Re: Java Implementations (inside servers)

David Brownell (db@Eng)
Wed, 16 Sep 1998 10:30:54 -0700

Chad Schieken wrote:
>
> Hello,
>
> I've done a little research and it appears that to date most Java
> implementations have had some problems with regard to security flaws. The
> most popular examples are the Netscape and Microsoft browser
> implementations.
>
> Is your team aware of problems (past or present) with
> implementations inside of web servers? For example the Netscape
> Enterprise server allows the installation of Java applications/serverlettes
> to handle specific web requests.

That's "servlets" ... not "serverlets" or "server side applets" ;-)

There's also JavaServer Pages -- files ("*.jhtml", "*.jsp") which
literally embed Java code inside the HTML, and which are compiled
transparently into a servlet. Fast interactive development model.

> Other webservers use similar technology. My concern is that my
> web developers may fall into a false sense of security by writing
> server side applets and not take the appropriate steps to protect the
> applet from hostile input. I'm looking for an example of a Web server
> implementation that is flawed to prove that even with Java, with
> strict bounds checking, and immutable strings, exploits are possible
> due to weaknesses in the implementation.

I suggest you then do an audit of some commercial products. Sun's
business model has so far been that we provide the technology to be
incorporated into those products, rather than securing them or even
offering security evaluations ourselves.

Also: since most servlets need to run "outside the sandbox" (access
files, databases, the network, etc) the security enforcement task is
the responsibility of the servlets, not the hosting server. That
means you must audit the servlets, instead !!

> I understand that this case is somewhat different from browsers where
> foreign code is executed.

Not necessarily, since the server might be configured to permit
foreign servlets to be downloaded. That's why there's a common
signed code infrastructure, permitting developers to construct
systems that download "foreign" code and execute it within a
sandbox, and selectively grant it permissions. (Or, typically,
execute it outside the sandbox, granting "All" permissions.)

But it's true that most server administrators won't support that
sort of "foreign download". They'll only permit locally controlled,
and "fully trusted, all permissions", code to run. It's the same
model that most web servers provide -- whether the code runs inside
the server (NSAPI, ISAPI, PERLMOD, Servlets) or in another process
(CGI etc).

- Dave

> Thanks for any help you might be able to provide.
>
> Thanks,
> Chad
>
> +---------------------------------------------------------------+
> | Chad Schieken                     | Voice:  609.987.7659      |
> | Advanced Systems Consulting, Inc. | Fax:    609.987.7615      |
> | Marlton, NJ 08053                 | E-mail: chad@advsys.com   |
> +---------------------------------------------------------------+
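A concrete case of the point Dave makes above (audit the servlets, not the hosting server), as an added example that is not part of the original thread and not code from Sun, Netscape or any product mentioned in it: a servlet-style file handler that takes a file name from a request parameter. It is plain JDK code (java.nio.file, Java 11 or later for Files.writeString) with no servlet API dependency, so it compiles stand-alone; the parameter handling is assumed to mirror what a servlet's doGet() would do with request.getParameter("file"). The class name, method names and the temporary document root are all constructed for the example. Java's bounds checking and immutable Strings rule out the buffer-overflow class of bug, but "../../../etc/passwd" is a perfectly valid String and a perfectly valid path, so the vulnerable resolveUnsafe() walks straight out of the document root while resolveSafe() normalises the path and checks that it is still contained.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative servlet-style file handler (added example, not from the
 * original thread). Only the path-handling logic is shown; in a real
 * servlet `requested` would come from request.getParameter("file").
 */
public class FileServer {

    /**
     * Vulnerable: appends the client-supplied name to the document root.
     * Nothing in the JVM objects to "../" segments or to an absolute path,
     * and Path.resolve() with an absolute argument discards docRoot entirely.
     */
    static Path resolveUnsafe(Path docRoot, String requested) {
        return docRoot.resolve(requested);
    }

    /**
     * Hardened: normalise both sides, then require the candidate to lie
     * inside the document root. Path.startsWith() compares whole path
     * elements, so "/srv/docroot" does not match "/srv/docroot2".
     * Note: normalize() does not follow symlinks; if the document root may
     * contain links, compare toRealPath() results instead.
     */
    static Path resolveSafe(Path docRoot, String requested) throws IOException {
        Path root = docRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("request escapes document root: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a temporary document root holding one public file.
        Path docRoot = Files.createTempDirectory("docroot");
        Files.writeString(docRoot.resolve("index.html"), "<html>hello</html>");

        // Constructed requests: one legitimate, one relative traversal, one absolute.
        String[] requests = { "index.html", "../../../etc/passwd", "/etc/passwd" };
        for (String r : requests) {
            Path unsafe = resolveUnsafe(docRoot, r).normalize();
            System.out.printf("unsafe  %-22s -> %s%n", r, unsafe);
            try {
                Path safe = resolveSafe(docRoot, r);
                System.out.printf("safe    %-22s -> %s%n", r, safe);
            } catch (IOException e) {
                System.out.printf("safe    %-22s -> REJECTED (%s)%n", r, e.getMessage());
            }
        }
    }
}
```

Run with `java FileServer.java`: the unsafe resolver maps the second and third requests to /etc/passwd, the safe one serves only index.html and rejects the other two. The same shape of check applies to any servlet that turns hostile input into a file name, a database query or a command line; the platform's memory safety is what Java gives you for free, and everything above that layer is exactly the "audit the servlets" work Dave describes.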