How does Java relate to Information Security?

Background on Executable Content

Executable content is the idea of sending around data that is actually code to be executed. The idea is exciting because it is powerful and promises expressiveness. Since use of the World Wide Web has exploded, there have been many attempts to retrofit applications to the Web. Letting users locally run a program written in a full-fledged programming language allows applications to be used directly over the Web.

Problems raised by executable content / What can be affected

Running a program on a computer typically gives that program access to certain resources on the host machine. In the case of executable content, the program that is running is untrusted. If a web browser that downloads and runs Java code is not careful to restrict the access that the untrusted program has, it can give a malicious program the same ability to do mischief as a hacker who has gained access to the host machine. For executable content to be both useful and secure, access to these resources needs to be carefully controlled.

Four types of attacks

Identifying the resources and then providing some type of limited access to these resources is a part of creating a safe environment. There are four types of attacks associated with this topic:
- Divulgence of information about a user or the host machine
- Denial of service attacks, which make a resource unavailable for legitimate purposes
- Damaging or modifying data
- Annoyance attacks

We can further break down these attacks by classifying them into different categories. These include:
- Integrity attacks
  - Deletion or modification of files
  - Modification of memory that is currently in use
  - Killing processes/threads
- Availability attacks
  - Allocating large amounts of memory
  - Creating thousands of windows
  - Creating high priority processes/threads
- Disclosure attacks
  - Mailing information about your machine
  - Sending personal or company files to an opponent or competitor through the network
- Annoyance attacks
  - Displaying obscene pictures on your screen
  - Playing unwanted sounds over your computer

Now that we have analyzed the concept of executable content and its potential dangers, we will explore how the Java language provides a mechanism for executable content and assures its safety to its users.

Cost analysis of Java

Effective security involves constantly reinforcing security mechanisms and policies through training and periodically adapting them to account for new threats. By doing so, security protects and extends competitive advantage. But all security procedures have costs, and these costs must be weighed against the value of the assets protected by those measures and the potential harm that could be caused by the loss of those assets. The cost of implementing security mechanisms is a crucial factor too. If a new technology makes it easier or cheaper to obtain the same level of security as an existing system, it would be very attractive. But if it increases security with a corresponding increase in cost, the organization must weigh the cost against the risks being averted. Usability is also an important factor in calculating security costs. If security mechanisms are too time-consuming or difficult to use, productivity can decrease. Users who find the policies difficult to follow may ignore them or implement them haphazardly.

Java is able to provide transparent security mechanisms, which do not require any knowledge or action on the part of the end user. This is possible because Java's security model is meant to protect the end user from hostile applets from untrusted sources.

DS420 Project
Team Tchaikovsky
Cathy Malabunga

 