Security Issues and Java's Model
- A sound security policy is needed because there are untrusted applets on the Web
- Applets must be allowed to pass through a firewall, increasing the vulnerability of an Intranet
- But there's a tradeoff in cost vs. security:
  - How valuable are the assets being protected?
  - What is the cost of protecting them?
Security Metrics
- Effectiveness
- Cost efficiency
- Usability (users ignore hard-to-follow policies)
Security Fallacies
- You can eliminate all risks and vulnerabilities
- Piecemeal security works
  - Arises in corporations when different departments are responsible for different aspects of security
  - Securing small pieces of a computer or network won't make the system as a whole secure
  - Example at Virginia Tech: the Computing Center tries to make its systems secure, but a user in another dept. that uses .rhosts defeats that security.
- Steel doors and grass huts
  - A flaw in a new technology prompts the owner to exert great effort to patch the security hole.
  - But does the hole exist in other systems being used?
Java's Approach
- Sandbox Model:
  - Subset of the user's computer resources dedicated to running an applet
  - Applet is allowed to do anything within its sandbox
  - Boundaries of the sandbox defined by:
    - Language Features (e.g., avoids pointer abuse)
    - ClassLoader (First link in the security chain -- enforces name space)
    - Bytecode Verification (Second link -- checks conformance to the Java language spec)
    - SecurityManager (when an applet performs a potentially dangerous operation [e.g., write a file], decides whether it's ok)
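As an added example that is not part of the original slides, the following Java program shows the last sandbox boundary in action: a SecurityManager whose checkWrite hook decides whether a file write is ok. The policy (writes allowed only below one sandbox directory), the class names and the sample paths are assumptions made for this illustration. It uses the real java.lang.SecurityManager API, which is deprecated for removal since Java 17; on Java 18 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.security.Permission;

// Added example (not from the slides): a minimal SecurityManager acting as the
// sandbox boundary for one potentially dangerous operation, writing a file.
// Writes are permitted only under a directory chosen as the sandbox root.
public class SandboxWriteDemo {

    /** Hypothetical policy: allow file writes only below sandboxRoot. */
    static final class WriteSandbox extends SecurityManager {
        private final String sandboxRoot;

        WriteSandbox(File root) {
            // Normalise so "../" segments in a requested path cannot escape the root.
            this.sandboxRoot = root.getAbsoluteFile().toPath().normalize().toString()
                    + File.separator;
        }

        // For this demo every other permission is granted; a real policy would not do this.
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }

        // Called by FileOutputStream (and thus FileWriter) before a file is opened for writing.
        @Override
        public void checkWrite(String file) {
            String target = new File(file).getAbsoluteFile().toPath().normalize().toString();
            if (!target.startsWith(sandboxRoot)) {
                throw new SecurityException("write outside sandbox denied: " + target);
            }
        }
    }

    /** Attempts a write and reports whether the SecurityManager allowed it. */
    static boolean tryWrite(String path) {
        try (FileWriter w = new FileWriter(path)) {
            w.write("hello from the sandbox\n");
            System.out.println("allowed: " + path);
            return true;
        } catch (SecurityException e) {
            // The check fires before the file is created or touched.
            System.out.println("blocked: " + e.getMessage());
            return false;
        } catch (IOException e) {
            System.out.println("I/O error: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        File sandboxDir = Files.createTempDirectory("applet-sandbox").toFile();
        System.setSecurityManager(new WriteSandbox(sandboxDir));

        // Inside the sandbox: permitted.
        tryWrite(new File(sandboxDir, "notes.txt").getPath());
        // Outside the sandbox (the user's home directory): refused.
        tryWrite(new File(System.getProperty("user.home"), "owned.txt").getPath());
        // A path that resolves outside the root via ".." is also refused.
        tryWrite(new File(sandboxDir, ".." + File.separator + "escape.txt").getPath());
    }
}
```

Note that the decision is made by the manager, not by the code performing the write: FileWriter neither knows nor cares about the sandbox, it simply calls into the installed SecurityManager, which is why the slides describe the manager as the component that "decides whether it's ok". The path normalisation is the part most easily forgotten; without it the third write would pass the prefix test and land outside the root.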
How Intrinsically Secure is Java?
- Most security problems found so far are not due to the language itself, but to
  - implementation errors
  - unexpected interaction of browser features
  - differences between Java and bytecode semantics
- However, the Java language has no formal semantics or formal description of Java's type system, yet its security relies on the soundness of Java's type system.

