


Java Applet Security

Author: D-Cypell
Submitted: 01-Jan-1970 01:00:00
Imported From: zZine (original author: D-Cypell)


What is an applet?

An applet is a Java program that is written in a way that allows another application to control the program's life cycle.

What is the applet sandbox?

It is important for both programmers and users of applets to realize that, unlike CGI applications, applets are downloaded and executed on the client machine. Clearly, there are security concerns in allowing webmasters a mechanism to run arbitrary code on a user's computer, so the sandbox was invented. The sandbox gives the applet access to certain features of the host system and, more importantly, prevents the applet from accessing features that could potentially compromise the security of the host machine. Applets running within the sandbox have the following restrictions:
  • They may not access the host file system.
  • They may not open network connections, except to the host that they were downloaded from.
  • They may not start new processes on the host machine (including starting other programs).
  • They may not load native libraries (such as DLLs).
  • They may not define native methods used to access the client JVM directly.
  • They may not access certain system properties, including the user name of the user running the applet and the current working directory.
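As an added example (not code from the original article), the following Java class checks each of the restrictions above by asking the SecurityManager for the corresponding permission, so an applet can detect that it is sandboxed and degrade gracefully instead of being aborted by a SecurityException. It assumes a JDK on which a SecurityManager can still be installed (JDK 8 to 17 as shipped; 18 to 23 need -Djava.security.manager=allow); the host names and file path are constructed.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.PropertyPermission;

// Added example: reports which sandbox-restricted capabilities the current code holds by
// asking the SecurityManager, rather than attempting the action and being aborted by a
// SecurityException. Applet code can branch on this and degrade gracefully.
public class SandboxProbe {

    // True if the calling code may perform the action. With no manager installed
    // (a plain application) there is no sandbox, so everything is allowed.
    static boolean allowed(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;
        try {
            sm.checkPermission(p);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    // One probe per restriction in the article's list. codebaseHost is the host the applet
    // was downloaded from; the file path and the other host are constructed values.
    static String report(String codebaseHost) {
        StringBuilder sb = new StringBuilder();
        sb.append("read local file     : ")   // a path outside the code source directory
          .append(allowed(new FilePermission("/home/user/notes.txt", "read"))).append('\n');
        sb.append("connect to codebase : ")
          .append(allowed(new SocketPermission(codebaseHost + ":80", "connect"))).append('\n');
        sb.append("connect elsewhere   : ")
          .append(allowed(new SocketPermission("other.example.org:80", "connect"))).append('\n');
        sb.append("start a process     : ")   // Runtime.exec checks execute on the command path
          .append(allowed(new FilePermission("<<ALL FILES>>", "execute"))).append('\n');
        sb.append("load native library : ")
          .append(allowed(new RuntimePermission("loadLibrary.examplelib"))).append('\n');
        sb.append("read user.name      : ")
          .append(allowed(new PropertyPermission("user.name", "read"))).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Outside a browser there is no applet container, so install the default manager.
        // Under the JDK's default policy every probe should print false; in a browser
        // container only the connection back to the codebase host is granted.
        if (System.getSecurityManager() == null) System.setSecurityManager(new SecurityManager());
        System.out.print(report("applets.example.com"));
    }
}
```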

What are signed applets?

The delivery mechanism that applets use can be very convenient for developers. Applets provide the ability to distribute applications over the Web without having to perform installation or maintenance on the host machine. There is, however, a problem in the form of the security restrictions placed upon applets by the applet sandbox. These restrictions, while being very sensible when applied to unsolicited code, can be a problem for developers who are building applets that may require access to the local file system or broad access to the network. Therefore, a mechanism to allow the user of the host machine to trust the applet code to allow it to run outside of the sandbox was required. The solution was for the developer to 'sign' the applet using a digital certificate and to present the details of the certificate to the user of the host machine while asking them if they are happy to allow the applet to run outside of the sandbox.

What is a digital certificate?

When an individual or organization wants to create a digital certificate, they use a tool (such as the one provided with the Java development kit) to create a file that contains some specific information about themselves or their organization. This file requires signing to validate its authenticity. There are several organizations, known as certificate authorities, that can sign certificates. Certificates signed by well-known certificate authorities are generally accepted as valid certificates. It is also possible for the creator of the certificate to sign it themselves; this lowers the level of trust implied by the certificate, as it has not been verified by a trusted third party.

Putting it all together

So, the developer finishes work on a new applet that requires access to the host machine file system. The developer creates a certificate using information about the organization to which he belongs and the domain on which the applet will be hosted. The developer then sends his newly created certificate to a well-known certificate authority for validation. Once the developer receives the signed certificate back from the certificate authority, he uses a tool provided with his development kit to apply the certificate to his applet code. The applet is then placed on the web server and a page is created that includes the applet.

When a user navigates to the page containing the applet, the applet container running within the browser will begin loading the applet. The applet container will detect that the applet has been signed and inspect the data provided in the certificate. The user will then be presented with a dialog which provides details about the certificate, such as the organization information, whether a trusted certificate authority signed the certificate, and whether the certificate has expired. At this point, the user is presented with a choice on whether or not they wish to trust the applet to execute outside of the sandbox on their machine. Clicking yes will allow the applet to run outside of the sandbox, access the local file system, and make arbitrary network connections.
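The checks behind that dialog, as an added example that is not code from the original article: it opens a signed jar with verification on (so tampered entries are rejected), refuses partially signed jars, then reports the signer's subject, whether the certificate is self-signed (the lower-trust case from the certificate section above) or chains to a certificate authority in the JDK's default trust store, and whether it has expired. The jar path on the command line is assumed, and the JDK's default TLS trust anchors stand in for the trust store the browser plugin consulted.

```java
import java.io.InputStream;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class SignedJarInspector {
    // Reads every entry with verification on and reports what the trust dialog shows.
    static String inspect(String jarPath) throws Exception {
        CodeSigner signer = null;
        try (JarFile jar = new JarFile(jarPath, true)) {            // true = verify signatures
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are known only after the entry is fully read, because that is
                // when its manifest digest is checked; a tampered entry throws here.
                try (InputStream in = jar.getInputStream(e)) { while (in.read() != -1) {} }
                CodeSigner[] signers = e.getCodeSigners();
                // A partially signed jar is treated as unsigned: no entry may slip in unsigned.
                if (signers == null) return "UNSIGNED (entry " + e.getName() + " has no signer)";
                if (signer == null) signer = signers[0];
            }
        }
        if (signer == null) return "UNSIGNED (no entries)";
        CertPath path = signer.getSignerCertPath();
        X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        boolean expired = false;
        try { leaf.checkValidity(); } catch (CertificateException ex) { expired = true; }
        return "signer=" + leaf.getSubjectX500Principal().getName()
             + " selfSigned=" + selfSigned + " expired=" + expired
             + " chainTrusted=" + chainsToTrustAnchor(path);
    }
    // PKIX-validates the signer chain against the JDK's default trust anchors (cacerts).
    static boolean chainsToTrustAnchor(CertPath path) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                   // null = default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(c, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);                          // offline illustration only
        try { CertPathValidator.getInstance("PKIX").validate(path, params); return true; }
        catch (CertPathValidatorException ex) { return false; }      // untrusted root, expired, or bad signature
    }
    public static void main(String[] args) throws Exception {
        System.out.println(inspect(args[0]));                        // java SignedJarInspector applet.jar
    }
}
```

A self-signed signer never validates against the default anchors, so such a jar reports selfSigned=true and chainTrusted=false, which is the lower-trust outcome the dialog warns about.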

Summary

Applets that do not ask for permission to run in your browser are generally considered safe from a security perspective. Barring the exploitation of a bug within the sandbox, they will not be allowed to perform any actions that could compromise the security of the host machine.

Applets that do ask for permission to run have the potential to seriously compromise your security. They may access your file system and upload information to an arbitrary location. It is even possible for them to install software on your machine. Users should think very carefully about how well they trust the website they are loading a signed applet from before clicking yes and allowing the applet to run outside of the normal restrictions.

This article was originally published by CyberArmy.net in the CyberArmy Library.

