Secure Execution of Java Applets Using a Remote Playground
December 2000 (vol. 26 no. 12)
pp. 1197-1209

Abstract—Mobile code presents a number of threats to machines that execute it. We introduce an approach for protecting machines and the resources they hold from mobile code and describe a system based on our approach for protecting host machines from Java 1.1 applets. In our approach, each Java applet downloaded to the protected domain is rerouted to a dedicated machine (or set of machines), the playground, at which it is executed. Prior to execution, the applet is transformed to use the downloading user's web browser as a graphics terminal for its input and output and so the user has the illusion that the applet is running on her own machine. In reality, however, mobile code runs only in the sanitized environment of the playground, where user files cannot be mounted and from which only limited network connections are accepted by machines in the protected domain. Our playground thus provides a second level of defense against mobile code that circumvents language-based defenses. The paper presents the design and implementation of a playground for Java 1.1 applets and discusses extensions of it for other forms of mobile code, including Java 1.2.

Index Terms:
Java, mobile code, security, remote method invocation.
Dahlia Malkhi, Michael K. Reiter, "Secure Execution of Java Applets Using a Remote Playground," IEEE Transactions on Software Engineering, vol. 26, no. 12, pp. 1197-1209, Dec. 2000, doi:10.1109/32.888632