1 Mobile Code l Java Review –Java code is platform independent and runs within a “sandbox”, or...


Page 1: 1 Mobile Code l Java Review –Java code is platform independent and runs within a “sandbox”, or a set of restrictions that keep downloaded applets from.

1

Mobile Code Java Review

– Java code is platform independent and runs within a “sandbox”, or a set of restrictions that keep downloaded applets from accessing resources that they should not be able to. (Local files, for example.)

– Java code can be digitally signed to prove who the source of the applet is. These signed bundles of code can be packaged into JARs and downloaded to the browser.

» With the addition of code signing, Netscape added the capabilities classes, so that applets can request additional privileges that are approved by the user.
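The sandbox-plus-signing model the slide describes (everything denied by default, signed code may request more, the user decides) can be made concrete with a small model. This is an added illustration, not code from the slides, from Java or from Netscape's capabilities classes: an HMAC over the code with a pre-shared publisher key stands in for JAR certificate signatures, the publisher name and key are constructed, and every capability name is invented. Note that a valid signature only changes who is asking; it grants nothing on its own.

```python
"""Toy model of an applet sandbox with requestable capabilities (added example)."""
import hashlib
import hmac

# Constructed trust store: publisher -> verification key the browser already holds.
TRUSTED_PUBLISHERS = {"acme-software": b"acme-verification-key (constructed)"}

# Granted to every applet, signed or not.
DEFAULT_CAPABILITIES = frozenset({"draw-on-screen", "connect-to-origin"})
# May be requested by signed code, but only the user can grant them (invented names).
GRANTABLE_CAPABILITIES = frozenset({"read-local-files", "write-local-files", "connect-anywhere"})


class SandboxViolation(PermissionError):
    """Raised when code uses a capability it has not been granted."""


def sign(code: bytes, publisher: str) -> bytes:
    """Publisher side: what signing the bundle produces (HMAC stands in for a certificate signature)."""
    return hmac.new(TRUSTED_PUBLISHERS[publisher], code, hashlib.sha256).digest()


def verify_signature(code: bytes, publisher: str, signature: bytes) -> bool:
    """Authenticates the *source* of the code; says nothing about what the code does."""
    key = TRUSTED_PUBLISHERS.get(publisher)
    if key is None:
        return False
    expected = hmac.new(key, code, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


class Sandbox:
    """Default-deny capability set; signed code may ask for more, the user answers."""

    def __init__(self, publisher, ask_user):
        self.publisher = publisher      # None for unsigned or unverifiable code
        self.ask_user = ask_user        # callback (publisher, capability) -> bool, i.e. the user's dialog
        self.granted = set(DEFAULT_CAPABILITIES)

    def enable_privilege(self, capability: str) -> bool:
        """The 'capabilities classes' flow: the applet asks, the user decides."""
        if capability in self.granted:
            return True
        if self.publisher is None or capability not in GRANTABLE_CAPABILITIES:
            return False                # unsigned code cannot even ask
        if self.ask_user(self.publisher, capability):
            self.granted.add(capability)
            return True
        return False

    def check(self, capability: str) -> None:
        if capability not in self.granted:
            raise SandboxViolation(f"{capability} denied for {self.publisher or 'unsigned code'}")


def load_applet(code: bytes, publisher=None, signature=None, ask_user=lambda p, c: False) -> Sandbox:
    """A missing or bad signature degrades the applet to unsigned; it does not widen anything."""
    if publisher and signature and verify_signature(code, publisher, signature):
        return Sandbox(publisher, ask_user)
    return Sandbox(None, ask_user)


def run_applet(code, publisher=None, signature=None, ask_user=lambda p, c: False) -> dict:
    """Simulates an applet that draws on screen and then tries to read a local file."""
    sandbox = load_applet(code, publisher, signature, ask_user)
    outcome = {"publisher": sandbox.publisher, "drew": False, "read_file": False}
    sandbox.check("draw-on-screen")     # in the default set, always allowed
    outcome["drew"] = True
    if sandbox.enable_privilege("read-local-files"):
        sandbox.check("read-local-files")
        outcome["read_file"] = True     # a real applet would open the file here
    return outcome


if __name__ == "__main__":
    applet = b"constructed applet bytes"
    sig = sign(applet, "acme-software")
    print("unsigned:", run_applet(applet))
    print("signed, user declines:", run_applet(applet, "acme-software", sig))
    print("signed, user approves:", run_applet(applet, "acme-software", sig, ask_user=lambda p, c: True))
```

The three runs in the `__main__` block show the ordering that matters: the signature is checked first and only establishes an identity, the default capability set applies to everyone, and the file read happens only when a verified publisher asks and the user says yes. A tampered bundle or an unknown publisher simply lands in the unsigned case.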


2

Mobile Code JavaScript Review

– JavaScript is an interpreted scripting language embedded into HTML pages, and is interpreted when the page is loaded.

– A code signing and bundling facility has been added to JavaScript as well, allowing sites to distribute cryptographically authenticated scripts.

» Netscape added the capabilities classes to JavaScript as well, which allows JavaScript more control over page layout and design.


3

Mobile Code ActiveX - Overview

– ActiveX is a name that covers a fairly broad category of items on a Microsoft operating system. Originally MS provided OLE as a way of encapsulating and interacting with the operating system. Although these programs were not specific to an application, they were specific to the OS as well as the processor.

– As ActiveX is a derivative of OLE, it has these same limitations; restricted to Microsoft operating systems and the Intel processors.


4

Mobile Code ActiveX - Overview (continued)

– ActiveX was designed with a deep understanding of security in mind, and therefore used advanced cryptographic techniques to ensure security in all areas of its design. The security model can be described as follows:

» ActiveX controls are digitally signed to authenticate the author. The user must decide if they trust the sender, and if they do, the control is allowed to execute.


5

Mobile Code ActiveX - General Problems

– ActiveX is machine native code and does not run under any restrictions on the client machine. The code does not even necessarily need to draw anything on the screen; it can simply download and perform arbitrary actions on the client machine without necessarily being detected.

– The code has no limits on what it can do when it executes. There is no sandbox, no limits on network connections, or file access.

» NT could enforce some restrictions on where a user writes, but by default the permissions are almost completely open.


6

Mobile Code ActiveX - Trust Issues

– The reliance of ActiveX on the digital signatures is troubling. You, as a user, must place complete trust in the author that:

» The code they write will not purposefully attack your machine, network, transmit your files, or perform other operations on your machine that you don’t wish.

» That the code does not accidentally (via a bug or a side effect) do any of the above operations.

» The code signers keep their keys safe and secure, and that nobody who leaves the company has the keys with which to sign code.

– This is not reasonable.


7

Mobile Code ActiveX - Example Exploit

– One exploit that was demonstrated was the combination of a signed ActiveX control and the Quicken financial management software. Quicken has access to bank account information and can electronically manage the money in these accounts. The data is encrypted, but pending requests reside in a queue so that the next time the application is connected, it will perform these operations.

– An ActiveX control was written that was silently downloaded, looked for Quicken, and inserted a transfer of money into the attacker’s account.


8

Mobile Code JScript

– JScript is mentioned for the sake of completeness. It is a derivative of JavaScript, and performs some of the same operations, and some additional operations that JavaScript cannot.

– How JScript inter-operates with different components within Internet Explorer is not well defined, and has not been studied as thoroughly as Netscape’s LiveConnect. It is quite possible that there are privacy and information migration issues with this variant of JavaScript.


9

Mobile Code VBScript - Overview

– VBScript is a subset of Visual Basic (VB), designed to operate similarly to JavaScript or JScript, in that it is an interpreted scripting language embedded in HTML pages. This, obviously, is a Microsoft technology and is not found in other browsers and platforms.

– VBScript also adds certain functionality for manipulating the web interface and environment not found in the standard Visual Basic Distribution.


10

Mobile Code VBScript - Issues

– VBScript is not well studied in the way that it manages data and inter-operates with other components. VBScript can trade information with Java applets and ActiveX controls, so it is quite possible for a user to gain access to information that they should not have. This environment is very similar to the Netscape LiveConnect mechanism, where different components have different security models, and this leads to unforeseen consequences.


11

Mobile Code

As we have discussed, mobile code is any code that migrates between machines and is executed. This is not limited to web-based applets and additions. Many other applications and systems have been extended with programmatic control, without security concerns. These include:

– Printing

– Application Documents


12

Mobile Code PostScript - Overview

– In an effort to make a platform and device independent language for describing a graphic page layout, Adobe invented PostScript. PostScript is an interpreted, stack-based language with much of the functionality of a normal language (functions, loops, etc.).

– One interesting aspect of PostScript is that it can be used for more than printing. Other things that people have done are:

» Fractal Generation, Mathematical Equation Solving, etc.

– Some people, quite obviously, have too much free time.


13

Mobile Code PostScript - Issues

– One of the options available within PostScript is file IO. This allows a PostScript document, when run within an interpreter that does not place restrictions upon the script’s actions, to read or write a user’s files.

» This could be used in an attack where a user’s .rhosts file is overwritten with the “+ +” that we talk about so often.

– Many interpreters will offer some level of security and not allow this access. (Very similar to the Java sandbox model)


14

Mobile Code Microsoft Word - Overview

– Microsoft Word has macro capabilities, that is, commands and sets of commands can be scripted and added to a document to perform some action. These macros are saved with the document so that they will be available when the user next loads it.

– As these macros are performing actions at a user’s request, no restrictions are placed upon them. They may do search and replace operations, add content to the document, or anything else a person would do when writing and managing a document.


15

Mobile Code Microsoft Word - Issues

– The biggest problem with this macro capability is the fact that macros can be automatically executed upon document load, without prior authorization from the user. This means that a malicious user could give somebody a Word file with a macro that would delete words or sentences, modify content, or write itself into other documents.

– Macros that will write themselves into other documents are called Word or Macro viruses. They are the most prevalent form of viruses at this time, due to the heavy sharing of documents in networked enterprises.
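The problem stated on this slide, macros that run on document load with no prior authorization, is also what a defender can look for. The scanner below is an added illustration, not code from the slides or from Microsoft Word: it works on macro source text that has already been extracted from a document, the VBA sample is constructed, and the decision tiers are my reading of the deck's own rule that nothing should run without the user's consent. The trigger names are Word's documented auto-run macro names and document events; the suspicious-identifier list is a short, hand-picked set rather than a complete signature.

```python
"""Heuristic scan of extracted Word macro source for load-time execution (added example)."""
import re

# Procedures Word runs without asking when the document is opened, closed or created.
AUTO_RUN_TRIGGERS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
                     "document_open", "document_close", "document_new"}
# Identifiers a document-editing macro has no business touching; hits raise the severity.
SUSPICIOUS_IDENTIFIERS = ["Kill", "Shell", "CreateObject", "VBProject", "NormalTemplate", "FileCopy"]

# One Sub/Function ... End Sub/Function block; VBA is case-insensitive.
PROC_RE = re.compile(
    r"^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?^[ \t]*End\s+(?:Sub|Function)\b",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)

# Constructed sample: one harmless macro and one that fires on open and deletes a file.
SAMPLE_VBA = """\
Sub FormatHeading()
    Selection.Font.Bold = True
End Sub

Sub AutoOpen()
    ' runs as soon as the document is opened, with no prompt
    Selection.Find.Execute FindText:="not ", ReplaceWith:="", Replace:=wdReplaceAll
    Kill "C:\\notes\\draft.txt"
End Sub
"""


def scan_macros(vba_text: str) -> list:
    """Return one finding per procedure: its name, whether Word would auto-run it, and suspicious hits."""
    findings = []
    for match in PROC_RE.finditer(vba_text):
        name, body = match.group(1), match.group(0)
        hits = [ident for ident in SUSPICIOUS_IDENTIFIERS
                if re.search(rf"\b{ident}\b", body, re.IGNORECASE)]
        findings.append({"name": name, "auto_run": name.lower() in AUTO_RUN_TRIGGERS, "suspicious": hits})
    return findings


def decide(findings: list) -> str:
    """Policy from the deck: nothing executes automatically, the user decides."""
    if any(f["auto_run"] and f["suspicious"] for f in findings):
        return "block"              # load-time trigger plus dangerous calls: do not even offer it
    if any(f["auto_run"] for f in findings):
        return "disable-autorun"    # keep the macro, but strip its load-time trigger and ask first
    if findings:
        return "prompt"             # ordinary macros still wait for the user's consent
    return "allow"                  # no macros at all


if __name__ == "__main__":
    findings = scan_macros(SAMPLE_VBA)
    for f in findings:
        print(f)
    print("decision:", decide(findings))
```

Run against the sample, `FormatHeading` is reported as an ordinary macro and `AutoOpen` as a load-time trigger that also calls `Kill`, so the document as a whole is blocked; a document whose only macro is `FormatHeading` would instead be held for the user to approve.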


16

Mobile Code Microsoft - Other

– One point to be made is that macros are not limited to Word documents, and other Microsoft products are vulnerable to this. Excel spreadsheets, for example, will allow these macro viruses just as easily.

– The main limiting factor in the other products is the limited scope of sharing other document formats. People do not normally download spreadsheets from the net, but may download a Word document to read about a new product.


17

Mobile Code Other

– Mobile code mainly deals with small encapsulated programs that are quickly and easily transported between machines. With the web, however, and the ease with which people can download and install whole applications, the problem of trojan horses and viruses is getting worse.

– It is getting to the point where all applications can be considered mobile to a certain extent, and must be considered when looking at the security of a system.


18

Mobile Code Review

– Code signing does not adequately protect users from malicious code. If a trusted site is compromised and the keys stolen, the user loses all assurance that the code is “safe”.

– Code needs to have restrictions placed upon it by default, and only with the user’s permission should it be allowed to perform other actions.

– Code should not automatically be executed in any circumstance; users should have the option of allowing or disallowing the code.


19

Mobile Code Summary

– Mobile code is only increasing as users and systems become more connected. Netscape and Microsoft are racing to tie users’ desktops into web interfaces, and the line between a remote network site and a user’s system will continue to get more vague. Security is increasing slowly, but basic problems* with trading code between systems will always exist.

*Users