References

Garfinkel and Spafford, Web Security and Commerce
chapter 3 Java and Javascript (security)

Denial of Service attacks

Java security is not proof against denial of service attacks.

Denial of service

means the excessive consumption of resources: screen, CPU, memory, processes, interrupt handlers, socket connections, etc.
by an offending process
to the exclusion of other (desirable) process's use of these limited computing resources.

Some use of resources is intended for any process.. how much is excessive?

A faulty or malicious applet can run away with resources doing apparently nothing or trivial things.

• flood of method calls tie up nearly all CPU for little effect
• allocation of larger and larger objects can tie up all of memory, thrash virtual memory, exclude activity from the rest of system
• popping up multiple screen windows - each is often very expensive operation and high priority

Denial of service possibility is serious in Java etc. because authors did not consider this form of attack: the JVM interpreter is not built to exclude it;

PC operating systems are not as independently robust as old batch or multi-user mainframe systems.

Solutions:

• not the browser security model: can't simply block operations, can't tell in general whether user wants this effect or not, can't compare to other use of resources in system
• a good operating system, a good browser:
  will be fair in use of resources between threads and processes, so that even a runaway process cannot lock out others
  - may include more checking of excess activity (limit memory space used etc.)- some time penalty even if no offence

- will allow the user back into control.

Java security - summing up

security obtained by enbedding a security policy into the runtime environment in the elements:

• security manager
• class loader
• trust certificates

No theoretical base for the security model:
not as secure as encryption systems with mathematical/computational complexity theory and years of open published literature examination as basis for belief in security

but may be strengthened in future with automated proof systems on applets
[ANU research]

Vulnerabilities

Advantage of Java model is that greater level of simple security comes with the same effort (running in sandbox vs running in the open)

No silver bullets:

web-based systems must be openly accessable to many new opportunities of applications (change or wither away!) in information dissemination, computer mediated communications, distributed applications, electronic commerce...

always opportunites to spam, skim, scam

always a dynamic balance between social desires for privacy and open information, equal access rights.

Other active content technologies - Javascript

A product defined by Netscape

not the same as Java

Embeds script commands within HTML pages using javascript tag.

Script is not compiled: human readable form is interpreted directly

hence larger code size for equivalent function as Java bytecode.

Well suited to simple Web page activity.

More secure than Java:

Security holes: in first version (fixed in latest)

• can send email
• can access browser history

therefore

• can send fake emails from user to anywhere
• can snoop - capture history/preferences of user and send to snooper

Denial of service - yes.

Other active content technologies - ActiveX, tclets..

Microsoft technology.

downloadable executables - dynamic plug-ins - associated with Visual Basic controls, etc.

may be written in target (client) native machine code - hence execute quickly once downloaded (no easy way to get security at browser end)
- or may be written in Java, download as Java bytecode

processor and system dependent (unlike Java and scripting languages)

Security - certificate only - full privileges when executing native code (no sandbox model)

tclets

derived from tcl/tk scripting language - tk graphics toolkit controls

require tcl-enabled browser - safe tcl

basically similar to Javascript, more powerful
(full tcl is equivalent to a shell command language in expressiveness and power)

Data flow diagram - Web server and browser

Data flow diagram - Web browser (simplified)