Untrusted Applications Need Trusted Operating Systems *
By Paul Karger
IBM Corporation
The security issues of languages such as Java, Javascript, ActiveX, PostScript, etc.,
are not new. The desire to run untrusted applications goes back to the earliest days
of computer security. The original Anderson panel report describes an extremely
limited subset of GECOS Time-Sharing FORTRAN that was intended to encapsulate
untrusted applications and allow them to run safely on sensitive DoD computer systems.
Even though the subset eliminated most of the useful features of FORTRAN, Anderson was
still able to easily break out of the subset language, exploit a vulnerability in the
underlying operating system, and gain fully privileged status on the GE-635 computer.
This was the equivalent of gaining root access on a modern UNIX system. Apart from the
fact that FORTRAN was compiled rather than interpreted, this scenario bears a remarkable
resemblance to downloaded code running in a Java sandbox.
However, the security implications of downloading Java, PostScript, ActiveX, or
Microsoft Word programs from arbitrary Web pages are significant because such
downloaded applets could easily contain malicious code, such as trap doors,
Trojan horses, or viruses. Such malicious code could be downloaded and executed
by a simple click on a Web hypertext link, yet the innocent user might not even
know that he was downloading a program. Similar attacks are also possible from
MIME attachments to electronic mail.
The designers of Java were aware of such issues, and built a number of features
into Java to reduce the risks of downloaded applets. However, analysis by a team
from Princeton University, as well as by a number of others on the Internet, has
shown that the existing countermeasures in Java have weaknesses. It is very important
to note that Java security has received a great deal of attention precisely because
the Java designers attempted to solve the problems. No one has attempted to solve
these same problems for the other languages.
Limiting the damage potential of malicious applications is perhaps the hardest
problem in all of computer security. It is the reason that the computer security
community developed the concepts of a Trusted Computing Base (TCB), lattice
security models to enforce confinement on untrusted applications, and high levels
of assurance to avoid the problems of exploitable implementation flaws. Unfortunately,
in the rush to support downloading applications from the Web, many of these computer
security principles were overlooked by the developers of recent Web technologies.
To succeed against the highly sophisticated attackers that we see on the Internet
today, the Java sandbox needs underlying operating system support to isolate applets
from each other and to ensure that any given applet gets only access to exactly the
information that it needs to perform its task and nothing else. Such operating system
security support is unavailable in the most widely used client systems, such as DOS,
Windows 95, the Macintosh OS, or OS/2. Systems based on UNIX or Windows NT provide at
least some assistance because they support a separate user and supervisor state, file
access controls, and can limit the damage a user process can do. To take advantage of
such a system, the Java Virtual Machine (JVM) would have to be modified to run each
applet in a separate process or address space. Even stronger protection could be
afforded by a capability-based system, such as OS/400, for limiting the access rights
of an applet to exactly the information needed and no more. Similar techniques could
be used for the other languages used for downloaded applications.
To allow customized access rights, each downloaded program needs to be digitally signed
to unambiguously identify its source and to allow a decision to be made of what rights
to grant the downloaded program. However, digitally signing downloaded programs without
the corresponding operating system support provides only very limited benefits, because
one downloaded program could attack another downloaded program and steal its privileges.
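The signing-and-rights decision described above, as an added example in Go that is not from the paper: a program's signature identifies its source, a policy table maps that source to rights, and anything unsigned, altered in transit, or from an unknown signer gets nothing. The key pair, policy entry, and applet bytes are constructed for the example; the Rights record is only the decision, which the operating system must then enforce by process isolation and access controls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Rights a downloaded program may be granted. The record alone protects nothing: the
// operating system (separate process, file access controls) has to enforce it.
type Rights struct {
	ReadPaths []string // directory prefixes the program may read
}

// SignedProgram is what arrives over the Web: code, detached signature, claimed source.
type SignedProgram struct {
	Code, Signature []byte
	Signer          ed25519.PublicKey
}

// Policy maps a trusted signer's public key to the rights its programs receive.
type Policy map[string]Rights

// Sign produces the signed program a publisher would ship.
func Sign(priv ed25519.PrivateKey, code []byte) SignedProgram {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedProgram{Code: code, Signature: ed25519.Sign(priv, code), Signer: pub}
}

// DecideRights verifies the signature, identifies the source and looks up its rights.
// Unsigned, tampered or unknown-source programs get no rights at all (ok == false).
func DecideRights(p SignedProgram, policy Policy) (Rights, bool) {
	if len(p.Signer) != ed25519.PublicKeySize || !ed25519.Verify(p.Signer, p.Code, p.Signature) {
		return Rights{}, false
	}
	r, ok := policy[string(p.Signer)]
	return r, ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	policy := Policy{string(pub): {ReadPaths: []string{"/tmp/applet-a/"}}}
	signed := Sign(priv, []byte("applet code")) // constructed stand-in for real code
	fmt.Println(DecideRights(signed, policy))   // {[/tmp/applet-a/]} true
	tampered := SignedProgram{Code: append([]byte("x"), signed.Code...), Signature: signed.Signature, Signer: pub}
	fmt.Println(DecideRights(tampered, policy)) // {[]} false
}
```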
The level of sophistication of the attackers on the Internet has significantly grown in
recent years. This has been exacerbated by the spread of attack toolkits in the
underground that allow relatively unsophisticated attackers to carry out very complex
attacks that they could not have implemented by themselves. The types of attack
commonly seen today on the Internet are as bad as anything that the original authors
of the Orange Book envisioned as needing B3 or A1 levels of security. The days of
commercial users only needing C2 are long past. Downloaded hostile applications from
the Web can only be controlled by applying systems of such a high level of
assurance. Unfortunately, such high assurance systems are still not generally
available, nor will they be anytime soon.
In summary, IBM is strongly committed to Java technology. We believe it offers many
benefits in the implementation of platform-independent Internet applications, and we
will offer Java in many of our products. However, IBM is also aware of the security
risks when Java applets are downloaded from the Internet. These risks are not unique
to Java, but are also present in ActiveX, PostScript, Microsoft Word macros, and many
other languages. We want to offer our customers both guidance and product features
for using Java technology wisely and securely.
* Karger, P.A. Untrusted Applications Need Trusted Operating Systems.
19th National Information Systems Security Conference, 1996. National Institute
of Standards and Technology, National Computer Security Center:
Baltimore, MD. pp. 847-848.