Java的安全特性分析及安全代码开发

Java语言是基于类型安全的类型语言，它通过Java语法和Java语义规定Java类型，并保证Java程序的安全性，从JDK1．0到JDK1．1再到从JDK1．2，Java的安全性不断得到加强和完善。然而，安全是相对的，要设计出安全性好的Java程序，就必须深入理解Java的安全特性和安全机制，文章分析了上述问题。     

Java动态类加载机制分析及其应用

Java 虚拟机(JVM)中的类加载机制可以在 Java 应用程序运行期间动态加载类文件, 而不影响其它功能模块的正常运行. 通过对 Java 类加载器的层次体系结构, 动态类加载机制原理、实现过程进行分析, 将Java动态类加载机制应用到高校网站管理平台的文件发布模块中, 使得设计好的静态网页和后台管理系统相关联, 通过自定义加载器来加载加密过的Java类文件. 这样以可插拔的方式快速的部署二级网站, 增强了网站管理平台的灵活性和可扩展性.     

Java安装与配置技巧

Java的核心是JDK（Java Development Kit）。JDK不仅包含了java的开发工具和基础类库,还包括了java的运行环境JRE（Java Runtime Environment）。目前使用的JDK的版本都是在JDK1．2版本之上的J2SDK（Java2 Software Development Kit）,而通常学生实验所使用的JDK是J2SE（Java2 Platform,Standard Edition）。本文在实践的基础以J2SE1．4．2版本为例详述了Java及相关软件的安装与配置技巧。     

Java应用程序的动态加载与字节码文件解密过程的讨论

通过对Java应用程序的执行过程和Java类加载器的加载机制的分析,探讨了如何在Java类的显示加载和通过自定义类加载器进行加载两种方式下,让一个Java应用程序通过动态加载并执行另一个Java应用程序的具体过程,并对之进行了深入的讨论。     

Java动态类加载机制研究及应用

为了在Java应用程序运行期间动态加载类文件,而不影响其它功能模块的正常运行,在Java虚拟机(JVM)机制上给出了Java动态类加载的实现方法。通过对Java类加载器的体系结构,动态类加载机制原理、实现过程和实现方法的分析,在网络教学环境下实现了一个基于C/S结构模式的动态的从数据库中获取Java源代码并编译运行的学生实验教学系统,并结合反射机制为Java作为动态语言提出一种应用的途径,充分展现了Java语言的灵活性、安全性,使它在代码安全保护和网络环境下有广阔应用前景。     

Java动态类加载分析

动态类加载是Java的一个重要功能,它支持Java在运行时安装程序组件。Java的动态加载具有惰性加载、用户自定义加载策略以及动态名字空间等新特征。本文详细讨论了Java的动态加载机制,研究了动态加载与Java平台安全性之间的关系,分析了针对类加载的典型攻击,讨论了形式化验证的方法和存在的相应问题,最后总结全文并指出进一步研究的方向。     

基于FJ的多版本类动态更新演算

针对面向对象软件在动态更新中遇到类型安全问题,定义了一个多版本类的动态更新演算(MCUFJ演算(multi-version class dynamic updamble calculus based on FJ calculus))来描述类动态更新.MCUFJ演算以FJ(featherweight Java)演算为核心,通过增加update操作表示类的动态更新,运用多版本技术使动态更新可以在保持新旧对象共存的情况下完成,讨论了类的数据域和方法进行增加、删除、修改以及类型变化对程序类型安全性的影响,并且指出MCUFJ上类型安全的动态更新需要满足的约束.定义了类的可动态更新限制,并且证明了在该条件下多版本类的动态更新在类型上的安全性.该演算可以用于指导Java语言和面向对象程序语言的类动态更新.     

Java动态类加载机制研究及应用

随着科学技术的快速发展,各种软件也在不断研发和完善当中,Java动态类加载机制就是在这种条件下产生的,因为其具备显著的优势,所以得到了广泛应用。Java动态类加载机制相对于其他同类型的技术来说能够最大程度减少对内存空间的占用量,而且可以随时下载所需要用到的功能,不会影响其他功能的使用。所以,加大对Java动态类加载机制的研究力度,使其应用到更多领域中成为当前相关研究人员最为重视的工作内容。为此笔者主要介绍了Java动态类加载机制的相关内容,希望能够使更多人进一步了解Java动态类加载机制。     

Java异常处理与自定义异常

Java程序运行期间发生的错误称为异常.异常产生后,应有相应的异常处理机制来捕获异常或抛出异常。JDK平台为我们提供了丰富和完整的异常类,通过它们来处理程序运行中的错误,防止错误对程序造成影响,确保程序能够安全运行。当这些异常类不能捕获实际应用中的异常时．就需要用户自定义异常。异常处理和用户自定义异常的正确与灵活运用：将有效地增强程序的交互性。增加程序的完整性。     

Java安全体系结构研究

从JDK1.0到JDK1.4,Java的安全体系结构不断演变发展,Java的安全性也在不断的得到加强。本文针对Java 2的安全体系结构框架,从保护域的概念入手,对许可权限、安全策略、访问控制机制、算法、类的装载以及安全管理等方面进行分析,并对现在Java安全体系结构存在的问题及未来的发展方向进行展望。     

Secure Java class loading

The class loading mechanism, central to Java, plays a key role in JDK 1.2 by enabling an improved security policy that is permission-based and extensible. The author concludes that JDK 1.2 has introduced a powerful and secure class loading mechanism. It not only enforces type safety and name space separation but also has a significant role in the new security architecture that supports fine grained, permission based access control. The new class loading mechanism's flexibility-through its delegation scheme and the rich set of class loader classes-gives Java applications and applets greater freedom to customize and specify how, when, and from where classes are loaded. Because the class loading mechanism is central to both the correctness and the security of the Java runtime system, we would like to model and define this mechanism, perhaps in a formal verification system. We can then obtain a formal specification and prove (or disprove) that the mechanism as currently designed is sufficient for security     

Formalization and Analysis of Class Loading in Java

Since Java security relies on the type-safety of the JVM, many formal approaches have been taken in order to prove the soundness of the JVM. This paper presents a new formalization of the JVM and proves its soundness. It is the first model to employ dynamic linking and bytecode verification to analyze the loading constraint scheme of Java2. The key concept required for proving the soundness of the new model is augmented value typing, which is defined from ordinary value typing combined with the loading constraint scheme. In proving the soundness of the model, it is shown that there are some problems inside the current reference implementation of the JVM with respect to our model. We also analyze the findClass scheme, newly introduced in Java2. The same analysis also shows why applets cannot exploit the type-spoofing vulnerability reported by Saraswat, which led to the introduction of the loading constraint scheme.     

A semantic model of confinement and Locality Theorem

Confinement is required in object-oriented programming in order to protect sensitive object references. Recently a range of confinement schemes have been proposed to achieve object encapsulation by defining static type systems, but unavoidably, with strong restrictions. On the other hand, no similarity in concepts makes assessing of these schemes a difficulty. We build in this paper a semantic model for confinement in μJava, a subset of sequential Java that offers most objectoriented features. This model has limited restriction for programs. From a semantic view, confinement is defined with respect to a given context that specifies partition of the object pool and confinement constraint among them. Moreover, we present the main Locality Theorem for checking well confinement of programs locally. By applying this Theorem, we have solved a security breach problem from Java JDK 1.1.1, and furthermore, proved the soundness of two widely used confinement schemes: confined types and ownership types.     

A semantic model of confinement and Locality theorem

Confinement is required in object-oriented programming in order to protect sensitive object references. Recently a range of confinement schemes have been proposed to achieve object encapsulation by defining static type systems, but unavoidably, with strong restrictions. On the other hand, no similarity in concepts makes assessing of these schemes a difficulty. We build in this paper a semantic model for confinement in μJava, a subset of sequential Java that offers most object-oriented features. This model has limited restriction for programs. From a semantic view, confinement is defined with respect to a given context that specifies partition of the object pool and confinement constraint among them. Moreover, we present the main Locality theorem for checking well confinement of programs locally. By applying this theorem, we have solved a security breach problem from Java JDK 1.1.1, and furthermore, proved the soundness of two widely used confinement schemes: confined types and ownership types.     

JDK6 HotSpot虚拟机在龙芯平台上的研究与移植

研究了JDK6 HotSpot虚拟机,主要分析了JDK6 HotSpot虚拟机的结构和运行机制。针对龙芯平台上的应用,研究了将JDK6 HotSpot虚拟机移植到龙芯处理器平台系统上的关键技术,给出了相应的移植方案。通过初步的移植,使得龙芯平台通过移植后的JDK6 HotSpot虚拟机能在console端支持Java运行环境。最后,分析了移植后的HotSpot虚拟机的性能瓶颈,并给出了优化的方法。     

Toward an understanding of bug fix patterns

Twenty-seven automatically extractable bug fix patterns are defined using the syntax components and context of the source code involved in bug fix changes. Bug fix patterns are extracted from the configuration management repositories of seven open source projects, all written in Java (Eclipse, Columba, JEdit, Scarab, ArgoUML, Lucene, and MegaMek). Defined bug fix patterns cover 45.7% to 63.3% of the total bug fix hunk pairs in these projects. The frequency of occurrence of each bug fix pattern is computed across all projects. The most common individual patterns are MC-DAP (method call with different actual parameter values) at 14.9–25.5%, IF-CC (change in if conditional) at 5.6–18.6%, and AS-CE (change of assignment expression) at 6.0–14.2%. A correlation analysis on the extracted pattern instances on the seven projects shows that six have very similar bug fix pattern frequencies. Analysis of if conditional bug fix sub-patterns shows a trend towards increasing conditional complexity in if conditional fixes. Analysis of five developers in the Eclipse projects shows overall consistency with project-level bug fix pattern frequencies, as well as distinct variations among developers in their rates of producing various bug patterns. Overall, data in the paper suggest that developers have difficulty with specific code situations at surprisingly consistent rates. There appear to be broad mechanisms causing the injection of bugs that are largely independent of the type of software being produced.

Internationalization support in Java

This article presents new technology in Java that gives developers the power to produce commercial-grade internationalized software. The Java environment, that is, the Java programming language, VirtualMachine, and Java Development Kit (JDK), provides a more elegant, robust, comprehensive scheme for creating global software than any other platform in widespread use today     

JavaAWT的结构概览与实现

主要介绍ＪＤＫ１．１上ＪａｖａＡＷＴ的一些有代表性非常关键的类以及这些类之间的相关系。     

融合信息检索和深度模型特征的软件缺陷定位方法

构建自动化的缺陷定位方法能够加快程序员利用缺陷报告定位到复杂软件系统缺陷代码的过程.早期相关研究人员将缺陷定位视为检索任务,通过分析缺陷报告和相关代码构造缺陷特征,并结合信息检索的方法实现缺陷定位.随着深度学习的发展,利用深度模型特征的缺陷定位方法也取得了一定效果.然而,由于深度模型训练的时间成本和耗费资源相对较高,现有基于深度模型的缺陷定位研究方法存在实验搜索空间和真实情况不符的情况.这些研究方法在测试时并没有将项目下的所有代码作为搜索空间,而仅仅搜索了与已有缺陷相关的代码, 例如DNNLOC方法,DeepLocator方法,DreamLoc方法.这种做法和现实中程序员进行缺陷定位的搜索场景是不一致的.致力于模拟缺陷定位的真实场景,本文提出了一种融合信息检索和深度模型特征的TosLoc方法进行缺陷定位.TosLoc方法首先通过信息检索的方式检索真实项目的所有源代码,确保已有特征的充分利用;再利用深度模型挖掘源代码和缺陷报告的语义,获取最终定位结果.通过两阶段的检索,TosLoc方法能够对单个项目的所有代码实现快速缺陷定位.通过在4个常用的真实Java项目上进行实验,本文提出的TosLoc方法能在检索速度和准确性上超越已有基准方法.和最优基准方法DreamLoc相比,TosLoc方法在消耗DreamLoc方法35%的检索时间下,平均MRR值比DreamLoc方法提高了2.5%,平均MAP值提高了6.0%.