
Re: Java insecurity - long - argumentative - you are warned.



On Mon, 6 Nov 1995, Dr. Frederick B. Cohen wrote:

> WARNING - THIS MESSAGE CONTAINS INFORMATION THAT MIGHT BE CONSIDERED AS
> A FLAME BY SOME READERS - IT IS LONG AND TEDIOUS - YOU ARE WARNED!

> > 4.2 Security in the Java Environment
> > 
> > Security commands a high premium in the growing use of the Internet
> > for products and services ranging from electronic distribution of
> > software and multimedia content, to "digital cash". The area of
> > security with which we're concerned here is how the Java compiler and
> > run-time system restrict application programmers from creating
> > subversive code.

[long list of important questions deleted ...]

Essentially, I think that all of this will distill to a single issue,
vis-a-vis Java or any other paradigm which wishes to represent itself as
*secure*.

Where is the security review role placed within the project development
life cycle?? 

Is it at Design Concept?  Or during Application Development?  Or is it
done last, after design completion, after all of the programming is
complete and the production people are involved in operational turnover. 

Or is it done at all?

This concept is not new, and should not present any problems to anyone in
the industry.  Even John Q. Public will understand it, if we use a simple
construction analogy. 

If you want to build a secure house, your security doesn't start AFTER the
house is built.  It has to start at a very early stage.  It starts before
the blueprints are made, when you specify that you want a concrete
windowless box located on a quiet street at the end of a cul-de-sac.  

That is simple and obvious. 

You certainly don't have *security* if after building a glass house on
Main Street, if after the design is finished, the footings have been
poured, and the key is about to be turned over to the occupant; if then,
as an afterthought you put a single strong deadbolt on the front door to
"secure" it. 

Anyone who can't or won't quite grasp this idea is either willfully
attempting to steer gullible individuals astray, or is congenitally
stupid. 

It's time to call a spade a spade. 

> What exactly does this mean?
> 
> > While all this checking appears excruciatingly detailed, by the time
> > the byte code verifier has done its work, the Java interpreter can
> > proceed knowing that the code will run securely. Knowing these
> > properties makes the Java interpreter much faster, because it doesn't
> > have to check anything. 

Yikes!!  I'll leave this for someone else to address.  This sounds to me
like a variation on virus scanning.  I think that there are far more
reputable virus experts than I who can comment and expand on *flaws* with 
that approach. 

> No runtime checking whatsoever.  Get past the supposed verifier, and you
> have free run of the machine.  A single verifier bug or inadequacy, and
> the world is unsafe for electronic commerce. 

As someone who *vividly* remembers October, 1987 and the near economic
meltdown which was BARELY averted by the Fed, a near meltdown which
occurred because of the interactions of systems far less intelligent or
complex than those we routinely utilize today, systems which directly
interface not only to each other, but have undocumented, non-predictable
interactions with "soft and wet" systems, I might have some serious
concerns. 

Then again, it is _only_ the economy, isn't it? 

> ASBESTOS SUITS MAY NOW BE REMOVED - FLAME OFF.
> 
> P.S.
> 
> When: Tuesday, November 7, 8AM
> Where: The Hilton, Washington D.C. (the CSI conference)
> The talk: 50 Ways to Attack Your World Wide Web Systems
> 
> If you want a chance to heckle - be there.

Drat ... I don't think that I'll be able to attend.  I've already got
a local presentation that I've pencilled in for tomorrow morning at
some god awfully early hour.  Then again, D.C. isn't quite my circuit.

I was hoping though for some clarification.  Are you THE Dr. Frederick
B. Cohen??  The one who originally coined the phrase "computer virus"
and who maintains the computer virus FAQ?

Are you THAT Dr. Frederick B. Cohen, and are you speaking publicly
in Washington, tomorrow as one of the keynote speakers?

If you are, I'd be interested as to whether you'll talk about the
recent gaping security hole in the existing installed Navigator code
base which I detailed to this list's subscribers. 

The one posted this last Friday the Thirteenth, that questioned
Netscape's wisdom in creating an experimental MIME object which does
not follow the usual HTTP request/response paradigm, but instead
allows a server to open and maintain a bi-directional communications
channel from server to client.

Effectively a non-password protected telnet into the heart of any
system, an open exploitable connection which penetrates proxy servers
and firewalls, and acts as an enhanced bi-directional
delivery/recovery mechanism?

I'd be very interested in the comments around that, especially since both
Netscape and AT&T (who distributes the software under its own brand name)
have made an explicit "no comment".

I'd especially be interested in any post-session transcript. 

I also think that Elaine Garzarelli might be interested.  Especially since
she'll be addressing the nation and the public via the public television
airwaves this Friday evening. 

Or at least ... uhmmm ... I _think_ that's when her electronic daytimer
has her pencilled in ...




Alice de 'nonymous ...

                                  ...just another one of those...


P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.