Understanding the keys to Java security -- the sandbox and authentication

A detailed look at the latest security features in Java -- and the recently discovered code-signing hole


In brief, by exploiting this hole, an attack applet can get a list of all signers known to the local system, determine which if any of those signers is trusted, and then relabel itself so it appears to have been signed by a trusted signer. The result is that the applet can completely evade Java's security mechanisms.

JavaSoft says the flaw will be fixed in the next release (1.1.2) of the JDK. A patch has been created and sent to the various Java licensees. Since neither Netscape nor Microsoft supports JDK 1.1 code signing in their current browsers, they are not vulnerable. Interestingly, Netscape Communicator will have a completely different model of code signing. See the Princeton technical report "Extensible Security Architectures for Java" (available on the Princeton Web site) for details.

Assessing the latest security hole

JavaSoft states correctly that this bug "represents minimal exposure to users" since it affects neither of the popular browsers. It is important to note that HotJava is completely susceptible to this problem unless code signing is entirely disabled -- which fortunately is an option. If you use HotJava, you should do this immediately.

So is this bug serious? Yes. It provides yet another example of how complicated systems can break down in unexpected ways. "This is another instance of an old RISKS story -- a surprisingly large portion of the entire infrastructure must be trustworthy, including pieces you might not have realized were critical," says Peter Neumann, moderator of comp.risks and noted security expert. "That statement is perhaps best thought of as a corollary to Leslie Lamport's classic statement, 'A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable.'"

In the future...

Java is bound to move beyond the sandbox. Support for signed applets should appear soon on consumer desktops. This is good news for developers who want less restriction placed on their applets. But with code signing comes a host of new risks to manage -- most notably, the risks that the implementation will have holes and that security policies will get too complicated to understand. The usual computer security lesson: Educate yourself about the risks and manage them appropriately.

Gary McGraw, Ph.D., is a research scientist at Reliable Software Technologies (http://www.rstcorp.com) (Sterling, VA). Edward Felten, Ph.D., (http://www.cs.princeton.edu/~felten) is an assistant professor of computer science at Princeton University, where he leads the Safe Internet Programming Team (http://www.cs.princeton.edu/sip). McGraw and Felten are the authors of Java Security: Hostile Applets, Holes, and Antidotes (http://www.rstcorp.com/java-security.html), published by John Wiley and Sons, and the Java Security CD-ROM from MindQ (http://www.mindq.com).
