Title: Beginning Java Networking
ISBN: 1861005601
Price: $49.99 / £39.99 / C$74.95
© Wrox Press, Ltd.

Why Security?

Don't just trust any executable code – not even when it's coming from an apparently trustworthy source. This lesson was first learned the hard way with the famous Internet worm of November 3, 1988, which effectively shut down the net. A 23-year-old student, Robert Morris, had created a program that would propagate over the network, installing a copy of itself on every computer it met along the way. But the bit of code that was supposed to ensure that each machine only got a single copy of the worm didn't work, and thousands of Internet hosts ground to a halt as they became infested with hundreds of worms each. Administrators of clean machines axed their net connections to avoid infection, and for a few days the Internet ceased to exist.

Amazingly enough, this lesson is still being learned at great cost every day. Some of the most popular e-mail applications and word processors are perfectly happy to execute macros, scripts, and active controls without any user intervention. Such executable content can gain access to the most sensitive system services, such as the hard drive or the operating system. This is possible because what little security is in place appears to be an afterthought. More than a decade after the worm, its descendants thrive. The worm was, in fact, a fairly benign creature, which had run amok due to a programming error. Most of the current crop is spread by design, and some of them have been created to cause as much damage as possible.

The Internet worm actually spread through a vulnerability in the commonly-used sendmail mail transport program. Sendmail featured a handy facility allowing programmers to debug it over the net. For the worm, this turned out to be a handy facility allowing it to run just about anything on any mail host. Clearly, it pays to be very careful about the services provided by an Internet server. Sensitive services need to be carefully protected so that only authorized users can access them. Services must also be able to handle unexpected input so they cannot be subverted.

For example, one of the most common security holes in server software is insufficient protection of memory buffers. An unprotected buffer will overflow when the input is unexpectedly long, and overwrite other memory locations. Hackers have used such carelessness to break into the most tightly secured machines. This, too, is a lesson still being learnt daily.

New vulnerabilities are being discovered every week in some of the world's most popular server software. For up to date information and security bulletins, see the website of the Computer Emergency Response Team (CERT, http://www.cert.org).

Java Security

In Java, Sun has addressed security issues from the very start:

  • The Java language ensures that array access never goes out of bounds. Any attempt to access memory beyond the array boundaries results in an ArrayIndexOutOfBoundsException. This prevents buffer overflows and underflows.
  • The pointers and unions that lie at the root of so many bugs in C and C++ are not supported. Together with garbage collection, this prevents uncontrolled memory access.
  • Casts are always checked and throw a ClassCastException if illegal. That way, code can never get around security features by casting an object to an incompatible type.
  • Before Java bytecode (that is, a .class file) is loaded as a class, the virtual machine runs a bytecode verifier to ensure that the code is valid. This makes it impossible to construct invalid bytecode that could cause the JVM to behave in unexpected ways.
  • The language does not contain any low-level constructs that would allow direct hardware access. All access has to go through the Java libraries, with the sole exception of Java Native Interface (JNI) calls.
  • The libraries enforce security by blocking Java programs from accessing the system unless they are allowed to do so. Any attempt to perform a prohibited operation will cause a SecurityException to be thrown.
  • Finally, there is extensive support for cryptography. Cryptography is essential to data protection and authentication. We will return to it in Chapter 14.
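As an added illustration (not code from the book), the following Java program models the fixed-size request buffer from the buffer-overflow paragraph above and exercises the bounds and cast checks from the list: an over-long input throws at the array boundary and is rejected by the handler instead of corrupting neighbouring memory, and an untrusted Object cannot be cast to a String. The class, method names and inputs are hypothetical.

```java
import java.nio.charset.StandardCharsets;

// Added example, not from the book: a fixed-size request buffer of the kind a
// C server would use. Java's bounds check turns an over-long input into a
// catchable ArrayIndexOutOfBoundsException instead of overwriting memory.
public class BoundedBufferDemo {
    static final int MAX_REQUEST = 16;

    // Naive byte-by-byte copy into a fixed buffer. In C the same loop would
    // run past the end of the array and corrupt whatever follows it.
    static byte[] copyIntoFixedBuffer(byte[] input) {
        byte[] buffer = new byte[MAX_REQUEST];
        for (int i = 0; i < input.length; i++) {
            buffer[i] = input[i];   // throws when i reaches MAX_REQUEST
        }
        return buffer;
    }

    // A service handler that treats the exception as "reject this request",
    // so one bad client cannot take the server down.
    static String handle(String request) {
        byte[] raw = request.getBytes(StandardCharsets.US_ASCII);
        try {
            copyIntoFixedBuffer(raw);
            return "OK (" + raw.length + " bytes)";
        } catch (ArrayIndexOutOfBoundsException e) {
            return "REJECTED: request exceeds " + MAX_REQUEST + " bytes";
        }
    }

    // Checked cast: an untrusted Object cannot be reinterpreted as a String.
    static String describe(Object untrusted) {
        try {
            String s = (String) untrusted;   // ClassCastException if not a String
            return "string of length " + s.length();
        } catch (ClassCastException e) {
            return "not a string: " + untrusted.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one that fits, one that is deliberately too long.
        System.out.println(handle("GET /index"));
        System.out.println(handle("GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0"));
        System.out.println(describe("hello"));
        System.out.println(describe(Integer.valueOf(42)));
    }
}
```

Compile with `javac BoundedBufferDemo.java` and run with `java BoundedBufferDemo`; the second request is rejected at the sixteenth byte, and the server loop (here, main) carries on to the next call.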

These features make Java arguably the best language to implement Internet-secure applications, although it is important to remember that there may still be security bugs in the JVM implementation itself. If we want to safely use Java networking to connect to services on the net, or to implement services made available over the net, we need to be familiar with its security support. Broadly speaking, there are two types of Java programs. Applications need to be installed by the user before they can be used. An application is typically purchased or downloaded from a trusted source. It takes an explicit action to install and run it. Traditionally, the user implicitly trusts an application with full access to the machine; later in this chapter, we will see how Java 2 refines this by allowing the user to confer specific levels of trust using certificates.

Applets, on the other hand, are primarily Java programs embedded within web pages. They can be used to make a page more interactive, or to access a server resource such as a database without the delay associated with server-side processing. They execute automatically when you view the web page that contains the applet, unless Java is disabled on the user's browser. The user does not know whether a web page contains an applet and if the applet can be trusted. Like executable content within an e-mail, an applet should be treated as if it contained malicious code.

The basic Java security model directly reflects this fundamental difference between applications and applets. Applications get full access to all system resources, while applets run in a protected environment known as a sandbox.
