Java and ActiveX Security Concerns PDF

18 Pages·2016·0.48 MB·English
Global Information Assurance Certification Paper
Copyright SANS Institute. Author Retains Full Rights.
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

GSEC Security Essentials
Java and ActiveX Security Concerns
Tod Williamson

Abstract

There is an increasing number of Internet websites that use Java and ActiveX. Websites that use Java or ActiveX can provide additional functionality that cannot be accomplished by standard HTML (hypertext markup language). Anyone who uses the Internet will eventually access websites that contain mobile code. Any code that is transmitted across private or public networks and executed remotely is considered mobile code. Java, ActiveX, Macromedia Flash and Shockwave can be classified as the popular mobile code types.

As mobile code continues to evolve, Internet users have to decide whether to allow, block or scan it. This paper describes the security concerns of mobile code and discusses ways to minimize the risks.

© SANS Institute 2004, as part of GIAC practical repository. Author retains full rights.

Brief History of the Internet

During the early 1990's the Internet was exclusively text based. Colleges and universities used the Internet for transferring files and sending email. The Internet has evolved from its text-based roots into an avenue for sending images, sound files, and mobile code. Websites have also evolved from static web pages to dynamic content.
Web pages can be built with mobile code technologies to enhance the user's experience. This evolution from static content to multimedia content was enabled by the use of mobile code. "Java by far is the most popular implementation of Web-based mobile code used today." [1]

History of Java

Sun Microsystems, with the help of Patrick Naughton, Mike Sheridan and James Gosling, started development of Java, originally called "Oak", during the early 1990's. The primary objective was to develop software technologies that would work with a wide range of devices, specifically consumer devices and computers.

One of the earliest devices to use Java was the Star 7, a small hand-held device built for home entertainment with an animated touch screen. One of the primary goals of the Java development was to run on processor-independent devices. For example, you could develop software applications using Java and deploy them to just about any platform: Macintosh, Unix or Windows based systems. http://java.sun.com/people/jag/green/ [2]

How Java Works

Java can be broken down into three major components:
1. Byte Code
2. Java Virtual Machine
3. Execution Environment

Byte code is the compiled, platform-independent form of Java code that will run on any platform. The Java Virtual Machine (JVM) executes the byte code, which in turn uses the Execution Environment, which contains the base Java class files, to run the code. [1]

Most of the current browsers, Netscape, Internet Explorer and Opera, have Java Virtual Machines or JVM plug-ins installed from their default installations.
Microsoft Internet Explorer 6.0 will download Microsoft's version of the JVM automatically from a file server at Microsoft if the web page being viewed has an applet embedded in it. The Java Virtual Machine is a software-based application that can be downloaded for free from www.java.sun.com. Most operating systems come with a Java Virtual Machine, or one can be installed from most operating system installation disks.

Applications that are written in Java can be executed on any machine that has a JVM installed. Granted, some Java applications are written specifically for certain versions of the JVM. If an application has byte code written specifically for version 1.4.0, the application may not work properly if executed on an older version of the JVM.

For interactive websites, developers will code web pages with Java "applets" embedded in them. Anyone with a Java-enabled browser can download and run these applets within the browser. Some of these Java-based applications allow users to access databases remotely over the Internet, or even view geographic maps.

The Internet is being used to distribute more public record information. It is becoming easier, faster and more efficient to access public records over the Internet. Java-enabled browsers and web pages with Java applets make this possible. In this example, we are going to access a public website that contains Java. The website will allow you to view different geographic maps in Wisconsin. Try accessing the website: http://www.bayfieldcounty.org/LandRecords/mapviewer_start.htm [3]

For example, consider that you are thinking about purchasing land in Wisconsin for the dream summer vacation home.
You see an ad in the Wall Street Journal™ that someone is selling a 3-acre plot of land in Northern Wisconsin. Ten years ago, you would have had the tedious task of finding the courthouse telephone number, obtaining the parcel number of the land, etc. With a Java-enabled web browser and access to the Internet, you obtain this information in a few seconds. By accessing this public website, you can check whether the vacation property is on a flood plain.

Figure 1.

By right-clicking on the far left column of the page and selecting View Source, you can verify that this page is using Java. You can either scroll through the source code, or use the search function to find ".class". Notice the HTML tags representing the applet codebase as mapplet and the mapplet.class files in Figure 2.

Figure 2.

Java Security Model

There are two approaches to securing Java. The two techniques are called Sandboxing and Code Signing. [1]

The Sandbox security model is a method of restricting access to a limited set of resources or files on an end user's computer. The mapplet.class displayed in Figure 1 would be considered as running inside the Java "Sandbox". The mapplet.class code is used for displaying maps from a vendor's webserver. It does not try to create or delete files, nor does it try to copy or email files to unknown locations.

The code signing security model is based upon a third-party company who will "sign" the code. This process could be compared to a notary public, who stamps and verifies a person's signature. One of the most popular code signing companies is Verisign.

There are several types of code signing options.
Typically, Class 2 IDs are designed for individuals. Class 3 IDs are Commercial IDs for companies, especially companies who use the Internet as a means for business. Verisign will run a background check on the company or individual who is requesting their code to be signed. The goal is to provide a level of trust and guarantee the identity of the remote computer. http://www.verisign.com/products/signing/code/ [4]

One of the most popular uses of code signing is secure SSL (secure socket layer) within e-business web-based applications. Within an SSL session, the network connection from a client's web browser to the webserver is encrypted. The certificate will ensure the code has not been tampered with. You can view the details of a certificate by clicking the padlock icon within the browser during an SSL session, as shown in Figure 3. The SSL certificate will display the details of the code signing as displayed in Figure 4.

Figure 3.

Figure 4.

Hostile Java Applets

Some developers find the Java sandbox too restrictive. They may decide to code Java applications which run outside of the Java sandbox.
For example, a Java applet could scan the computer's file system, modify files, access memory, or even open other applications.

Hostile Java applets can be classified into four categories, as shown in Figure 5:

Category | Details of Attack | Severity
System Modification | Modifies or deletes data, or operating system files | High
Invasion of Privacy | Copies or sends information, possibly stored in cookies, files or workstation settings, and sends it to remote computers | High
Denial of Service | Causes the computer or the browser to freeze. Could consume CPU resources and waste productivity | Minimal
Annoyance | Most hostile applets fit into the annoyance category. May cause a reboot, or have popup ads that keep annoying you | Minimal

(Figure 5. Felten, E., and McGraw, G.) [1]

Hostile Java applets which modify files are a high-risk security concern. There are specific websites that demonstrate all four techniques. You can execute examples of hostile mobile code by accessing http://www.finjan.com/mcrc/sec_test.cfm [5]

ActiveX

According to Microsoft, "ActiveX and Java are complementary, not competing, technologies." Microsoft has its own flavor of the Java Virtual Machine. After a long court battle with Sun Microsystems, Microsoft will no longer support the Microsoft JVM after January 2004. [6] ActiveX, when first released, didn't work on Macintosh or Unix based systems, nor was it supported in Netscape browsers. Netscape users would have to download a special browser plug-in for ActiveX controls.
http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dnaractivex/html/msdn_faq.asp [7]

Generally, ActiveX can be classified into three categories:
ActiveX Controls
ActiveX Documents
ActiveX Scripting

ActiveX controls are used in web pages to display animation, audio, and video. There are literally thousands of ActiveX controls. ActiveX controls are also persistent. If a user downloads an ActiveX control it can be stored in the browser cache, or on the hard drive. Once downloaded, it can be accessed by other applications.

One advantage of ActiveX is the ability to reuse existing ActiveX controls to build web-based applications. These ActiveX controls can be purchased from software developers or downloaded from websites. This website has ActiveX controls which can be downloaded for free: http://www.sevillaonline.com/ActiveX/

ActiveX Documents are a set of active viewers that can display Microsoft Office documents within a web browser. If the end user has the Microsoft Office Suite, a web page with an ActiveX viewer can automatically launch an application like PowerPoint and display it within the web browser. If the user doesn't have PowerPoint, the ActiveX control could download the correct plug-in from Microsoft and install it in the browser. This could be accomplished behind the scenes without any user intervention. ActiveX Scripting allows ActiveX-supported browsers like Internet Explorer to run Java applets. http://www.geocities.co.jp/HeartLand-Gaien/3046/activex/features.html [8]

ActiveX Security Model

Unlike Java, there is no security "Sandbox" for ActiveX controls.
ActiveX relies on the end user's ability to make the security decision whether to execute the ActiveX control. Microsoft also works with Verisign to use a code signing security model. This method is referred to as Authenticode. Authenticode is based upon digital signatures.

Authenticode supports multiple file formats, including PE format files, Java applets, ActiveX controls, plug-ins, executables, and cabinet files. Signed ActiveX controls will verify the code has not been tampered with. If the code has not been digitally signed, browsers like Internet Explorer can be configured to block execution of the control.

It's important to point out that Authenticode does not guarantee that signed software components, in the form of Java or ActiveX controls, are without software flaws. Depending on the complexity of the Java applets or ActiveX controls, there is a chance that they may cause problems, even if the code is signed by a third party. http://www.tutorialbox.com/tutors/J++/ch23.htm#IntroductiontoCodeSigning [9]

Java and ActiveX Security Solutions

Block Java and ActiveX

From a security standpoint, there are strategies to address Java and ActiveX. When Java and ActiveX were in their infancy, blocking mobile code from the Internet was common practice. Like most new technologies, Java and ActiveX had security issues when first released.

However, in today's world of interactive, multimedia, business and information websites, this technique of blocking all Java or ActiveX websites is becoming less of an option. The option to block is rather easy to implement. Using a Gauntlet 6.0 firewall, as shown in Figure 6, blocking Java and ActiveX is a simple process. Checking the deny buttons in the HTTP proxy configuration will block the mobile code at the perimeter. Most popular firewalls have the option to block Java and ActiveX.
Firewalls search for the embed tags and will remove the code between the opening and closing embed tags. The end user will experience a blank or incomplete page from which the <embed> tag data was removed. Macromedia Flash or Shockwave websites will be blocked too, because these technologies also use <embed> tags.

Figure 6.

Important Note: Firewalls cannot block Java applets or ActiveX controls within an SSL session. SSL (secure socket layer) encrypts the data between the client and web server. Firewalls cannot decrypt the data and inspect it for Java and ActiveX. This is an easy way to circumvent firewalls that block Java and ActiveX: create a website that uses SSL and then embed Java and ActiveX within your web page. The only defense would be a properly configured browser with the correct security settings.

The following chart (Figure 7) outlines security options for mobile code. The easiest solution is to block all mobile code from the Internet. However, you will also block Java websites that have Java class files that would run safely in the sandbox. Your enterprise may not be able to conduct business with external websites that use Java or ActiveX. The trade-off is security versus functionality.
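The view-source check from Figure 2 and the tag-stripping perimeter filter described above, as an added Python example that is not part of the paper: it classifies the mobile-code tags in a page, strips them the way the firewall does, shows that Flash content is blocked as collateral, and shows the SSL blind spot by passing an https page through untouched. The sample pages, the CLSID and the URLs are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# <applet> and <object classid="clsid:..."> are the Java and ActiveX cases the paper
# discusses; <embed> is what the firewall strips, so Flash/Shockwave is collateral.
MOBILE_CODE_TAGS = {"applet", "object", "embed"}

class MobileCodeScanner(HTMLParser):
    """Find mobile-code tags the way 'view source' plus a search for .class does."""
    def __init__(self):
        super().__init__()
        self.kinds = []

    def handle_starttag(self, tag, attrs):
        if tag not in MOBILE_CODE_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "applet" or a.get("code", "").endswith(".class"):
            self.kinds.append("java-applet")
        elif tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            self.kinds.append("activex-control")
        else:
            self.kinds.append("embed-plugin")   # Flash, Shockwave, other plug-ins

def classify_mobile_code(html):
    """Return the kinds of mobile code found in a page, in document order."""
    scanner = MobileCodeScanner()
    scanner.feed(html)
    return scanner.kinds

# Perimeter filter as the paper describes it: drop everything from the opening
# tag to the closing tag (an <embed> with no closing tag loses the tag itself).
_STRIP_RE = re.compile(
    r"<(applet|object)\b.*?</\1\s*>|<embed\b[^>]*>(?:.*?</embed\s*>)?", re.I | re.S)

def strip_mobile_code(html):
    return _STRIP_RE.sub("", html)

def filter_at_perimeter(url, body):
    """The paper's caveat: a proxy cannot see inside SSL, so an https page passes untouched."""
    if url.lower().startswith("https://"):
        return body, False
    return strip_mobile_code(body), True
# Constructed sample pages (not from the paper); the applet markup mirrors the
# mapplet/mapplet.class page Figure 2 describes and the CLSID is a placeholder.
SAMPLE_MAP_PAGE = ('<h1>Map Viewer</h1><applet codebase="mapplet" code="mapplet.class">'
                   '<param name="layer" value="floodplain"></applet><p>Parcel lookup</p>')
SAMPLE_ACTIVEX_PAGE = '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
SAMPLE_FLASH_PAGE = '<p>Intro</p><embed src="intro.swf" type="application/x-shockwave-flash"><p>End</p>'
```

Running the filter over the Flash sample leaves only the surrounding paragraphs, which is the blank or incomplete page the end user sees.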