JAVA security 'hole'
This is the original posting from November 1999
Lane Friesen has stumbled across something very interesting, a 'hole' in the JAVA security system that appears to enable a new class of very powerful web applications.
Developers, is this for real? Post your comments about this article in the JavaBoutique Forum.
"I have discovered a 'hole' in the JAVA security system that appears to enable a new class of very powerful web applications.
The 'hole' is not one between the JAVA system and the rest of the computer, but rather a kind of channel using JAVA - between one HTML page and another, which allows a JAVA-based program or ActiveX object to 'live' and to change its form from page to page, for as long as a browser is running, and to store and alter whole megabytes of data within a client computer, in response to events that occur from page to page.
One can do things with ordinary HTML, and do them very easily, that in normal cases would require complex active server pages, frames, or an extensive use of cookies.
Some things, such as a database cache, are probably impossible to do any other way.
Memory goes beyond name-value pairs, as with cookies, to include JAVA classes such as self-extending Vectors, or very long Strings.
I formed a database cache as a String, for instance, and was able to use optimized JAVA String search functions and the client processor for easy and essentially instantaneous access, from page to page.
To allow an evaluation of the potential of this technique, I have built a shopping cart that works with an ordinary HTML page, and requires only a dumb server for the merchant's account.
No use is made by the shopping cart of cookies, frames, or active server pages.
The shopping cart program includes an optional database which is cached on the client computer, so that accesses, from page to page, use client computing power, and client memory, and require no client-server communication other than an initial download.
Purchases are also remembered, in client memory, so that decisions made on one page can be altered on another page.
The shopping cart is so independent of the server that it can be run offline.
The program is 14K in size.
It is activated by the inclusion of 6 lines of 'boilerplate code' in an HTML page.
Other than the inclusion of these lines, there are no design restrictions or limitations.
The shopping cart program can be viewed here.
I stumbled on this technique experimentally, and still have an imperfect understanding of exactly why it works.
I do know that it appears to be a very universal and stable channel: I have used it in both applets and ActiveX JAVA-based objects, and on most browsers and a number of different machines.
You may test it for yourself, on different machines, by using the shopping cart program.
The memory appears to be a kind of 'terminate and stay resident' system that is linked to a table of pointers connected to JAVA abstract classes, such as interfaces.
Persistence is generated by 'hanging' objects onto this table.
I have provided sample code, that demonstrates precisely how this is done, in the hyperlink at the bottom of this page.
Two things appear to conspire together to form this table of pointers into a kind of memory.
It turns out that if the same JAVA program - the name must be the same and it must be located in the same directory - is loaded by more than one page, then it will be RE-ASSIGNED the address space that it had on a previous HTML page.
I suppose this is done so that a RELOAD takes place more smoothly.
The second is that if some JAVA program ever attempts to initialize some link in this table which has previously been connected to some other object, the initialization is ignored.
I would imagine that the latest value is more 'local' and thus takes precedence.
Suppose that an HTML page loads the same applet or ActiveX JAVA-based object as was loaded on a previous page.
Since the program is re-assigned the same address space, it is automatically able to access values which were 'hung onto' the table in a previous incarnation.
It will attempt to re-initialize these links, for it is an exact copy of the previous code, but what is remembered by the table is either the FIRST initialization, OR ELSE the latest value set as a result of processing in some PREVIOUS incarnation, but NEVER any current attempt at RE-initialization.
Thus, there is memory.
And it requires only a very small change to an HTML page, just enough to load the applet or object, and to set up communication between it and the HTML.
If the JAVA code base address that is loaded by the HTML is different from that loaded previously, then a new address space is generated, even though the code may be identical.
As it turns out, the old address space is not removed until its memory is actually required.
This feature is used by the shopping cart program to create separate accounts, on the same browser, for different merchants.
One can move back and forth between various accounts, and distinct address spaces simply by accessing appropriate web pages, or even by hitting the BACK and FORWARD button.
Since memory is virtual, overuse of client memory is not a problem; JAVA is always there to protect the system.
The fact that the same program is loaded repeatedly means that similar code is being placed on each page.
This makes it very easy to use this technique.
In the shopping cart, as was said, the simple insertion of six lines of unchanging 'boilerplate code' is all that is needed to transform any normal HTML page into a commercial page.
Since data is saved, but the program itself must be regenerated in each page, flags can be set to force a 'morphing' of the program code from one page to the next.
Discarded segments - those which have been detached from the abstract table - are swept up continually by the garbage collector.
The shopping cart program, for instance, instantiates only a stub of itself, in each page, until a purchase has been made.
If the cart is cleared, then the program reverts again to a stub.
My question to systems experts is whether this behavior could be exploited by current JAVA microchips to create a kind of 'web-based operating system.'
Since both Explorer and Navigator browsers are built on top of Windows, this new operating system, if it were feasible, would be compatible with Windows, and would in fact operate transparently within it.
Since memory is virtual, it is possible that there might be a kind of bandwidth issue.
If too many programs on the net used this technique, then the effectiveness for all might be somewhat diminished.
To retain the option of control, should this be necessary, and assuming that the technique is judged by those with experience to be a useful one, I have filed for a provisional patent on the technique (Provisional Application Number 60/153,232, dated September 13, 1999).
This low-level document is merely a kind of legal placeholder; it puts no current restrictions on the use of this technique by anyone, until such a time as a patent is actually granted, and this requires a further application, and could take several years.
I would appreciate an evaluation of this technique, and its usefulness, by those with the theoretical background to examine it properly.
Is it a bug?
Is it a normal aspect of JAVA that has thus far not been used?
Is it likely to be plugged?
How far could one go in developing this kind of programming?
Probably the best way for experts to get a genuine feel for the technique and its implementation in the shopping cart is to look at the patent, located here.
It includes sample programs that demonstrate precisely where the 'hole' (channel?) in JAVA is located, and how to generate persistence."
Lane Friesen
lanelise@dowco.com
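Editor's note: the behaviour described in the posting above - a value "hung onto" an interface that is initialised only on the first page, shared by every later page that loads the same class from the same codebase, and kept separate for a different codebase - is what standard Java gives you with a static field: the static initialiser runs once per class load, and browsers of the period reused one class loader per applet codebase for the life of the browser process. The example below is added here to show that mechanism in plain Java; it is not the shopping cart from the posting or the patent, and the names CartStore, CartApplet and the "add" and "clear" applet parameters are assumptions made for the illustration. Note that the state is in-process memory only (it is gone when the browser exits) and that any applet loaded through the same class loader, whatever page embeds it, can read and rewrite it.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.util.Vector;

/*
 * Added illustration of the cross-page persistence described in the posting.
 * Assumed names (not from the original shopping cart): CartStore, CartApplet,
 * and the "add" / "clear" applet parameters.
 *
 * A static field is initialised exactly once, when the class is loaded.
 * Browsers of the period kept one class loader per applet codebase, so every
 * CartApplet the browser created from the same codebase and class name shared
 * the same CartStore class, and therefore the same Vector, until the browser
 * exited or the cached class loader was discarded.  A different codebase meant
 * a different class loader, a fresh CartStore and a fresh Vector: the separate
 * "accounts" for different merchants mentioned in the posting.
 */
interface CartStore {
    // Interface fields are implicitly public static final.  The reference is
    // assigned once by the static initialiser and never again (the posting's
    // "re-initialisation is ignored"); the Vector it points to is mutable and
    // survives from page to page.
    Vector ITEMS = new Vector();
}

public class CartApplet extends Applet {

    // Per-page instructions arrive as applet parameters in the HTML, e.g.
    //   <param name="add"   value="sku-123">   add an item on this page
    //   <param name="clear" value="true">      empty the cart on this page
    public void init() {
        String add = getParameter("add");
        if (add != null) {
            addItem(add);
        }
        if ("true".equals(getParameter("clear"))) {
            clear();
        }
    }

    public void paint(Graphics g) {
        // The posting's "stub": with nothing in the cart the applet shows
        // (and does) almost nothing; the stored Vector still exists.
        if (itemCount() == 0) {
            g.drawString("cart empty", 10, 20);
            return;
        }
        g.drawString(itemCount() + " item(s): " + CartStore.ITEMS, 10, 20);
    }

    // The state lives in the class, not in this instance, so these are static.
    // synchronized because several pages (frames, windows) may run at once.
    static synchronized void addItem(String sku) {
        CartStore.ITEMS.addElement(sku);
    }

    static synchronized void clear() {
        CartStore.ITEMS.removeAllElements();
    }

    static synchronized int itemCount() {
        return CartStore.ITEMS.size();
    }

    // Stand-alone check outside a browser (no Applet instance is created,
    // so this also runs headless): each call below stands for one page that
    // loaded the class; later "pages" see what earlier ones stored.
    public static void main(String[] args) {
        addItem("sku-1");   // page 1 adds an item
        addItem("sku-2");   // page 2, same codebase, adds another
        System.out.println("after two pages: " + itemCount() + " item(s)");
        clear();            // page 3 empties the cart, back to the stub
        System.out.println("after clear: " + itemCount() + " item(s)");
    }
}
```

Compile with `javac CartApplet.java` and run `java CartApplet` for the stand-alone check. In a period browser the same effect appears when successive pages embed `<applet code="CartApplet" ...>` with the same codebase; changing the codebase, as the posting observes, gives a separate class loader and therefore a separate ITEMS.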