Communication Security: Web Based Services • Chapter 5 287
used in executing it. The JVM uses a built-in Security Manager, which controls access by way of policies.
As is the case with most of the other Internet programming methods discussed in this section, Java runs on the client side. Generally, this means that the client, rather than the Web server, will experience any problems or security threats posed by the applets. However, if the client machine is damaged in any way by a malicious applet, the user will only know that they visited the site and experienced a problem, and is likely to blame the administrator for it. This will have an impact on the public perception of the site's reliability and the image of the company.
An important part of Java's security is the JVM. The JVM is essentially an emulator that translates the Java byte-code and allows it to run on a PC, Macintosh, or various other platforms. This byte-code does not have direct contact with the OS. It must be filtered through the VM before it can perform any operation directly on the OS.
Since the code is run through a virtual machine, restrictions can be placed on what the code is allowed to do under different circumstances. Normally, when a Java program is run off a local machine, it has the ability to read and write to the hard drive at will, and to send and receive information to any computer that it can contact on a network. However, if the code is programmed as an applet that is downloaded from the Internet, it becomes more restricted in what it can do. Applets cannot normally read or write data to a local hard drive, meaning that in theory a user is perfectly safe from having data compromised by running an applet on his or her system. Applets may also not communicate with any other network resource except for the server from which the applet came. This prevents the applet from contacting anything on an internal network and trying to do malicious things.
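To make the policy-driven sandbox described above concrete, here is an added example (not from the book) that installs an applet-style policy on a plain JVM: the same code can read the disk and reach any host with no Security Manager, and afterwards may only contact its origin host. The class name and the two addresses are constructed; it runs on JDK 8 to 17 (JDK 18 to 23 need `-Djava.security.manager=allow`, and the Security Manager is permanently disabled in JDK 24).

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

// Constructed example: a Policy decides what is granted, the Security Manager enforces it.
public class AppletSandboxDemo {
    // Constructed addresses: the server the "applet" came from, and a host on the internal network.
    static final String ORIGIN_HOST = "192.0.2.10";
    static final String INTRANET_HOST = "10.0.0.5";

    // Ask the installed Security Manager (if any) whether the calling code may perform p.
    static boolean allowed(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true; // no manager installed: a local program runs with the user's full rights
        try { sm.checkPermission(p); return true; } // throws AccessControlException unless the policy grants p
        catch (SecurityException denied) { return false; }
    }
    static void report(String what, Permission p) {
        System.out.println(what + ": " + (allowed(p) ? "allowed" : "DENIED"));
    }
    public static void main(String[] args) {
        Permission readDisk = new FilePermission("/tmp/private.txt", "read");
        Permission toOrigin = new SocketPermission(ORIGIN_HOST + ":80", "connect");
        Permission toIntranet = new SocketPermission(INTRANET_HOST + ":80", "connect");

        System.out.println("-- local program, no Security Manager --");
        report("read local file", readDisk);
        report("connect to intranet host", toIntranet);

        // Applet-style grant set: the origin host only, and no FilePermission at all.
        Permissions sandbox = new Permissions();
        sandbox.add(new SocketPermission(ORIGIN_HOST, "connect,accept,resolve"));
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return sandbox.implies(permission); // here every loaded class is treated as applet code
            }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("-- same code, applet sandbox installed --");
        report("read local file", readDisk);
        report("connect to origin host", toOrigin);
        report("connect to intranet host", toIntranet);
    }
}
```

The checks use IP literals so that `SocketPermission` compares addresses without a DNS lookup and the program runs offline; in a real browser the applet class loader, not a hand-written Policy, assigned the origin-only grant to downloaded code.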
Major issues with Java can occur when there are problems with the Virtual Machine used by browsers on different OSes. Such problems have occurred on several occasions, and are easily remedied by applying the latest patches and upgrades. For example, installations of Microsoft Virtual Machine prior to version 3810 had a vulnerability that could be used by a hacker to execute code on a person's machine. The vulnerability involved the ByteCode Verifier, which didn't check for certain malicious code when applets were being loaded. This allowed hackers to create malicious code in their applets that could be downloaded from a Web site or opened through an e-mail message, allowing the hacker to execute code using the same privileges as the user. In other words, if the person running the applet had administrator privileges on the machine, they would have the same access to running code and causing damage as an administrator.
Despite several holes in the implementation of the JVM by Microsoft and Netscape, as the products mature, they become more solid. For the most part, Java
www.syngress.com