Untrusted Applications Need Trusted Operating Systems *

By Paul Karger
IBM Corporation

The security issues of languages such as Java, Javascript, ActiveX, PostScript, etc., are not new. The desire to run untrusted applications goes back to the earliest days of computer security. The original Anderson panel report describes an extremely limited subset of GECOS Time-Sharing FORTRAN that was intended to encapsulate untrusted applications and allow them to run safely on sensitive DoD computer systems. Even though the subset eliminated most of the useful features of FORTRAN, Anderson was still able to easily break out of the subset language, exploit a vulnerability in the underlying operating system, and gain fully privileged status on the GE-635 computer. This was the equivalent of gaining root access on a modern UNIX system. Except that FORTRAN was compiled, rather than interpreted, this scenario bears a remarkable resemblance to downloaded code running in a Java sandbox.

However, the security implications of downloading Java, PostScript, ActiveX, or Microsoft Word programs from arbitrary Web pages are significant because such downloaded applets could easily contain malicious code, such as trap doors, Trojan horses, or viruses. Such malicious code could be downloaded and executed by a simple click on a Web hypertext link, yet the innocent user might not even know that he was downloading a program. Similar attacks are also possible from MIME attachments to electronic mail.

The designers of Java were aware of such issues, and built a number of features into Java to reduce the risks of downloaded applets. However, analysis by a team from Princeton University, as well as by a number of others on the Internet, has shown that the existing countermeasures in Java have weaknesses. It is very important to note that Java security has received a great deal of attention precisely because the Java designers attempted to solve the problems. No one has attempted to solve these same problems for the other languages.

Limiting the damage potential of malicious applications is perhaps the hardest problem in all of computer security. It is the reason that the computer security community developed the concepts of a Trusted Computing Base (TCB), lattice security models to enforce confinement on untrusted applications, and high levels of assurance to avoid the problems of exploitable implementation flaws. Unfortunately, in the rush to support downloading applications from the Web, many of these computer security principles were overlooked by the developers of recent Web technologies.

To succeed against the highly sophisticated attackers that we see on the Internet today, the Java sandbox needs underlying operating system support to isolate applets from each other and to ensure that any given applet gets access only to exactly the information that it needs to perform its task and nothing else. Such operating system security support is unavailable in the most widely used client systems, such as DOS, Windows 95, the Macintosh OS, or OS/2. Systems based on UNIX or Windows NT provide at least some assistance because they support a separate user and supervisor state, file access controls, and can limit the damage a user process can do. To take advantage of such a system, the Java Virtual Machine (JVM) would have to be modified to run each applet in a separate process or address space. Even stronger protection could be afforded by a capability-based system, such as OS/400, for limiting the access rights of an applet to exactly the information needed and no more. Similar techniques could be used for the other languages used for downloaded applications.

To allow customized access rights, each downloaded program needs to be digitally signed to unambiguously identify its source and to allow a decision to be made of what rights to grant the downloaded program. However, digitally signing downloaded programs without the corresponding operating system support provides only very limited benefits, because one downloaded program could attack another downloaded program and steal its privileges.
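The decision step described above, as an added example that is not part of the original paper: a downloaded program is accepted only if its Ed25519 signature verifies, and the rights it receives are looked up from a policy keyed by the signer's public-key fingerprint (the `Rights`, `SignedApplet` and `Policy` types and the sample policy are constructed for this illustration). As the paragraph notes, this only decides what rights to grant; enforcing them against other downloaded programs still depends on operating system isolation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// Rights is the permission set granted to a downloaded program (constructed for this example).
type Rights struct {
	ReadFiles  []string
	NetConnect bool
}

// SignedApplet bundles the downloaded code with its signature and the signer's public key.
type SignedApplet struct {
	Code   []byte
	Sig    []byte
	Signer ed25519.PublicKey
}

// keyID gives a stable identifier for a signer: the SHA-256 fingerprint of the public key.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Policy maps trusted signer fingerprints to the rights that signer's programs may be granted.
type Policy map[string]Rights
// Decide verifies the signature over the code and returns the rights configured for its signer.
// A program whose signature fails, or whose signer is not in the policy, receives no rights at all.
func (p Policy) Decide(a SignedApplet) (Rights, bool) {
	if len(a.Signer) != ed25519.PublicKeySize || !ed25519.Verify(a.Signer, a.Code, a.Sig) {
		return Rights{}, false
	}
	r, ok := p[keyID(a.Signer)]
	return r, ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("applet bytecode (constructed sample)")
	applet := SignedApplet{Code: code, Sig: ed25519.Sign(priv, code), Signer: pub}
	policy := Policy{keyID(pub): Rights{ReadFiles: []string{"/tmp/applet-scratch"}}}
	fmt.Println(policy.Decide(applet)) // rights granted: signature valid, signer trusted
	applet.Code[0] ^= 1                // code altered in transit: signature no longer verifies
	fmt.Println(policy.Decide(applet)) // no rights granted
}
```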

The level of sophistication of the attackers on the Internet has grown significantly in recent years. This has been exacerbated by the spread of attack toolkits in the underground that allow relatively unsophisticated attackers to carry out very complex attacks that they could not have implemented by themselves. The types of attack commonly seen today on the Internet are as bad as anything that the original authors of the Orange Book envisioned as needing B3 or A1 levels of security. The days of commercial users only needing C2 are long past. Downloaded hostile applications from the Web can only be controlled by applying systems of such a high level of assurance. Unfortunately, such high assurance systems are still not generally available, nor will they be anytime soon.

In summary, IBM is strongly committed to Java technology. We believe it offers many benefits in the implementation of platform-independent Internet applications, and we will offer Java in many of our products. However, IBM is also aware of the security risks when Java applets are downloaded from the Internet. These risks are not unique to Java, but are also present in ActiveX, PostScript, Microsoft Word macros, and many other languages. We want to offer our customers both guidance and product features for using Java technology wisely and securely.


* Karger, P.A. Untrusted Applications Need Trusted Operating Systems. 19th National Information Systems Security Conference, 1996. National Institute of Standards and Technology, National Computer Security Center: Baltimore, MD. p. 847-848.



Java™ is a trademark of Sun Microsystems, Inc.
Other companies, products, and service names may be trademarks or service marks of others.
