Next: Scenarios
Up: Analysis
Previous: Writing Secure Libraries
In analyzing the effectiveness of Java security, it is necessary to
check if there are adequate methods of controlling each of the
resources specified in Section 2.1.
- File system - Access to the file system is well
protected, with specific SecurityManager checks for read and write access to a given
file. This allows flexible policies such as access control lists to
be fairly easily implemented.
- Network - Access to the network is well protected.
There are SecurityManager checks on the methods necessary for both accepting and
creating of sockets, as well as protection of calls to other network
related methods. Again, these methods are flexible, allowing access
controls.
- Random Memory - Protection of memory is done by
the language specification itself. There is protection against access
to the already allocated memory, but there is no protection against an
Applet allocating all of the current memory available (by creating
objects).
- Output Devices - One protection provided for
output devices is that any Applet windows can be forced to have a
special marking noting that they are unsafe. Additionally, an Applet
cannot directly access devices, instead it must use the mechanisms
provided by the Java libraries.
- Input Devices - An Applet can only access the
keystrokes or mouse clicks of the user when the Applet's window has been
selected. Currently other input devices are not supported, although
one would assume that any access to devices such as camera's or
microphones would be through a Java library which could add security
checks. Currently there are no explicit security checks involving
input.
- Process Control - Access to control of threads is
fairly limited. There are SecurityManager checks of access the
threads and threadgroups. Additionally, the maximum priority of
threads can be set to make sure an Applet's thread does not
dominate.
- User Environment - Access to environment variables
is protected by SecurityManager checks. Additional access control to
the Java language environment is provided by the languages access
control mechanisms for classes.
- System Calls - The SecurityManager checks any
attempted system calls, including attempts to exit.
The control of a few of these resources stand out. First, the current
SecurityManager does not have a method for controlling the creation of
top level windows (aside from forcing them to be marked as unsafe), or
control of what can be displayed or played back audibly. Second,
there is no mechanism for controlling an Applet's access to user
input. There are certainly situations it would be desirable to have a
more specific security policy regarding various input devices.
Finally, an Applet can currently allocate an arbitrary amount of
memory by creating new objects. The problem of allocating memory is
difficult because it does not provide a very direct threat; there is
no single operation or set of operations that can be controlled. The
problem is not horrible since the browser can limit the amount of
memory available to Java. The browser could also provide a method of
killing the current Java Applet, causing the memory to be recovered.
Next: Scenarios
Up: Analysis
Previous: Writing Secure Libraries