Securing Java: Getting Down to Business with Mobile Code / Edition 2 available in Paperback
Information Security/Java

"This book is mandatory reading for every user and developer of Webware." -Peter G. Neumann, Moderator of the Risks Forum, from his review of the first edition

Securing Java

Java security is more important now than ever before. As Java matures and moves into the enterprise, security takes a more prominent role. But as Java evolves, its security issues and architectures get more complicated. Written by the world's leading experts on mobile code security, this updated and expanded edition of the groundbreaking guide to Java security includes lessons for Web users, developers, system administrators, and business decision-makers alike.

This book navigates the uncharted waters of mobile code security and arms the reader with the knowledge required for securing Java. It provides in-depth coverage of:
• The base Java security sandbox, made up of the Verifier, Class Loaders, and the Security Manager
• Code signing, stack inspection, and the new Java 2 security architecture
• The pros and cons of language-based enforcement models and trust models
• All known Java security holes and the attack applets that exploit them
• Techniques commonly used in malicious applets
• Twelve rules for developing more secure Java code, with explicit examples
• Hard questions to ask third-party Java security tools vendors
• Java Card security, smart card risks, and their impact on e-commerce security
On the companion Web site www.securingjava.com you'll find:
• The Java Security Hotlist: Over 100 categorized and annotated Java security-related Web links
• An e-mail list to keep subscribers abreast of breaking Java security news
• A complete electronic edition of this book
Product dimensions: 7.50 (w) x 9.27 (h) x 0.76 (d)
About the Author
GARY McGRAW is Vice President and Senior Research Scientist with Reliable Software Technologies and an international authority on Java security. Dr. McGraw is the author of over 50 peer-reviewed technical publications, consults with major e-commerce vendors including Visa, and is the principal investigator on several U.S. government research grants. EDWARD W. FELTEN is Professor of Computer Science at Princeton University where he leads the world-renowned Secure Internet Programming team. Professor Felten discovered many of Java's security holes and is actively involved in designing more secure approaches to mobile code.
Read an Excerpt
Chapter 4: Malicious Applets
Chapter 2, "The Base Java Security Model: The Original Applet Sandbox," and Chapter 3, "Beyond the Sandbox: Signed Code and Java 2," explain how Java 2's security system works. This chapter and the next explain how it doesn't. Unfortunately, it is entirely possible to (mis)use Java, especially in its applet form, as a vehicle for attacking systems. Language-based security controls like those found in Java make writing a hostile applet more difficult than it might be otherwise, but they don't make it impossible. (Recall that Java security stacks up favorably against competing mobile code systems like ActiveX, as we discussed in Chapter 1, "Mobile Code and Security: Why Java Security Is Important.") Applets that misbehave and do something that their users don't want to happen are called hostile applets.
There are two varieties of hostile applets: malicious applets and attack applets. The names of the two classes make it clear which is the more serious variety. Fortunately, attack applets are not commonly encountered on the Web; in fact, no attack applets have been seen to date in the wild (that is, outside the labs in which they were created). That's not to say that attack applets are not real. They are. Attack applets are real applets, written in everyday Java, that work against popular browsers such as the one you use. Attack applets have been created and extensively tested in the laboratory. (We return to the subject of attack applets in Chapter 5, "Attack Applets: Exploiting Holes in the Security Model.") There is, however, another more pervasive kind of hostile applet, not as serious a security concern, but still worthy of attention: the malicious applet.
Unlike their attack applet cousins, malicious applets have escaped the lab. Such realities make it necessary for all users of Java-enabled browsers (and their trusty system administrators) to be aware of Java security threats. Simply surfing over to a Web page containing a hostile applet allows it to invade your machine with its malicious code. This chapter explores many malicious applets, ranging from the merely annoying to the more seriously disturbing.
Near the beginning of Chapter 2, classes of potential Java threats were discussed. The four classes of attacks named were system modification attacks, invasion of privacy attacks, denial of service attacks, and antagonistic attacks. Java is a powerful enough language that, without security constraints placed on applets, it is possible to implement all four such classes of attacks. The Java security model was designed to thwart those threats perceived to be the greatest dangers.
Much ado has been made over Java security problems, and there have in fact been a number of serious flaws. We detail the truly serious problems in Chapter 5. Such problems result in intrusions that allow arbitrary system modification (effectively, unlimited access). An attack applet based on one of these strategies constitutes a cracker breaking into your machine.
It is true that the very serious attacks of the next chapter require an in-depth understanding of both Java and the Internet. It has been argued that we should feel fairly confident that few people will be able to exploit such esoteric vulnerabilities. That position is a dangerous one to take. One instance of a cracker discovering a novel attack applet will change such statements considerably. Once loose, attack applet information would quickly spread throughout the cracker community. Our job as security researchers is to find security holes and plug them before they are used by dishonest people. Security researchers also work to create such a secure model that holes are very rare. Fortunately, none of the serious attacks have shown up in the form of attack applets, although the possibility looms ominously.
Don't breathe a sigh of relief yet. Tampering with Java security does not always require wizardry. In fact, writing Java code to breach security can be easy. This chapter discusses some simple Java applets gone bad. Such applets are known on the Net as malicious applets. Entire collections are available for anyone interested to see, to adapt, and to use. See, for example:
- The Hostile Applets Home Page at www.rstcorp.com/hostile-applets
- DigiCrime at www.digicrime.com
- The Java Security Hotlist: Hostile Applets and Other Toys at www.rstcorp.com/javasecurity/applets.html
The best first defense against these sorts of applets is to learn about them.
What Is a Malicious Applet?
A malicious applet is any applet that attacks the local system of a Web surfer using one of the three less-serious classes of attacks discussed in Chapter 2. Malicious applets involve denial of service, invasion of privacy, and/or annoyance. Malicious applets are written by researchers, crackers, and Net miscreants to harass, annoy, and damage Java users. They can even seriously damage a Java user's machine. Any applet that performs an action against the will of the user who invoked it should be considered malicious.
It is important to emphasize again that use of the term Java user applies equally to Java developers and people surfing the Web with a Java-enabled browser. Using Java does not require any programming, or even possession of the JDK; it is enough to use a Java-enabled browser. Under this definition, most people who surf the Web with Java on are Java users.
Malicious applets exist on the Web today that do the following bad things:
- Forge mail from you to whomever the evil applet's author chooses, saying whatever they wish while masquerading as you
- Steal your CPU cycles to perform their own work while your legitimate processes languish
- Crash your local system by using all available system resources
These activities are both impressive and daunting, and we have only scratched the surface.
There are also malicious applets created simply to annoy. These applets go only a bit too far, lingering at the edge of respectability. These sorts of applets do things like play sound files continuously, set up threads that monitor your Web use, and display unwanted graphics on your screen....
Table of Contents
Mobile Code and Security: Why Java Security Is Important.
The Base Java Security Model: The Original Applet Sandbox.
Beyond the Sandbox: Signed Code and Java 2.
Malicious Applets: Avoiding a Common Nuisance.
Attack Applets: Exploiting Holes in the Security Model.
Securing Java: Improvements, Solutions, and Snake Oil.
Java Security Guidelines: Developing and Using Java More Securely.
Java Card Security: How Smart Cards and Java Mix.
The Future of Java Security: Challenges Facing Mobile Code.