Java Security in Parallel Universes 1

We describe a gap in Java's security model that allows a pure Java library to infer information to which it should not have access. The security violation exploits two pieces of public information: 1. The stack trace: Every Java exception object contains a string representation of the stack trace that is usually used for debugging purposes. Access to this stack trace is public. 2. The class les: Every Java program (application or applet) is composed of class les. Access to the class les is usually public, e.g., they are sent over the network, and they have a standard format. By putting together these two pieces of information, a malicious Java library can sometimes construct a parallel universe in which Java security rules are not enforced. In particular , the parallel universe contains copies of private variables which can be accessed by any Java class. We explain the problem in the current security model, analyze the parallel universe attack, and discuss ways to provide better security assurance for Java. 1 This paper expands on a earlier technical report 11].