
Java Security


Denial of service

May 10, 1996


Hostile Applet web pages have been compiled and published on the web. These are collections of Java applets that consume resources in rude or malicious ways, so that either all of your computer's CPU or memory is consumed, or you are tricked into thinking that a dangerous attack has been launched on your computer. These hostile applets are exercising what is known as a denial of service attack.

For example, one attack displayed from Ladue's Georgia Tech site is an applet that paints huge black windows on your screen, in such a way that you can't access other parts of the screen. The applet then displays a fake name/password dialog box, instructing you to enter your name and password in order to restart the browser securely. (This is a deliberate attempt to cull name/password pairs from people on the internet, and people should not enter their name/password.) Instead, one way to recover from this applet is to kill the browser running on your computer. On a unix system, one way to accomplish this is to remotely log into your computer from another computer on your local network, use "ps" to find the process ID of the hijacked browser, and issue "kill -9 PID" for that process ID.

Three sites that contain collections of denial-of-service applets are

Malicious or rude people might place hostile applets on web pages without labeling the web page as hostile, of course, and it's this realization that makes people nervous. The threat, or exposure, of visiting a page that contains hostile applets is that the applets might

We are actively investigating ways to better monitor and control resource consumption by applets. It is hard to automatically tell the difference between an MPEG decompressor and a hostile applet! However, there might be good ways to let both the browser and the user specify resource limits on downloaded applets. For example, the browser could enforce some automatic limits, and the user could selectively override the built-in limits. We recognize the importance of providing people with some mechanism to help them deal with hostile applets.

The problem of an applet interfering with the threads of execution of another applet is an implementation bug in the security check for thread access. The security policy for downloaded applets is that applets should not be able to access threads outside their own thread group.
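The thread-group policy stated above, as an added example that is not Sun's code and not the actual browser security check: an applet may reach only threads in its own thread group or in a subgroup of it, and the same rule applies when an applet names a thread group explicitly (for example when constructing a thread). The class and method names (AppletThreadIsolation, mayAccess, checkAccess, startIdle) are assumptions made for this illustration; the check itself rests on the standard ThreadGroup.parentOf method, which is true for the group itself and for all of its descendants.

```java
import java.util.concurrent.CountDownLatch;

// Added example: models the FAQ's thread-access policy outside of any real
// SecurityManager. Names below are assumptions made for this illustration.
public class AppletThreadIsolation {

    /** Policy: an applet may touch a thread only if it lives in the applet's own group or a subgroup. */
    static boolean mayAccess(ThreadGroup appletGroup, Thread target) {
        ThreadGroup targetGroup = target.getThreadGroup();
        if (targetGroup == null) {
            return false; // a terminated thread reports no group; refuse rather than guess
        }
        return appletGroup.parentOf(targetGroup); // true for appletGroup itself and its descendants
    }

    /** Same policy for operations that name a group directly (explicit-group Thread constructor, etc.). */
    static boolean mayAccess(ThreadGroup appletGroup, ThreadGroup target) {
        return appletGroup.parentOf(target);
    }

    /** Raises SecurityException when the policy denies access, as a security check would. */
    static void checkAccess(ThreadGroup appletGroup, Thread target) {
        if (!mayAccess(appletGroup, target)) {
            throw new SecurityException("applet group '" + appletGroup.getName()
                    + "' may not touch thread '" + target.getName() + "'");
        }
    }

    /** Starts a thread in the given group that idles until the latch is released. */
    static Thread startIdle(ThreadGroup group, String name, CountDownLatch release) {
        Thread t = new Thread(group, () -> {
            try {
                release.await();
            } catch (InterruptedException ignored) {
                // idle worker; nothing to clean up
            }
        }, name);
        t.start();
        return t;
    }

    public static void main(String[] args) throws InterruptedException {
        CountDownLatch release = new CountDownLatch(1);
        ThreadGroup appletA = new ThreadGroup("applet-A");
        ThreadGroup appletB = new ThreadGroup("applet-B");
        ThreadGroup browser = Thread.currentThread().getThreadGroup();

        Thread aWorker = startIdle(appletA, "A-worker", release);
        Thread aSub = startIdle(new ThreadGroup(appletA, "A-sub"), "A-sub-worker", release);
        Thread bWorker = startIdle(appletB, "B-worker", release);

        System.out.println("A -> own thread:     " + mayAccess(appletA, aWorker));               // true
        System.out.println("A -> own subgroup:   " + mayAccess(appletA, aSub));                  // true
        System.out.println("A -> B's thread:     " + mayAccess(appletA, bWorker));               // false
        System.out.println("A -> browser thread: " + mayAccess(appletA, Thread.currentThread())); // false
        System.out.println("A -> browser group:  " + mayAccess(appletA, browser));               // false

        try {
            // What applet A would have to pass before it could stop or suspend B's worker.
            checkAccess(appletA, bWorker);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        release.countDown();
        aWorker.join();
        aSub.join();
        bWorker.join();
    }
}
```

The subgroup case is the one worth noticing: an applet is free to create groups beneath its own, so a check that compares groups for equality rather than ancestry would wrongly deny the applet its own nested threads, while a check that only looks one level up would wrongly admit threads belonging to a sibling applet or to the browser itself.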


Frequently Asked Questions About Java Security


Copyright © 1996 Sun Microsystems, Inc., 2550 Garcia Ave., Mtn. View, CA 94043-1100 USA. All rights reserved.

Contact the Java developer community via the newsgroup comp.lang.java
or JavaSoft technical support via email to java@java.sun.com.

Send questions or comments about this web site to
webmaster@java.sun.com.

