Java is a new programming language from Sun Microsystems (currently in beta release). The Java language has a number of interesting properties. One property is that it is intended to be portable, even to the extent that programs can be dynamically loaded over the network and run locally. In particular, small programs called Applets can be loaded and run by a user's WWW browser while the user is "surfing" the Web (HotJava is such a browser written in Java, and Netscape 2.0 will support Java Applets). While this idea is very powerful, it is also an invitation to security problems. The Java language and runtime system (which includes libraries, the compiler, and the bytecode interpreter) attempt to address these security issues, with the result that Sun claims Java will be secure.
This paper evaluates the security issues raised by the Java language and its intended use in Java-enabled Web browsers, along with Java's proposed solutions. After a brief discussion of the background of executable content, the paper discusses the potential security risks of executable content, describes Java's proposed solutions, and finally analyzes the effectiveness of those solutions.