Assignment Entry

Wednesday, 25 May 2011

Assignment #7: Are Java Applets Considered Security Threats?


OK, for today Miss Sansan will try to explain Java applets. Are they considered security threats?
Consider the reasons that programs such as Java applets that run on client machines are considered security threats. 
Explain how these programs could breach security.

Java Applet
What is a Java applet? The Java programming language is a thread-based object-oriented language. Think of threads as mini-programs which are, in general, executed in parallel with one another. A single Java application, known as an applet, is usually composed of several threads. The threads are interpreted and executed by an overseeing entity known as the Java virtual machine. There are typically times when the execution of one thread depends on variables which another thread is in the middle of using. For this situation, Java has provisions which allow one thread to wait while another is executing.

Java Applet Flow Diagram

Why are Java applets considered security threats? Java was initially designed with security in mind, so theoretically it is very secure. Java programs downloaded from the web cannot access files; only applets that reside on the host machine can do so, and they are restricted to a user-defined set of directories and files, with varying degrees of accessibility. Nor can Java applets make network connections except to the server they came from. When Java programs are loaded, they are run through a bytecode verifier, which checks for any illegal operations. To further reduce the probability of a deliberate or accidental bug causing problems, the Java language does not support pointers. So, unlike in C or C++, you cannot do this:

    char *naughty;
   
    naughty = (char *)rand();
    *naughty = (char)rand();

Common bugs caused by following bad pointers, or deliberate attempts to access memory outside a program's address space, become nearly impossible.
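
To make the file and network restrictions described above concrete, here is a small Java model of them. It is an added example, not code from the original post or from any Java runtime: the class, method names and sample values are all hypothetical, and treating a local applet as having no origin server to connect to is an assumption.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Simplified model of the applet sandbox rules described above.
// Not the JVM's real security manager; every name here is hypothetical.
public class AppletSandboxModel {
    private final String originHost;       // server the applet came from, null if local
    private final List<Path> allowedDirs;  // user-defined directories for local applets

    public AppletSandboxModel(String originHost, List<Path> allowedDirs) {
        this.originHost = originHost;
        this.allowedDirs = allowedDirs;
    }

    private boolean isDownloaded() { return originHost != null; }

    // File rule: downloaded applets get no file access at all;
    // local applets may only touch files under an allowed directory.
    public boolean mayAccessFile(String requested) {
        if (isDownloaded()) return false;
        // Normalize first so "allowed/../secret" cannot pass the prefix check.
        Path target = Paths.get(requested).toAbsolutePath().normalize();
        for (Path dir : allowedDirs) {
            if (target.startsWith(dir.toAbsolutePath().normalize())) return true;
        }
        return false;
    }

    // Network rule: a downloaded applet may connect only to its origin server.
    public boolean mayConnect(String host) {
        return isDownloaded() && originHost.equalsIgnoreCase(host);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the original post.
        List<Path> dirs = List.of(Paths.get("/home/user/applet-data"));
        AppletSandboxModel remote = new AppletSandboxModel("applets.example.com", dirs);
        AppletSandboxModel local = new AppletSandboxModel(null, dirs);

        System.out.println("remote reads file:     " + remote.mayAccessFile("/home/user/applet-data/a.txt"));
        System.out.println("remote -> origin host: " + remote.mayConnect("applets.example.com"));
        System.out.println("remote -> other host:  " + remote.mayConnect("other.example.net"));
        System.out.println("local reads allowed:   " + local.mayAccessFile("/home/user/applet-data/a.txt"));
        System.out.println("local reads traversal: " + local.mayAccessFile("/home/user/applet-data/../.ssh/id_rsa"));
    }
}
```

The path is normalized before the directory check because a plain string-prefix comparison would accept a request that starts inside an allowed directory and then climbs out of it with `..`.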

Security breach! Attack!!!

How can Java applets breach security? Bugs in the implementations of Java viewers, such as those in web browsers, can breach Java's security. Examples include the ability to write hand-coded bytecode instructions that can bypass Java's security management and avoid detection by the bytecode verifier, which was possible under Netscape 3.01 and below and Internet Explorer 3.01 and below. It is also possible under Netscape 2.0 - 2.01 to trick the Java interpreter into loading and executing an arbitrary file, which could contain a harmful program. But these security problems are very much caused by bugs in the implementation of Java interpreters, and again these bugs can be, and frequently are, fixed in later versions of the software.

Well, I hope I explained those things right...


Sincerely,
Miss Sansan

Reference:
http://www.doc.ic.ac.uk/~nd/surprise_97/journal/vol4/mmp/secure.htm
