[3590] in WWW Security List Archive
(fwd) Paper on Java risks to firewalls
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Tue Nov 19 18:58:45 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: www-security@ns2.rutgers.edu
Date: Tue, 19 Nov 1996 09:34:24 -0600 (CST)
Errors-To: owner-www-security@ns2.rutgers.edu
Forwarded from RISKS Digest 18.61:
| Date: 15 Nov 1996 15:24:20 -0500
| From: David Martin <dm@cs.bu.edu>
| Subject: Good Java security doesn't imply good network security
|
| Many researchers have noted security flaws in existing Java implementations
| as well as fundamental weaknesses in Java's security model. Examples of the
| former include attacks that confuse Java's type system, ultimately allowing
| applets to execute arbitrary code with the full permission of the user
| invoking the browser, and examples of the latter include the lack of audit
| trails and Java's single-line-of-defense strategy. Dean, Felten, and
| Wallach's paper "Java Security: From HotJava to Netscape and Beyond" brought
| most of these issues to light, sending shock waves throughout the computing
| community. (See http://www.cs.princeton.edu/sip).
|
| Until now users and system designers have been content to consider these
| problems transient, confident that bugs will be mended quickly enough to
| limit any damage. Netscape, for instance, has been admirably quick in
| responding to the most serious problems.
|
| However, the giant installed base of Java-enabled browsers---each inviting
| an adversary to determine the browser's actions---gives reason to suspect
| some kind of fallout even in "secure" implementations of Java. Our paper,
| available at http://www.cs.bu.edu/techreports/96-026-java-firewalls.ps.Z,
| describes attacks on firewalls that can be launched from legal Java applets.
| In certain firewall environments, a Java applet that finds itself running in
| a browser behind the firewall can cause the firewall to allow incoming
| telnet (or other TCP) connections to that host. In some cases, the applet
| can even use the firewall to access arbitrary hosts supposedly protected by
| the firewall.
|
| The weaknesses exploited by these attacks are neither in the Java
| implementation nor in the firewall as such, but rather in the composition
| of the two---and in the security model that results when browsers give
| adversaries such ready access to "protected" hosts.
|
| Our paper also describes methods for preventing applets from crossing a
| firewall; this is one way to prevent such attacks. In any case we strongly
| recommend that managers of firewalled sites containing Java-enabled browsers
| take a good look at the issues involved and make appropriate policy
| decisions.
|
| David Martin <dm@cs.bu.edu>, Computer Science, Boston University
| Sivaramakrishnan Rajagopalan <sraj@bellcore.com>, Bellcore
| Avi Rubin <rubin@bellcore.com>, Bellcore
