14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


Controlling Applets' Behavior in a Browser

Vesna Hassler, Oliver Then
Information Systems Institute
Technical University of Vienna
Argentinierstrasse 8/3rd floor, 1040 Vienna, Austria

In this paper we discuss methods of protecting Java-enabled Web browsers against malicious applets. Attacks by malicious applets include denial of service, invasion of privacy and annoyance. Since system modification by applets is generally impossible because of the Java security concept, denial of service is of major concern. Invasion of privacy may be caused by applets staying resident in the browser and collecting information about a user. Annoyance may, for example, be caused by advertisement applets that constantly appear on a Web site frequently visited by the user. A general solution to confront such attacks is to have some mechanism within the browser to monitor applets' activities. This mechanism should enable manual or automatic stopping of malicious applets. To illustrate it, we present a special applet, called AppletGuard, that allows the user to observe and control the applets in the browser and, based on an applet's properties, stop or suspend the applet, or just warn the user that something dangerous might be going on.