David Wheeler, Adam Conyers, Jane Luo, Alex Xiong
The Java (TM) Virtual Machine is being used more frequently as the basic engine behind dynamic web services. With the proliferation of attacks on these network resources, much work has been done to provide security for the network environment. Continuing work on firewalls, intrusion detection, and even access control has provided numerous insights and capabilities for protecting web resources. Java itself has received much attention in the security arena, and the Java 2(TM) Architecture has made considerable inroads into providing security services. However, this research has operated under the assumption that attacks occur only through the network, and not through direct access to the web server via a valid login. Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine. This paper describes specific security extensions developed for a Java Virtual Machine that provide assurance of correct system operation and integrity even in the presence of successful attacks on the underlying operating system.
Keywords: java, java security, security policy, bootstrap, bootstrap JVM, java vulnerabilities, copy protection, secure class file format, malicious code protection