Network Computing

Corporate.Net
internetRx

By Dan Backman and Chris Lewis

Q: Should I be checking downloaded Java applets for viruses or other potential security violations?

A: Users who download applications of unknown origin, which are then installed and run on local hard drives, are a major concern. Luckily, Java applets are becoming less of a security issue, since the Java security model is generally adequate for most systems' needs. The Computer Emergency Response Team (CERT) has issued two alerts regarding Java, both of which have been addressed by the major browser software vendors (see www.cert.org). These alerts are identified by CERT as 96.05.java_applet_security_manager and CA-96.07.java_bytecode_verifier.

Java applets run in their own space within the Java Virtual Machine (JVM), which is referred to as the "sandbox." Specifically, an applet within the sandbox is forbidden to use any local code for direct access to system resources, connect to a network server (other than the one it was loaded from), create a process, or read from or write to the local drive. Because Java applets are written in interpreted code--rather than compiled binaries--it is easier to make checks prior to execution, so that the applet cannot breach security.

Your complete security relies on the security of the sandbox. The sandbox consists of several parts, including language features, the JVM and separate security managers executed from within the applet.

The first potential security problem occurs when an applet is downloaded. To secure this process, a browser executes the Java applet class loader. This loader retrieves the applet code, sets it up in its own name space and stops the applet from accessing system-level functions or creating its own loading system.

Once the code is loaded, a byte-code verifier examines it, confirming that the applet code adheres to all Java language rules. This verifier stops applets from circumventing access restrictions, forging memory pointers and overwriting common memory areas.

Once the system loads the applet code, the Java security manager watches and restricts the applet's behavior. The security manager oversees the creation of processes and sockets, as well as access to other applications, the operating system and protected data. For more information on this process, see java.sun.com/sfaq, www.javasoft.com/security or www.javasoft.com/marketing/collateral/security.html.
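The sandbox restrictions listed above (network access only to the originating server, no local file access, no process creation) can be expressed as security manager checks. The following is an added example, not code from the article or from any browser vendor; the class name `AppletSandboxManager`, the host names and the file names are hypothetical, and it assumes a JDK that still ships `java.lang.SecurityManager` (deprecated for removal since Java 17). The checks are called directly rather than installed for the whole JVM.

```java
// Added illustration: applet-style sandbox rules as SecurityManager checks.
// AppletSandboxManager, the hosts and the file names are hypothetical.
public class AppletSandboxManager extends SecurityManager {
    private final String originHost; // server the applet was loaded from

    public AppletSandboxManager(String originHost) {
        this.originHost = originHost;
    }

    @Override
    public void checkConnect(String host, int port) {
        // Sockets may only go back to the originating server.
        // Simplification: plain host-name match, no address resolution.
        if (!originHost.equalsIgnoreCase(host)) {
            throw new SecurityException("connect to " + host + ":" + port);
        }
    }

    @Override
    public void checkRead(String file) {   // no reads from the local drive
        throw new SecurityException("read " + file);
    }

    @Override
    public void checkWrite(String file) {  // no writes to the local drive
        throw new SecurityException("write " + file);
    }

    @Override
    public void checkExec(String cmd) {    // no process creation
        throw new SecurityException("exec " + cmd);
    }

    // Runs one check and reports whether the sandbox allowed it.
    static String attempt(String label, Runnable check) {
        try {
            check.run();
            return label + ": allowed";
        } catch (SecurityException e) {
            return label + ": blocked (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        AppletSandboxManager sm = new AppletSandboxManager("applets.example.com");
        System.out.println(attempt("origin socket", () -> sm.checkConnect("applets.example.com", 80)));
        System.out.println(attempt("other socket", () -> sm.checkConnect("intranet.example.com", 80)));
        System.out.println(attempt("file read", () -> sm.checkRead("notes.txt")));
        System.out.println(attempt("file write", () -> sm.checkWrite("notes.txt")));
        System.out.println(attempt("process", () -> sm.checkExec("notepad.exe")));
    }
}
```

Only the first attempt is allowed; the other four are blocked with a `SecurityException`, which is how a security manager vetoes an operation before the JVM performs it.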

Planning on using JavaScript? Don't be concerned by the fact that JavaScript does not operate within the sandbox. It is not used to create applets or standalone applications, but it can link HTML form elements to Java applets. JavaScript resides within an HTML script and delivers interactive features to a Web page without the need for a Common Gateway Interface (CGI). Noteworthy references for JavaScript include home.netscape.com/eng/mozilla/3.0/handbook/javascript and www.danny.com/javascript/index.html.







Updated September 24, 1997






Copyright © 2009 United Business Media LLC