http://www.spinellis.gr/pubs/Breview/1999-CR-JavaSec/html/review.html This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:
Diomidis Spinellis
University of the Aegean
"Securing Java" provides an accessible overview of Java-related security issues. The first chapter of the book provides an introduction to the problems of mobile code security and to the two approaches for dealing with them, the sandbox model and code signing. The second chapter details the base Java security model, describing the differences between trusted and untrusted code, as well as the components of the Java security architecture. The authors distinguish two classes of attack applets: those that gain limited access to the machine to mount denial of service or breach of privacy attacks, and the more threatening ones which gain unlimited access to all host resources. A chapter is devoted to each applet class, describing one by one the corresponding known exploits. Many of the 15 listed vulnerabilities that provide unlimited access to a host are dated, as they apply to older browsers such as Netscape 2.0. However, their description is useful, because it serves as a reminder of typical security-related pitfalls. Chapter 6 surveys, with a critical eye, commercial products that offer solutions to Java security problems. In an application area where a number of snake oil solutions are being offered, the authors are to be commended for clearly identifying risks that cannot be addressed by current technology. Prescriptive guidelines for using Java securely and for writing secure programs in it are the subject of Chapter 7 - a must-read for developers or end-users who want a quick tutorial on the practical aspects of Java security. The final two chapters offer a view of the future. Java has been touted as a suitable vehicle for embedded applications. Chapter 8 describes an area where security is of paramount importance: the use of Java in smart cards. The final chapter provides a list of the lessons learned concerning the security of Java and examines the future of Java security.
Three appendices complement the book: the first contains Princeton's frequently asked questions document concerning Java security and a comparison with ActiveX, the second contains pointers to other relevant written and on-line material, and the third is a tutorial on signing Java code.
The book is mainly addressed to those who are exposed to Java applets (practically anyone with a modern Web browser) or who want to use Java technology, and who want to be educated on the features and failures of Java's security model. It is evident that the authors have tried very hard to make the book accessible to a wide, non-expert audience. Most concepts, such as the Internet domain name system, the Java linking process, and type compatibility, are explained at the point where they are needed. This is supposed to help novice readers, but it sometimes distracts from the normal flow of the text. The simplified explanations also result in superficial coverage of some attacks and in occasional minor inaccuracies. In addition, because many Java-related concepts are not spelled out - such elucidation could easily double the book's content - an in-depth knowledge of Java is needed in order to understand the intricacies of some attacks. The book can also serve researchers and implementors of Java infrastructure (developers of virtual machines, compilers, and Web browsers) as a survey of the security attacks exploiting Java technology and of the current state of the art in protection mechanisms.
Developments in Java technology and new, sophisticated attack methods have made the authors' original work on Java security [1] somewhat dated. This book updates and expands the contents of the older work up to and including the introduction of Java 2. Although non-Java security concepts, such as Microsoft's ActiveX, are discussed, anyone seriously interested in Web application security should complement this book with the work by Rubin et al. [2].
Given the book's probable audience, the authors cover its subject area in sufficient depth and breadth. The diverse material presented in some chapters could be better organized into subsections, while a different content structure might have eliminated a large number of forward references. Two other quibbles concern an occasionally overly breezy writing style and the over-use of bullet-type lists; both sometimes impede the generally smooth flow of the text. The book contains a large number of well-drawn diagrams which aid in explaining difficult concepts such as attack methods, protocol sequences, and network configurations. Although icons and diverse shapes are used to make them accessible, this goal might be better served by using a standard notation such as the Unified Modeling Language. The book benefits from a thorough index, a companion website (www.rstcorp.com/java-security.html), and an annotated Java security hotlist contained in an appendix. I would recommend the book to anyone wishing to get a complete overview of the current state of the art in Java security.