Avoiding Hostile Applets

How to minimize the risks of executable content.

Java promises to relieve many of the headaches developers encounter when they migrate code among different types of machines. Its built-in portability also gives rise to applets , special Java programs that can enliven a Web page. Java-savvy browsers, including Netscape Navigator and Microsoft Internet Explorer (MSIE), automatically download and "interpret" (i.e., run) any Java applet they find embedded in a Web page. Java code's ability to run on many diverse platforms makes such magic possible.

However, this technology also allows unscrupulous applet designers to invade your machine. Realistically speaking, there is no such thing as a 100 percent-secure computer system. But because Java applets are exceptionally easy to download, users might be exposed to significant risks without even knowing i t. These days, with Java applets everywhere and with millions of people using Java-enabled browsers, you need to know where you're pointing your browser.

The problem is that there is no pat solution here. The bad news: There are risks. The good news: Java's designers were well aware of these risks and did their best to limit them. For instance, the increased use of digital signatures (which authenticate code as coming from a trusted source) in JDK 1.1 helps with risk reduction.

Still, you are vulnerable, and for now there's not a lot you can do. Although Java marketing hype tends to ignore and gloss over the risks, you're better off knowing about them, even if there's little that you as a Java user can do except to limit your exposure to Java a nd other forms of executable content (e.g., ActiveX, JavaScript, Safe-Tcl, and Telescript).

What potential problems does executable content raise? There are four basic categories: attacks that modify a system, attacks that invade a user's privacy, attacks that deny legitimate use of a machine by hogging resources, and attacks that antagonize a user. (See the table "Four Classes of Attacks" .) Keep in mind that this table only gives a flavor of the kinds of things that are possible and is by no means complete.

System Modification

A programming language as powerful as Java has the ability to modify data -- whether it's in a computer's memory or in the file system. Java includes predefined classes with methods that can delete and otherwise modify files, modify memory that's in use, and kill processes and threads. This power has the potential for abuse.

System-modification attacks make up the most critical risks. Java's designers have given much thought to disallowing this class of attacks. In contrast, ActiveX has no limitations on its behavior once it's invoked.

In the most serious cases, system modification involves intrusion into the system itself. Java misuse can create an avenue of attack. Given that system crackers will use any tool available to compromise security (thus gaining entry and user privileges), Java's designers and implementers must ensure that Java does not provide new ports of entry into a machine. (Users can't do anything but be careful about their Java use.) And because Java works on many different platforms, a successful attack on, say, Solaris machines will also be successful on Windows NT machines. Never before have cross-platform attacks been such a distinct possibility.

The bad news is that using Java to break into a machine is certainly possible. Attack applets -- ones that implement system modifications -- have been demonstrated in the laboratory. Princeton University's Safe Internet Programming Team, which ha s discovered many of Java's known security holes, has created attack applets that exploit these holes. Patches have been developed that make these attacks impossible, but the possibility of other sophisticated attacks always presents a risk.

With today's mission-critical computers, system-modification attacks could corrupt financial records in a seemingly secure database, leading to financial loss and corporate bankruptcy, or modify hospital patient records, possibly leading to incorrect treatment and even death. Care must be taken not to expose critical systems to new lines of attack. Since crackers flock to the latest and greatest vulnerabilities, it's important that Java not become a cracking tool.

Invasion of Privacy

A second general type of attack discloses confidential information about a user or a host machine. For example, in Unix, access to the /etc/passwd file (which contains user names and encrypted passwords) makes it possible to mount a password-cracking at tack that can open a machine to attackers.

A system can also leak other sensitive information: Consider an unscrupulous company's being able to steal a competitor's secret business plan through corporate espionage. Individual users should consider whether they would want their private e-mail or financial records to be made public. Any confidential information that can be e-mailed or otherwise transferred over a network is subject to an invasion-of-privacy attack.

With Java, the standard mail-forging attack is much more serious because doubly forged e-mail is a possibility. The applet uses a patsy system to send fake messages, disguising its actual origin. (See the figure "Doubly Forging E-Mail with an Applet" .)

Finally, the sound capability present in many systems today opens up a new kind of eavesdropping. If an attacker can gain control of a system's microphone, it's possible for him or her to listen in on the area immediately surrounding the system. More subtle eaves dropping includes monitoring process tables and file access. A Web-based version of eavesdropping might include keeping track of which links a particular user follows.

Java successfully defends against some of these types of attacks. For example, file I/O has especially tight controls. However, this is countered by the fact that applets always have a channel over which to send back information. That's because applets can always talk back to the server where they originated. Mail forging is harder to defend against. Short of disallowing contact to a client's ports, mail-forging attacks are not likely to go away.

Denial of Service

Denial-of-service attacks make system resources unavailable for legitimate purposes. They occur when a process siphons more than the standard allotment of resources, essentially hogging the machine. There are many subcategories of denial-of-service attacks. Some examples include completely filling a file system or using up all available file pointers; a llocating all of a system's memory, creating thousands of windows -- effectively denying access to the output screen or to the window-event queue; and using all of a machine's CPU cycles by creating many high-priority threads. Although denial-of-service attacks are of real concern, Java's designers have not properly addressed them.

There is some debate over the relative importance of stopping denial-of-service attacks. In most cases, denial of service comes closer to the category of attacks that antagonize the user than to any other category. This is because recovering from a denial-of-service attack is usually easy: You just reboot the machine. Even so, denial of service for mission-critical computers can be serious; you certainly don't want to be rebooting crucial links in your system chain. For example, imagine the mayhem that would erupt if an applet clogged the machines that run the stock market: The resultant losses could be staggering.

Denial-of-service attacks are one of the most common Ja va security concerns. For live examples, see Mark La Due's Hostile Applets Home Page at http://www.math.gatech.edu/~mladue/HostileApplets.html . Implementing such an attack is not hard; however, stopping one is, because the current Java security model does not offer a good solution to this problem.

Antagonism

Less odious, but still of concern, are attacks that merely annoy a user. Playing unwanted sound files through a speaker or displaying obscene pictures on a monitor are two examples. Other seemingly antagonistic attacks can be the result of simple programming errors.

As mentioned above, some denial-of-service attacks can be classified as merely antagonistic. A window-popping attack, for example, can be just an annoyance, depending on the window manag er in use. Judging the severity and category of a particular attack is always a subjective and context-sensitive problem.

Java's Lines of Defense

To combat all four classes of attacks, Java security relies on three prongs of defense: the Byte-Code Verifier, the Applet Class Loader, and the Security Manager. Together, these prongs perform load- and run-time checks to restrict access to file-system, network, and browser internals.

Each of these prongs depends in some way on the others. For the Java security model to function properly, each part must do its job properly. (For more on the Java security model, see "Java Security and Type Safety," January BYTE.)

Using Java More Safely Now

It's all well and good to talk about classes of attacks and how the Java security model tries to protect you. But hostile applets do exist, and you can't just trust the Java security model to protect you in all cases. Things are improving, but the security model is not perfec t. What can you do in the meantime? Are there guidelines for using Java as it exists today that might result in better security?

In fact, there are several straightforward things that you can do to make your use of Java safer. Most of these involve old-fashioned common sense; others require a bit of knowledge about Java. What follows is a list of guidelines.

Administrators must take the lead in assessing risks and making policies regarding possible exposure to hostile Java applets and other executables on the Web.

Know your own Java environment. Know which vendor's Java virtual machine (VM) you're using. Netscape's security policy and implementation differ from Microsoft's. Be aware that there are many Java licensees. Some will provide better security solutions than others.

Know what Web sites you're visiting. Just as you shouldn't drive your minivan into certain dangerous neighborhoods, you shouldn't surf your browser into unfamiliar -- possibly hacker-prone -- neighborhoods on the We b. The Sun Microsystems Web site is probably OK, but think twice about visiting a site known as Vinny's Nasty Surprises Java Joyride. Like the real world, the Web is mostly safe, but it can also get dangerous in other parts. If you have critical information to protect, you should surf with Java enabled only to sites that you know and trust.

Use up-to-date browsers with the latest security updates. Security problems often get fixes only in the latest version of a browser -- and this is often a beta version. If you're using Netscape Navigator 2.0 now, you have some very serious security holes in your browser. Get a new one; your security depends on it.

Be aware of new products that attempt to fill security gaps. WebCrusader, from Gradient Technologies (Marlborough, MA), is designed to authenticate the server your browser is pointing to, according to Joe Uniejewski, Gradient's vice president of marketing. With this package, your security administrator authenticates users and internal and ext ernal servers in a registry, providing fine-grained control, according to Brian Schimpf, Gradient's director of product development. Other products, such as InterScan WebProtect (Trend Micro, Cupertino, CA), Gauntlet (Trusted Information Systems, Glenwood, MD), and SurfinGate and SurfinShield (Finjan Software, Cleveland, OH), are also claimed to block Java applets, although recent research indicates this may not be technically possible.

Keep a lookout for security alerts. One good way is to subscribe to the Computer Emergency Response Team's (CERT's) mailing list (see http://www.cert.org ). It alerts Internet users of security problems that are particularly serious. Vendors try to provide this information but are not always the best source of data. In addition, the Java Security Web site ( http://www.rstcorp.com/java-security.html ) includes a form where you can sign up for notification about our work. We use the resulting list to inform users of new Java security problems. The popular press often covers new holes as well -- when they're serious. For example, news of the Princeton Safe Internet Programming Team's work has appeared in USA Today , the Wall Street Journal , the New York Times , and a number of trade publications.

Apply drastic security measures if your information is truly critical. If it's ultracritical, get off the Internet entirely. Otherwise, stop using the Web on essential machines. Turn Java off. Don't use a Java-enabled browser on a machine containing key business data. But try not to throw the baby out with the bathwater; some degree of risk is usually ac ceptable.

Finally, assess your risks: What do you have to lose if your data is compromised?

Because everyone's situation is unique, there is no one answer to the question "Should I avoid using Java because of the possible risks that applets might pose?" Those running a business on the Internet need to think about exposing their data to possible robbery or corruption. A home user with no critical data, on the other hand, probably has no worries. But if your information is valuable or if you're highly visible, you make a good target.

---

Four Classes of Attacks

The four basic types of security attacks, ranked in order of severity. Hostile applets fall into two types: attack applets, serious system-modification attacks; and malicious applets, the three less-serious-risk classes.

Four Classes of Attacks
Attack class	Explanation	Consequences	Java defense
System modification	The most severe attack applets; seen only in labs so far.	Severe	Strong
Invasion of privacy	Malicious applets; includes mail forging.	Moderate	Strong
Denial of service	Malicious applets; can bring a machine to a standstill. Many examples on the Web. May require rebooting.	Moderate	Weak
Antagonism	Malicious applets; annoying. Most commonly encountered.May require restart of browser.	Light	Weak

---

Doubly Forging E-Mail with an Applet

illustration_link (31 Kbytes)

A malicious applet runs on a clueless host to send messages that seem to originate from that host.

---

http://www.rstcorp.com/~gem and at http://www.cs.princet on.edu/sip , respectively.