Risks with web programming technologies. Steve Branigan Lucent Technologies



Similar documents
APPLETS AND NETWORK SECURITY: A MANAGEMENT OVERVIEW

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

allow all such packets? While outgoing communications request information from a

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Remote Access and Control of the. Programmer/Controller. Version 1.0 9/07/05

Cisco Secure PIX Firewall with Two Routers Configuration Example

Firewall VPN Router. Quick Installation Guide M73-APO09-380

M2M Series Routers. Port Forwarding / DMZ Setup

CMPT 471 Networking II

Multi-Homing Dual WAN Firewall Router

Oracle Discoverer 4i Plus Firewall and SSL Tips. An Oracle White Paper February 2002

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL POLICY November 2006 TNS POL - 008

Elluminate Live! Access Guide. Page 1 of 7

CheckPoint FireWall-1 Version 3.0 Highlights Contents

Network Defense Tools

Cisco PIX vs. Checkpoint Firewall

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Overview - Using ADAMS With a Firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Overview - Using ADAMS With a Firewall

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

PN Connect:Enterprise Secure FTP Client Release Notes Version

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Elluminate Live! Access Guide. Page 1 of 7

Microsoft Labs Online

Intro to Firewalls. Summary

GoToMyPC Corporate Advanced Firewall Support Features

Installation Guide For Choic Enterprise Edition

Law Conferencing uses the Webinterpoint 8.2 web conferencing platform. This service is completely reservationless and available 24/7.

IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...

Configuring Security for FTP Traffic

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Troubleshooting AVAYA Meeting Exchange

Guidance Regarding Skype and Other P2P VoIP Solutions

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

TECHNICAL CONDITIONS REGARDING ACCESS TO VP.ONLINE. User guide. vp.online

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

Secure Software Programming and Vulnerability Analysis

Stateful Inspection Technology

S y s t e m A r c h i t e c t u r e

Novell Access Manager SSL Virtual Private Network

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewall Design Principles Firewall Characteristics Types of Firewalls

Comprehensive Anti-Spam Service

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

PLATO Learning Environment System and Configuration Requirements. for workstations. April 14, 2008

Volume SYSLOG JUNCTION. User s Guide. User s Guide

How To Understand The Architecture Of An Ulteo Virtual Desktop Server Farm

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

End User Guide The guide for /ftp account owner

DreamFactory Security Whitepaper Customer Information about Privacy and Security

Error Code Quick Reference Guide Updated 01/28/2015

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Web Conferencing Version 8.3 Troubleshooting Guide

What is Web Security? Motivation

Overview. Firewall Security. Perimeter Security Devices. Routers

W3Perl A free logfile analyzer

Campus VPN. Version 1.0 September 22, 2008

HOW TO CONFIGURE PASS-THRU PROXY FOR ORACLE APPLICATIONS

Test Run Analysis Interpretation (AI) Made Easy with OpenLoad

RemotelyAnywhere Getting Started Guide

Hack Your SQL Server Database Before the Hackers Do

Topics in Website Testing. [Reading assignment: Chapter 14, pp ]

Initial Setup of Mozilla Thunderbird with IMAP for OS X Lion

Checklist for Web Application Testing

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

White Paper. Java Security. What You Need to Know, and How to Protect Yourself

Wireless Security: Secure and Public Networks Kory Kirk

Password Reset PRO INSTALLATION GUIDE

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Step-by-Step Configuration

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Connecting with Computer Science, 2e. Chapter 5 The Internet

IBM Web Conferencing: Troubleshooting Guide

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

Introduction to Mobile Access Gateway Installation

Transport Layer Security Protocols

Remote Console Installation & Setup Guide. November 2009

Tunnels and Redirectors

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

OS/390 Firewall Technology Overview

FAQ. How does the new Big Bend Backup (powered by Keepit) work?

Backup & Disaster Recovery Appliance User Guide

Web Application Security

Steelcape Product Overview and Functional Description

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Citrix Access on SonicWALL SSL VPN

DB2 Connect for NT and the Microsoft Windows NT Load Balancing Service

Transcription:

Risks with web programming technologies Steve Branigan Lucent Technologies

Risks with web programming technologies Abstract Java applets and their kind are bringing new life to the World Wide Web. Through the use of web programming technologies developers can make web pages interactive. Developers can now allow web pages to learn about the user and the user s system in order to operate more efficiently. These web applications are transported to the user s workstation through the magic of the hypertext transport protocol (http). The major web browsers are capable of receiving and running these web applications on the local system. Of course, this ability to download code over the network and run it on a local system is inherently dangerous. With most of the programming technologies, source code is not delivered to the user s system. A compiled program is delivered to the system, which the user has to either trust or not trust, without being able to inspect the code. The paper will examine some of the dangers that exist with the web based programming languages in today s Internet. This paper will focus primarily on Java, ActiveX and JavaScript. These three technologies deal with code that is downloaded and executed on a user s behalf from an unknown and/or untrusted party.

Risks with web programming technologies The basics Of the web programming technologies, Java and JavaScript are basically platform independent programming languages. (ActiveX uses Windows API calls.) For example, a single Java application (known as a Java applet) will run on a Windows95 architecture just as it will run on any UNIX architecture. Well, this is pretty exciting to the development community, which has been struggling for years with platform dependent issues in creating software. First, we will examine Java in some detail throughout this paper. Java appears to have been developed with security constructs in mind. For example, Java programs run inside a Virtual Machine that is designed to allow very limited functionality to the underlying operating system. Further, compiled Java code is run through a byte code verifier, insuring that the code is type safe. Java uses type safety in part to ensure security, by attempting reduce the stack overflow problems that we see in security arena today. Java applets are only allowed to communicate with the web server that delivers the Java code. Finally, Java is providing support for digital signatures, which will allow for a more robust trust model in the future. For the web programming technologies that are available, one could argue that Java is the most advanced in the arena of security. Java applets are platform independent, allowing a single compiled applet to execute on a variety of computing architectures. Java accomplishes platform independence through two major mechanisms; a Java compiler that turns Java source code into Java byte codes, and a Java virtual machine which translates Java byte codes into the native operating system calls specific to the hardware/software where the Java applet is currently running. (Pretty slick, huh?) In order to develop a Java applet, a software engineer needs to obtain a Java Development Kit (JDK) specific for his/her hardware and software architecture. For example, in the research for this paper, I downloaded a JDK specific for the Windows95 architecture. This allowed me to compile Java applets right on my own system. These applets can run on any architecture where Java can run. In order for a user to run Java applets directly from the Internet, he/she needs to obtain a web browser that is Java enabled. A web browser that is Java enabled has a Java virtual machine coded into the browser itself. Common examples of Java enabled browsers are the latest releases of Netscape s Navigator, Microsoft s Internet Explorer and Sun s HotJava Browser. (Of course, this is not a complete list of all the web browsers that are Java enabled.) The only other step that a user needs to take is to visit a site on the World Wide Web that contains a Java applet. If a web user visits a site that is Java enabled, a Java applet contained in the web page will start to execute automatically. The user is not asked for permission to start a specific applet, just notified that a Java applet is running. A web browser can be configured to disable Java and JavaScript execution. However, by default, Java and JavaScript execution is enabled on most browsers. (Digital signatures are starting to be used to verify applets come from trusted sources, which will be helpful in determining which applets are more trust-worthy.)

In staying with our focus on Java for the moment, let s examine exact how a Java applet is invoked. Sample Applets TicTacToe The JDK includes quite a few sample Java applets. The first of these applets that we will examine is the TicTacToe Java applet. This applet displays a tic-tac-toe board inside a web page. The Java applet actually plays a game against the user, responding to the user s moves and sometimes winning. A Java applet is started for a user through a simple html file. For this applet, the html file is called example1.html. <title>tictactoe </title> <applet code=tictactoe.class width=120 height=120> </applet> A pretty simple file. Note the <applet > and </applet> entries in the file. These are referred to as applet tags in the html file. When a web browser sees these applet tags, it knows to expect a Java binary to be transported over the network. In this case the browser will execute the file TicTacToe.class, which is the Java applet file. SortDemo The Java applet SortDemo displays the multi-threaded capabilities of the Java virtual machine. The applet demonstrates the differences in the efficiency of three different sorting algorithms, bubble sort, bi-directional bubble sort, and quicksort. All three sorting algorithms are contained in a single applet, called SortItem.class. These three sorting algorithms can be started independently of the others, and complete independently. Inside the Java Virtual Machine, a thread manager handles the task of assigning CPU time to each thread. Reasons for concern Many corporations are configuring their networks to allow http traffic to be transported to the desktop. This is being done to allow users access to the wealth of information that exists on the web today. In addition to the traditional information on the World Wide Web that can now reach the user s desktop, so too can web programming technologies reach a user s desktop. Imagine that you are responsible for maintaining the network security of a corporation. Now imagine that someone told you that your configuration suddenly allows untrusted computer programs to be downloaded and executed in your corporate network from anywhere on the Internet. These programs have the ability to run on any and every user s desktop that is connected to the corporate network. As frightening as this may sound, it is quickly becoming the current state of affairs with the Java, JavaScript and ActiveX technologies.

These technologies are transported through firewall configurations by the magic of the hypertext transport protocol. Firewalls, of course, are the systems that are assigned the task of screening out bad traffic from the Internet, while allowing the good traffic in to the corporate network. By using a firewall, a corporation can make use of the benefits of worldwide connectivity that the Internet has to offer, while protecting the internal network from the bad traffic on the Internet. When a corporation adopts this type of configuration, it can bring the services of the Internet straight to the desktop of the corporate workers. This is the case in most corporations today with two very popular Internet services, electronic mail and World Wide Web access. This is done by allowing the smtp protocol and the http protocol access through the firewall. Another variation that is becoming very common is a configuration where the http, or World Wide Web traffic, is delivered to a proxy server after it passes the corporate firewall. This is done for security and auditing reasons, and performance reasons. The Firewall Web programs such as Java applets are difficult to screen at a firewall. Firewalls make their screening decisions based upon connection information, not on content information. For example, many corporate firewalls are configured to reject telnet connections that are coming into the firewall from the Internet. However, these same firewalls are configured to accept smtp (electronic mail) traffic that originates from the Internet. The firewall makes these decisions based upon the source address, destination address, source and destination port, and various flags in the packet header. Since Java applets are transported after a connection is allowed, as part of the message content, it is difficult for a firewall to screen out Java. (Similar for JavaScript and ActiveX). Firewalls are not aware of the contents of a network connection. The firewall knows how to screen telnet traffic, but it does not know how to process telnet traffic. This is an important point, since Java applets are part of the content of an http connection. The firewall will know how to screen http traffic, but doesn t know how to parse http traffic. reaches. does understand http traffic, and can be designed to monitor the contents of an http http session. program from being downloaded and executed over the http link. This stems from the encrypted. Interesting how one security technology defeats another.) Currently, the types of attacks that can be mounted through Java and other web

The denial of service (demonstrated through the noisybear, wasteful and triplethreat Java applets). The spoofing attack (demonstrated through the penpal and login screen Java applets). The gathering of information (demonstrated through the Netscope attack). Denial of service attacks In looking at the denial of service types of attacks, let us first turn our attention to the Java applet called Wasteful. The simple goal of this applet is to consume of the CPU resources on a system, without performing any useful work. (This is the first of a couple of hostile Java applets that we will examine. All of the hostile applets that we will be examining come from Mark D LaDue. He authored these applets in February of 1996, while at Georgia Tech University in the United States.) To stop the applet, the user generally will need to actually terminate the browser where the applet is running. This applet was tested on a Windows95 system, with Netscape Navigator 4.0 running the Java applet. (This is the standard configuration for all of the tests documented in this paper.) The applet caused severe impact to the Navigator process, and could only be stopped by invoking the task manager and forcefully terminating the process. Another interesting denial of service applet is the Java applet called Triplethreat. Once invoked, it creates window after window, until memory is exhausted. On the Windows95 system that it was tested on, it created a mess. The task bar on the Windows95 system filled with new buttons, until a scroll bar appeared! To shut down the Triplethreat applet, our old friend the task manager needed to be invoked again. The final denial of service applet to discuss is the Noisybear applet. This Java applet is designed to play a sound over and over. It will keep play this sound even after the browser has stopped running the applet. The only way to stop the sound from playing is, of course, to stop the browser. (Surprised?) The Spoofing Attack A Java applet has been created that lies to collect information. This Java applet, called Ungrateful, looks to connect user ids and password information. The way that this Java applet operates is clever. Once the applet is invoked, it operates on a time delay. After about 5-30 seconds, the applet starts. It displays a large black window that completely covers the entire screen. In the window, it states that Netscape encountered a security exception. In order to regain access to your browser, you must login again. Once the applet collects this information, it is shipped over tcp port 7000 (the default) to another Java applet that is collecting the ip address, user id and password information. Of course, the applet does not allow the user to regain access to the system. This applet failed to operate on the Windows95 architecture. However, it did operate quite well on a Linux architecture running OpenWindows. (Platform independence?)

Information gathering The web site Fehler! Textmarke nicht definiert. is a very good place to visit to understand how much information a browser can yield about its system and user. Information is collected on the originator of the http connection, with surprising results. The anonymizer site can not, however, gather network information about systems that are behind http proxies. This is due to the fact that the http proxy appears to the anonymizer (and other web sites) as the originator of an http request. When testing the anonymizer site from behind an http proxy, the anonymizer displays information about the http proxy, but not about the actual source system. Enter the site at Fehler! Textmarke nicht definiert.. (Major Malfunction and Ben Laurie have created this site.) The Java code at this site is able to determine the system names and network addresses of systems that are behind the firewall and http proxies. A Java applet executing on a local system can determine information about local system, such as the system name and ip address. The Java applet can communication with the web server. Since the information is transported through http, it is delivered right through the firewall and the http proxy. While an http proxy is able to screen out the anonymizer, it does not block this attack. An http proxy could block this type of attack if it were to disable Java from entering the network. However, with the current state of the technology, a proxy that blocks Java blocks Java for everyone behind the proxy. The options It should now be fairly clear that Java and the Java like technologies are exciting in the way they are changing the World Wide Web. Along with these new technologies, however, come new challenges in practicing safe networking. If you allow http traffic into your network, you have to evaluate how you handle this issue. It is a difficult challenge since it is up to the end user to determine whether or not they will run Java once http has been allowed into the network. In order to protect against some of the problems that these new technologies may allow, consider the following recommendations. Disable all Java at the desktop through the browser. Most browsers are capable of disabling Java and JavaScript. Educate the user community to disable these technologies when visiting untrusted web sites, to minimize risk. Disable Java based upon source address on a network level. If not available already, hopefully it will be available in http proxies. Disable Java based upon source address by the JavaFilter. This new program, available for the Secure Internet Programming group at Princeton University, adds new functionality to the Netscape browser. Hopefully it will soon be available for other browsers. Disable http access. This is a drastic recommendation, but it will limit the risk to a network based upon these new technologies.

References: The following text provided great information on the hostile Java applets and how to protect yourself. Java Security: Hostile Applets, Holes and Antidotes. Gary McGraw and Edward W. Felten. John Wiley and Sons, New York, 1996 In keeping with the fact that this topic is an Internet topic, most of the material for this topic came from many valuable web pages. Below are listed the web pages that provided valuable information on the web programming technologies. Fehler! Textmarke nicht definiert. - Provided information about the Java programming language, the Java virtual machine, and the byte code verifier. Fehler! Textmarke nicht definiert. - Provided information about hostile Java applets. Also, provided code and examples on the JavaFilter product. Fehler! Textmarke nicht definiert. - Provided information on how Java can be used to obtain information on a web browser that is resident behind a firewall and http proxy. Fehler! Textmarke nicht definiert. Provided information on some of the exploits possible with Java and JavaScript technologies. All trademarks referenced in this document are owned by their respective companies. All opinions expressed in this document are my own, and are not necessarily the opinions of Lucent Technologies, Inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information