|
|
|
|
Sponsored Link •
|
|
Advertisement
|
Java's security model, while far-reaching, does not address all potential threats posed by mobile code. For example, two potential activities of malicious mobile code that are not currently addressed by Java's security model are:
These kinds of attacks are called denial of service, because they deny the end-users from using their own computers. The Java security model does not currently offer ways to limit the usage of threads or memory by untrusted code. The difficulty in attempting to thwart this kind of hostile code is that it is hard to tell the difference, for example, between a hostile applet allocating a lot of memory and an image processing applet attempting to do useful work. Nevertheless, this kind of attack is a serious concern in certain situations, such as mission critical servers that run Java servlets.
Another area not currently incorporated into the security model is the idea of awarding permissions to principals on whose behalf code is being executed. A familiar example of this kind of access control is the UNIX operating system, which controls access to files based on a user ID that can only be obtained via an correct login name and password. As this kind of access control will be important in distributed systems such as those made possible by Jini, Sun is actively working to add this kind of user-centric security functionality to Java. The aim of the Java Authentication and Authorization Service (JAAS) is to enable access control to be based not just on the permissions granted to codebases and signers, but also on permissions granted to principals: the users who execute the code.
To be effective, a computer or network security strategy must be comprehensive. It cannot consist exclusively of a sandbox for running downloaded Java code. For instance, it may not matter much that the Java applets you download from the internet and run on your computer can't read the word processing file of your top-secret business plan if you:
The nice thing about Java's security model is that once you set it up, it does most of the work for you.
You don't have to worry about whether a particular program is trusted or not--the Java runtime will
determine that for you; and if it is untrusted, the Java runtime will protect your assets by encasing the
untrusted code in a sandbox. The trouble is that, even though the designers of Java's security infrastructure
did a good job of keeping things as simple as possible, the high degree functionality and flexibility offered
by the security infrastructure demands a significant degree of complexity. As mentioned in the
answer.txt file, which class Stranger so very much wanted
to read in the AccessController examples given earlier in this chapter, complexity
itself can represent a threat to security. The more complicated a security infrastructure becomes, the more
likely parties responsible for configuring security will either make mistakes that open up security holes or
avoid using the security infrastructure altogether.
End-users of Java software cannot rely solely on the security mechanisms built into Java's architecture. They must have a comprehensive security policy appropriate to their actual security requirements. Similarly, the security strategy of Java technology itself does not rely exclusively on the architectural security mechanisms described in this chapter. For example, one aspect of Java's security strategy is that anyone can sign a license agreement and get a copy of the source code of Sun's Java Platform implementation. Instead of keeping the internal implementation of Java's security architecture a secret "black box," it is open to anyone who wishes to look at it. This encourages security experts seeking a good technical challenge to try and find security holes in the implementation. When security holes are discovered, they can be patched. Thus, the openness of Java's internal implementation is part of Java's overall security strategy. Besides openness, there are several other aspects to Java's overall security strategy that don't directly involve its architecture. For more information about Java's overall security strategy, visit the resources page.
For more information about Java and security, see the resources page:
http://www.artima.com/insidejvm/resources/.
|
Sponsored Links
|