


· Prevented from starting other programs on the client.


· Prevented from loading libraries or defining native methods. If an applet could define native methods, that would give the applet direct access to the underlying computer.


There are other specific capabilities denied to applets loaded over the net, but most of the applet security policy is described by the four points above. Read on for the gory details.
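As an added example (not code from the original report), the following applet exercises each of the four default restrictions listed above and shows how the browser's SecurityManager surfaces a denial to the programmer: as a java.lang.SecurityException. It assumes a Java 8 era runtime with applet support (appletviewer or a Java-enabled browser of that time); the host example.net and the library name "probe" are placeholders.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.io.FileReader;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

/** Added example: probes the four default applet restrictions and reports each result. */
public class SandboxProbe extends Applet {
    /** One operation the sandbox may refuse; it may throw any checked exception. */
    interface Restricted { void run() throws Exception; }

    private final List<String> results = new ArrayList<>();

    /** Runs one restricted operation and records whether the SecurityManager blocked it. */
    void probe(String label, Restricted op) {
        try {
            op.run();
            results.add(label + ": ALLOWED");
        } catch (SecurityException e) {
            // The sandbox refused the call: the expected outcome for an untrusted applet.
            results.add(label + ": blocked by sandbox (" + e.getMessage() + ")");
        } catch (Exception | LinkageError e) {
            // Not a policy decision, e.g. the host was unreachable or the library does not exist.
            results.add(label + ": failed for another reason (" + e + ")");
        }
    }

    public void init() {
        String origin = getCodeBase().getHost();   // the host the applet was loaded from
        // 1. Client file system: reads and writes are denied.
        probe("read local file", () -> new FileReader("/etc/hosts").close());
        // 2. Network: only the originating host may be contacted.
        probe("connect back to origin " + origin, () -> new Socket(origin, 80).close());
        probe("connect to third-party host", () -> new Socket("example.net", 80).close()); // placeholder host
        // 3. Starting other programs on the client is denied.
        probe("start a process", () -> Runtime.getRuntime().exec("hostname"));
        // 4. Loading libraries (and thus defining native methods) is denied.
        probe("load native library", () -> System.loadLibrary("probe"));   // placeholder library name
    }

    public void paint(Graphics g) {
        int y = 15;
        for (String line : results) {
            g.drawString(line, 5, y);
            y += 15;
        }
    }
}
```

Run from a page on a Web server and every probe except the connection back to the originating host should report "blocked by sandbox"; run the same class as a trusted local application and the denials disappear, which is exactly the difference the default settings enforce.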


B. Java Security Mechanisms:


In HotJava-Alpha the access controls were done, and the beta