Abstract
JAVA is claimed to be a system programming language with a number of advantages over traditional programming languages. These advantages stem from the fact that it is a platform-independent language, thus promising truly network-oriented computing as well as a nearly universal system for distributing applications. On the other hand, although it is an interpreted, much simpler scripting language, Safe-Tcl was proposed as an executable content type of MIME and thus as the standard language for executable content within email. Consequently, both languages claim to be suitable for transmitting executable content over the Internet, in other words for manipulating mobile code. However, the ability to download, integrate, and execute code from a remote computer raises serious concerns about JAVA's as well as Safe-Tcl's effect on network security. In this paper, the potential security risks of mobile code are discussed, a brief introduction to both programming languages is given, and the details of each of the proposed security mechanisms are presented. Finally, a comparison of the two security models is given, centered upon the efficiency and flexibility of current implementations as well as upcoming extensions.
Index Terms
- Security issues surrounding programming languages for mobile code: JAVA vs. Safe-Tcl