Why Security?
Don't just trust any executable code, not even when it comes from an apparently trustworthy source.
This lesson was first learned the hard way with the famous Internet worm of November 3, 1988, which
effectively shut down the net. A 23-year-old student, Robert Morris, had created a program that would
propagate over the network, installing a copy of itself on every computer it met along the way. But the
bit of code that was supposed to ensure that each machine only got a single copy of the worm didn't
work, and thousands of Internet hosts ground to a halt as they became infested with hundreds of worms
each. Administrators of clean machines axed their net connections to avoid infection, and for a few days
the Internet ceased to exist.
Amazingly enough, this lesson is still being learned at great cost every day. Some of the most popular
e-mail applications and word processors are perfectly happy to execute macros, scripts, and active
controls without any user intervention. Such executable content can gain access to the most sensitive
system services, such as the hard drive or the operating system. This is possible because what little
security is in place appears to be an afterthought. More than a decade after the worm, its descendants
thrive. The worm was, in fact, a fairly benign creature, which had run amok due to a programming
error. Most of the current crop is spread by design, and some of them have been created to cause as
much damage as possible.
The Internet worm actually spread through a vulnerability in the commonly-used sendmail mail
transport program. Sendmail featured a handy facility allowing programmers to debug it over the net.
For the worm, this turned out to be a handy facility allowing it to run just about anything on any mail
host. Clearly, it pays to be very careful about the services provided by an Internet server. Sensitive
services need to be carefully protected so that only authorized users can access them. Services must also
be able to handle unexpected input so they cannot be subverted.
For example, one of the most common security holes in server software is insufficient protection of
memory buffers. An unprotected buffer overflows when the input is unexpectedly long, overwriting
adjacent memory locations. Hackers have used such carelessness to break into the most tightly
secured machines. This, too, is a lesson still being learnt daily.
New vulnerabilities are being discovered every week in some of the world's most popular server
software. For up to date information and security bulletins, see the website of the Computer Emergency
Response Team (CERT, http://www.cert.org).
Java Security
In Java, Sun has addressed security issues from the very start:
- The Java language ensures that array access never goes out of bounds. Any attempt to access memory beyond the array boundaries results in an ArrayIndexOutOfBoundsException. This prevents buffer overflows and underflows.
- The pointers and unions that lie at the root of so many bugs in C and C++ are not supported. Together with garbage collection, this prevents uncontrolled memory access.
- Casts are always checked and throw a ClassCastException if illegal. That way, code can never get around security features by casting an object to an incompatible type.
- Before Java bytecode (that is, a .class file) is loaded as a class, the virtual machine runs a bytecode verifier to ensure that the code is valid. This makes it impossible to construct invalid bytecode that could cause the JVM to behave in unexpected ways.
- The language does not contain any low-level constructs that would allow direct hardware access. All access has to go through the Java libraries, with the sole exception of Java Native Interface (JNI) calls.
- The libraries enforce security by blocking Java programs from accessing the system unless they are allowed to do so. Any attempt to perform a prohibited operation will cause a SecurityException to be thrown.
- Finally, there is extensive support for cryptography. Cryptography is essential to data protection and authentication. We will return to it in Chapter 14.
These features make Java arguably the best language to implement Internet-secure applications,
although it is important to remember that there may still be security bugs in the JVM implementation
itself. If we want to safely use Java networking to connect to services on the net, or to implement
services made available over the net, we need to be familiar with its security support.
Broadly speaking, there are two types of Java programs. Applications need to be installed by the user
before they can be used. An application is typically purchased or downloaded from a trusted source. It
takes an explicit action to install and run it. Traditionally, the user implicitly trusts an application with
full access to the machine; later in this chapter, we will see how Java 2 refines this by allowing the user
to confer specific levels of trust using certificates.
Applets, on the other hand, are primarily Java programs embedded within web pages. They can be used
to make a page more interactive, or to access a server resource such as a database without the delay
associated with server-side processing. They execute automatically when you view the web page that
contains the applet, unless Java is disabled on the user's browser. The user does not know whether a
web page contains an applet and if the applet can be trusted. Like executable content within an e-mail,
an applet should be treated as if it contained malicious code.
The basic Java security model directly reflects this fundamental difference between applications and
applets. Applications get full access to all system resources, while applets run in a protected
environment known as a sandbox.
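The following program is an added example, not code from the book, and it illustrates two of the passages above at once: the runtime checks in the list of Java security features (array bounds, checked casts, SecurityException) and the application-versus-sandbox distinction just described. The class name SecurityChecksDemo, the NoFileReadManager sandbox policy and the file path it probes are all assumptions made for the example. The SecurityManager part reflects the Java 2 model the chapter discusses; it is deprecated since JDK 17, on JDK 18 to 23 the program must be run with -Djava.security.manager=allow, and on JDK 24 and later System.setSecurityManager always throws UnsupportedOperationException, which the code catches.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Permission;

// Added example (not from the book): exercises the runtime checks listed in the
// text and shows the same operation once with full access and once in a sandbox.
public class SecurityChecksDemo {

    // Bounds check: an index past the end is rejected instead of overwriting memory.
    static String boundsCheck(int index) {
        byte[] buffer = new byte[8];
        try {
            buffer[index] = 1;   // would silently overflow in C; Java checks the index
            return "write ok";
        } catch (ArrayIndexOutOfBoundsException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Cast check: an object cannot be reinterpreted as an unrelated type.
    static String castCheck(Object o) {
        try {
            String s = (String) o;
            return "cast ok: " + s;
        } catch (ClassCastException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Hypothetical sandbox policy for this example: everything is permitted
    // except reading files, which is refused with a SecurityException.
    static class NoFileReadManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // no-op: permit everything not covered by a more specific check
        }

        @Override
        public void checkRead(String file) {
            throw new SecurityException("sandbox: file read denied for " + file);
        }
    }

    // Opens a file; FileInputStream consults the installed SecurityManager first,
    // so under the sandbox this returns the "rejected" branch.
    static String sandboxedRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "opened " + path;
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "io error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(boundsCheck(3));   // write ok
        System.out.println(boundsCheck(8));   // rejected (index 8 is out of bounds)
        System.out.println(castCheck("hello"));
        System.out.println(castCheck(Integer.valueOf(42)));

        // Application case: no SecurityManager installed, full access to the machine.
        String probe = "/etc/hostname";   // assumed path; any readable file will do
        System.out.println("application: " + sandboxedRead(probe));

        // Sandbox case: install the manager, as the applet model does for untrusted code.
        try {
            System.setSecurityManager(new NoFileReadManager());
            System.out.println("sandbox:     " + sandboxedRead(probe));
        } catch (UnsupportedOperationException e) {
            // JDK 18+ without -Djava.security.manager=allow, or JDK 24+ unconditionally
            System.out.println("SecurityManager not available on this JDK: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SecurityChecksDemo.java && java SecurityChecksDemo` (add `-Djava.security.manager=allow` on JDK 18 to 23). The first two calls show why the buffer-overflow hole from the sendmail discussion cannot occur in pure Java, and the last two runs of sandboxedRead show the same code behaving differently depending only on whether a sandbox is in place, which is exactly the application-versus-applet difference the chapter draws.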