Re: Java "security holes'

• To: jlowry@bbn.com (John Lowry)
• Subject: Re: Java "security holes'
• From: Adam Shostack <adam@bwh.harvard.edu>
• Date: Tue, 12 Mar 1996 13:13:31 -0500 (EST)
• Cc: ekr@terisa.com, dhudes@panix.com, mrm@doppio.Eng.Sun.COM, www-security@ns2.rutgers.edu
• In-Reply-To: <199603112221.RAA03522@dave.bbn.com> from "John Lowry" at Mar 11, 96 05:21:39 pm

John LowryK wrote:

| Is is possible to have a "Java Properties" table in the application
| that specifies the kind of behaviors allowed to an applet ?  Such a
| property table must be under control of the user.
| 
| I could imagine two dimensions initially, properties applied on
| a source basis, and properties applied transitively, e.g. from
| one applet to another perhaps based on the "least permissive" set
| of properties...  Almost sounds like inheritance  ;-)

	The decision about what behaviors to allwo must be under the
control of the organization, who may choose to delegate some portion
of it to users.  This delegation could happen at the firewall, which,
while proxying, could send back information about what its willing to
allow.

	Given that behaviors should be controlled by the organization,
the obvious means of control is not source, but authorship or vetting.
A 'code certification authority' can be allowed certain privledges.
For example, code signed only by Netscape might be forbidden at all
times, whereas code signed by the banks code development group would
have free access to disk and network resources.



| > From: mrm@doppio.Eng.Sun.COM (Marianne Mueller)
|
| > We're working on adding a signed class loader to the system, to allow
| > for the scenario where some authenticated class can be allowed more
| > functionality.
| > 
| > The hard part is the policy, that is, once you have an applet that you
| > *know* comes from Walmart, so what?  Does that mean you allow that
| > applet to make connections to other Walmart applets, or does that mean
| > you allow that applet to access the Walmart shopping cart which is
| > implemented as a file on the client file system?

	Thats a decision for the local security people to make.  Just
be sure to offer a means of specifying the ACL.  (Applets should have
read access to the relevant parts of the ACL, so that an applet can
say 'I won't run the credit check unless you let me talk to our
shopping cart.'

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

• Re: Java "security holes'
• From: John Lowry <jlowry@bbn.com>

• Previous: Netscape && FTP sites
• Next: Re: Java "security holes'
• Index(es):
  • Index
  • Thread