Re: Mobile Code Security???

From: Steve Bellovin (smbat_private)
Date: Wed Apr 29 1998 - 14:30:57 PDT

    	 How is it different, from 30,000 feet, to download a Java applet
    	 from my site and run it, than to download linux and run it? Or
    	 to buy a copy of Windows NT?
    
    The essential difference, I think, is one of scale.  On the average,
    I probably don't buy new programs more than once every few weeks (if
    that often).  Corporate machines get even less new software.  But applets?
    
    A quick glance at my .netscape/cache directory shows about 200 files,
    roughly 2/3 of which are pictures.  None of the files are more than
    18 hours old.  Given the desire of the commercial world for
    dancing pig advertisements, we can, I think, assume that a fair
    percentage of the 65-odd html files would have some active content.
    20%, perhaps?  That works out to about 8 applets per *day*.
    (My usual daytime machine isn't showing any applet-bearers in the
    cache right now, but that may be because it's mostly pages from one
    site.  A check of two other machines I use shows an applet percentage
    of 10-33%.)  That's at least 2 orders of magnitude more foreign code
    than I normally see.  I don't think our mental or our technical
    trust models scale that well.
    
    	 UNIX has had
    	 its share of flaws in its sandbox, just like the flaws in
    	 Java's sandbox: weird parameters to certain system calls could
    	 step on uid values in kernel space, etc.
    
    Actually, remarkably few UNIX bugs have been in the kernel.  Most have
    either let outsiders in, or have been in setuid programs.
    	 
    	 Anyhow - downloadable content? I think ActiveX is dead/dying.
    	 Java is in trouble, and JavaScript isn't in great shape, either.
    	 Something else will come along soon and it'll probably have
    	 lame security, too. :) All things being equal, I wish that the
    	 browser boys had thought to just download C code, then do an
    	 on-the-fly compilation and link against a "sandbox" shared
    	 library. It'd have been easier, every bit as portable, and
    	 fast. Live'n'learn.
    
    A better run-time library can't protect C; you need kernel support for
    that.  It's a good question what form it should take.
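
    The following is an added illustration of the last point, not code from
    this thread or from either poster.  A "sandbox" shared library can only
    check the calls that downloaded code chooses to route through it; C code
    can issue the system call itself and skip the library entirely.  Kernel
    support (here Linux seccomp-bpf, which postdates the thread) applies the
    same policy no matter how the syscall is issued.  The allowlist, the
    function names and the choice of open(2)/openat(2) as the policed calls
    are assumptions of the example; it is Linux-only.

```c
/* Added example, not from the original thread.  Linux-only.  The allowlist,
 * function names and the seccomp policy below are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifdef SYS_open
#define OPEN_NR SYS_open
#else
#define OPEN_NR SYS_openat   /* e.g. aarch64 has no legacy open(2) */
#endif

/* --- "sandbox shared library": the policy lives in user space --- */

/* Hypothetical allowlist: the only path the library lets code open. */
static const char *const allowed_paths[] = { "/dev/null", NULL };

/* What such a library would export in place of open(2).
 * Returns a descriptor, or -1 with errno = EACCES for a disallowed path. */
int sandboxed_open(const char *path)
{
    for (size_t i = 0; allowed_paths[i] != NULL; i++)
        if (strcmp(path, allowed_paths[i]) == 0)
            return open(path, O_RDONLY);
    errno = EACCES;
    return -1;
}

/* What hostile downloaded C code does instead: it never calls the library,
 * it asks the kernel directly, so the allowlist above is never consulted. */
int bypass_open(const char *path)
{
    return (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
}

/* --- kernel support: seccomp-bpf enforces the policy --- */

/* Make the kernel fail open(2)/openat(2) with EPERM for this process,
 * however the call is issued.  Irrevocable once installed.
 * Returns 0 on success, -1 with errno from prctl(2) on failure. */
int install_kernel_filter(void)
{
    struct sock_filter filter[] = {
        /* refuse a foreign syscall ABI (x32/compat) instead of misreading nr */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* load the syscall number; either open-family call jumps to the deny */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, OPEN_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    int fd = sandboxed_open("/etc/passwd");      /* the library says no ... */
    printf("library check: %s\n", fd < 0 ? "refused" : "allowed");
    fd = bypass_open("/etc/passwd");             /* ... but is simply not asked */
    printf("raw syscall:   %s\n", fd < 0 ? "refused" : "opened");
    if (fd >= 0) close(fd);
    if (install_kernel_filter() != 0) { perror("seccomp"); return 1; }
    fd = bypass_open("/etc/passwd");             /* now the kernel refuses */
    printf("after seccomp: %s\n", fd < 0 ? strerror(errno) : "opened");
    return 0;
}
```

    Run as an ordinary user: the library wrapper refuses /etc/passwd, the raw
    syscall opens it anyway, and only after the filter is installed does the
    same raw syscall fail with EPERM.  Note that the filter also breaks the
    library's own open() of an allowed path, which is the point: once the
    policy is in the kernel, the user-space library is just a convenience,
    not the security boundary.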
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:44 PDT