Security Features of Applets in JDK1.2


Shannon Newbold

Project Proposal

With the growing populatity of Java as a programming language to build applications and applets we need to analyze the security features of the language, especially when building applets. Java applets are downloaded by host computers via a web browser and executed. The java virtual machine creates a secure processes space for each applet to run in. This secure space is know as the "Java Sandbox." The applet is restricted to run within the sandbox and cannot go outside the "box" to access any of the resources on the host machine. From a security standpoint this, policy does not allow mallicious java applets wreak havoc on host machines. From the standpoint of a legitimate applet developer, this policy is much to restrictive.

As a solution to this problem, browser developers, such as Microsoft and Netscape are pushing for applets that can be granted capabilities, by the host user, to access resources on the host machine. With the release of Java1.2 Netscape has released a Capabilities API for java. Microsoft is working on there own version. In a sense this new API is giving applets the ability to play outside the "sandbox" created by the virtual machine.

The goal of this paper is to explore what Netscape and Microsoft are trying to accomplish with there new API's and are they violating Sun's Java security policy. Does this also open the door for new class of "applet" viruses.

Send email to

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 4/23/2000