Abadi, M., Burrows, M., Lampson, B., and Plotkin, G. (1993) A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 15(4):706-734, September 1993.
Anderson, R. and Kuhn, M. (1996) Tamper resistance - a cautionary note. In The Second USENIX Workshop on Electronic Commerce Proceedings, pages 1-11. Also available on the Web at http://www.cl.cam.ac.uk/users/cm213/Publications/tamper.html.
Badger, L. and Kohli, M. (1995) Java: Holds great potential - but also security concerns. Data Security Letter, 3:12-15. The Data Security Letter (DSL) is published by Trusted Information Systems (TIS).
Boneh, D., DeMillo, A., and Lipton, R. (1997) On the Importance of checking cryptographic protocols for faults. In W. Fumy (ed) Advances in Cryptology - Eurocrypt '97, Volume 1233 of Lecture Notes in Computer Science, pages 37-51, Springer-Verlag. Also available on the Web at http://theory.stanford.edu/~dabo/papers/faults.ps.gz.
CERT (1996a) CA-96.05: Java applet security manager. See URL http://www.cert.org/advisories/index.html.
CERT (1996b) CA-96.07: Java Security bytecode verifier. See URL http://www.cert.org/advisories/index.html.
Daconta, M. (1996) Java for C++ Programmers. John Wiley & Sons, New York.
Dean, D., Felten, E., and Wallach, D. (1996) Java Security: From Hotjava to Netscape and beyond. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, Oakland, CA.
Dean, D. (1998) Formal Aspects of Mobile Code Security. Ph.D. dissertation, Department of Computer Science, Princeton University.
Drossopoulou, S. and Eisenbach, S. (1998) Towards an Operational Semantics and Proof of Type Soundness for Java. A technical paper to be included in an as yet unnamed book. Available on the Web on-line at http://outoften.doc.ic.ac.uk/projects/slurp/papers.html.
Erdos, M., Hartman, B., and Mueller, M. (1996) Security Reference Model for the Java Developer's Kit 1.0.2. Available from Sun Microsystems and also as a Web document on-line at http://www.javasoft.com/security/SRM.html.
Felleisen, M. and Friedman, D. (1998) A Little Java, A Few Patterns. MIT Press, Cambridge, MA.
Felten, E., Balfanz, D., Dean, D., and Wallach, D. (1997) Web Spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD. An early version appeared as technical report 540-96 (revised), Department of Computer Science, Princeton University.
Flanagan, D. (1997) Java in a Nutshell, second edition. O'Reilly & Associates, Sebastopol, CA.
Flanagan, D. (1997) Java Examples in a Nutshell. O'Reilly & Associates, Sebastopol, CA.
Friedman, D., Wand, M., and Haynes, C. (1992) Essentials of Programming Languages. MIT Press/McGraw-Hill, Cambridge, MA.
Garfinkel, S. and Spafford, G. (1996) Practical Unix & Internet Security, second edition. O'Reilly & Associates, Sebastopol, CA.
Ghosh, A. (1998) E-Commerce Security: Weak Links, Best Defenses. John Wiley & Sons, New York.
Gong, L., Mueller, M., Prafullchandra, H., and Schemers, R. (1997) Going Beyond the Sandbox: An overview of the new security architecture in the Java Development Kit 1.2. In Proceedings of the USENIX Symposium on Internet Technologies and Systems. Monterey, CA.
Gong, L. and Schemers, R. (1998) Implementing Protection Domains in the Java Development Kit 1.2. In Proceedings of the Internet Society Symposium on Network and Distributed System Security, San Diego, CA.
Hastings, R. and Joyce, B. (1992) Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, ACM Press.
Horstmann, C. and Cornell, G. (1997) Core Java Volume I--Fundamentals. SunSoft Press, Mountain View, CA.
Hughes, L.J. (1995) Actually Useful Internet Security Techniques. New Riders, Indianapolis.
Hughes, M., Shoffner, M., and Winslow, M. (1997) Java Network Programming. Manning.
ISO7816 (1987) International Standards Organization, International Standard ISO 7816-1 through 7816-6 "Identification cards - Integrated circuit(s) cards with contacts". Available through ISO, New York.
LaDue, M. (1996) Java Security: Whose business is it? Published by Online Business Consultants and available as a Web document on-line at http://www.rstcorp.com/hostile-applets/OBCArticle/Article.html.
Lewis, T. (1996) What's wrong with Java? IEEE Software, 29(6):8. Lewis's letter to the editor was in response to Java criticism originally printed by him in The NC phenomena: Scenes from your living room, IEEE Software, 29(6):8-10.
Lewis, T. (1998) Java Holy War '98. IEEE Computer, 31(3):126-128.
Macgregor, R., Durbin, D., Owlett, J., and Yeomans, A. (1998) Java Network Security. Prentice Hall, Saddle River, NJ.
Martin, D., Rajagopalan, S., and Rubin, A. (1997) Blocking Java Applets at the Firewall. Proceedings of the 1997 Network and Distributed System Security Symposium. San Diego, March 1997. Also available on the Web at http://www.cs.bu.edu/techreports/96-026-java-firewalls.ps.Z.
McGraw, G. and Felten, E. (1996) Java Security: Hostile Applets, Holes, and Antidotes. John Wiley & Sons, New York. (The first edition of this book.)
McGraw, G. (1998) Testing for security during development: why we should scrap penetrate and patch. IEEE Aerospace and Electronic Systems, 13(4):13-15, April 1998.
Neumann, P. (1995) Computer Related Risks. Addison-Wesley, Reading, MA.
Oaks, S. (1998) Java Security. O'Reilly & Associates, Sebastopol, CA.
Rubin, A., Geer, D., and Ranum, M. (1997) The Web Security Sourcebook. John Wiley & Sons, New York.
Schneier, B. (1995) Applied Cryptography: Protocols, Algorithms, and Source Code in C, second edition. John Wiley & Sons, New York.
Shimomura, T. and Markoff, J. (1996) Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - By the Man Who Did It. Hyperion, New York.
Spafford, E. (1989) The Internet worm program: An analysis. Computer Communications Review, 19(1):17-57.
Stata, R. and Abadi, M. (1998) A type system for Java bytecode subroutines. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages, pages 149-160, January 1998.
Sun Microsystems (1995) The Java language: An Overview. Available from Sun and also as a Web document on-line at http://java.sun.com/docs/overviews/java/java-overview-1.html.
Sun Microsystems (1996b) The Java Virtual Machine specification. Web document at URL http://www.javasoft.com/docs/books/vmspec/html/VMSpecTOC.doc.html. Available as a book by Lindholm and Yellin from Addison-Wesley.
Sun Microsystems (1996c) Low-level security in Java. Web document at URL http://www.javasoft.com/sfaq/verifier.html/ by Frank Yellin.
Sun Microsystems (1997) Java card 2.0 programming concepts revision 1.0 final. Web document at URL http://www.javasoft.com/products/javacard/index.html.
Venners, B. (1998) Inside the Java Virtual Machine. McGraw-Hill, New York.
Voas, J. and McGraw, G. (1998) Software Fault Injection: Inoculating Programs Against Errors. John Wiley & Sons, New York. See the Web site at http://www.rstcorp.com/books/sfi/.
Wallach, D., Balfanz, D., Dean, D., and Felten, E. (1997) Extensible Security Architectures for Java. In Proceedings of the 16th Symposium on Operating Systems Principles (Saint-Malo, France), October, 1997.
Wallach, D. and Felten, E. (1998) Understanding Java Stack Inspection. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, CA.
Wallach, D. (1998) A New Approach to Mobile Code Security. Ph.D. dissertation, Department of Computer Science, Princeton University.
Young, Boebert, and Kain (1985) Article in an IEEE Tutorial on Computer Network Security. IEEE Press.
All of the following links can be found on a page of the companion Web site for this book at www.securingjava.com.
Java Developer's Kit (JDK) available free from Javasoft. Also other official Java information.
developer.com, an on-line publication for Java developers.
JavaWorld, an on-line publication for Java enthusiasts and developers.
MindQ, an on-line training company specializing in Java.
Yahoo! An excellent starting point for Web surfing. A large Web index.
AltaVista. One of the top search engines on the Web.
Princeton's Secure Internet Programming Team. Includes the Java Security FAQ.
The Java Books list. An extensive list of all books published about Java (way too many).
The Java Security Web Site. This book's companion Web site. Includes the Java Security Hotlist.
Ahpah Software makes the SourceAgain decompiler.
The Java Security Web Site, companion Web site for this book.
Major Malfunction and Ben Laurie explain the security holes they discovered.
Type safety problems discovered in Sun's Verifier by the Kimera Project.
Ahpah Software sells the SourceAgain Java Decompiler.
Javasoft: Java Card Technology; specifications for Card Java can be found here.
Copyright ©1999 Gary McGraw and Edward Felten.