Mobile Code
Java, JavaScript, ActiveX

Introduction
• Mobile code: A term that describes any software that is mobile, being passed from one system to another. In particular, it is used to describe applets within web browsers based upon Microsoft's ActiveX, Sun's Java, or Netscape's JavaScript technologies.

Mobile Code Examples
• Web Applets
Mini-programs written in Java, which are automatically loaded and run on being named in an HTML document. A document can include a number of applets. These may be sourced from a number of different servers and run without the user being aware of them.

Mobile Code Examples (Continued)
• Dynamic Email
One proposal for the provision of dynamic email suggested incorporating Safe-TCL scripts as components of MIME email. These scripts could be run either on mail delivery, or when the mail is read by the recipient.

Low-level Security Issues
• The use of 'mobile code' raises a number of obvious security issues:
  • access control - is the use of this code permitted?
  • user authentication - to identify valid users
  • data integrity - to ensure the code is delivered intact
  • non-repudiation of use of the code - for both the sender and the receiver, especially if its use is being charged
  • data confidentiality - to protect sensitive code
  • auditing - to trace uses of mobile code

Mobile Code Safety
• The prime focus of this paper is on the techniques which can be used to provide for the safe execution of imported code on the local system. This has to address threats due to rogue code being loaded and run. Of course, in many ways these problems are not new: they have been a key component of operating systems design on multi-user systems for many years. The traditional approach to addressing these problems has been to use heavy address space protection mechanisms, along with user access rights to the file system and other resources. The difference between the traditional problems and those posed by mobile code is one of volume and responsiveness.

Mobile Code Safety (Continued)
• Mobile code is intended for quick, lightweight execution, which conflicts with the cost of heavy address space mechanisms in most current operating systems. In addition, each mobile code unit can, in one sense, be thought of as running as its own unique user, to provide protection between the various mobile code units and the system. Traditional methods of adding new users cannot cope with this demand.

Mobile Code Safety (Continued)
The types of attacks which need to be guarded against include:
• denial of service
• disclosure of confidential information
• damage or modification of data
• annoyance attacks

Resource Access & Safety
• The issue of safe execution of code comes down to a concern with access to system resources. Any running program has to access system resources in order to perform its task. Traditionally, that access has been to all normal user resources. 'Mobile code' must have restricted access to resources for safety. However, it must be allowed some access in order to perform its required functions. Just which types of access and how these are to be controlled is a key research issue.

Resource Access & Safety
The types of resources to which access is required include:
• file system
• network
• random memory
• output devices (entire display, various windows, speaker)
• input devices (keyboard)
• process control (access to CPU cycles)
• user environment
• system calls

Granting Access to Resources
• One of the key issues in providing for safe execution of 'mobile code' is determining exactly which resources a particular code unit is to be granted access to. That is, there is a need for a security policy which determines the type of access of any 'mobile code' unit. This policy may be:

Granting Access to Resources (Continued)
• fixed for all 'mobile code' units
  – very restrictive but easy, and is the approach currently used to handle applet security in web browsers such as Netscape
• that the user verifies each security-related access request
  – relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests (whilst there is a place for querying the user, it should be used exceedingly sparingly)
• to negotiate for each 'mobile code' unit
  – much harder as some basis is needed for negotiation, perhaps based on various profiles, but ultimately this is likely to be the best approach

Granting Access to Resources (Continued)
• In the longer term, some mechanisms are needed to permit negotiation of appropriate accesses. How this is expressed is, I believe, one of the key research issues. Initially this is likely to be based on a simple tabular approach based on the various categories mentioned above. While adequate for the simplistic applets seen to date, this is unlikely to be sufficient for more complex 'mobile code' applications.

Granting Access to Resources (Continued)
• For these, some fairly powerful language is going to be needed to express the required types of accesses, along with a means of reasoning about those requests. For example, consider a simple 'mobile code' text-editor: it should be able to change any textual file specified by the user, have access perhaps to a preferences file, but otherwise be denied access to all other files. How can this be expressed and reasoned with? This is an area that needs considerable additional work, but will be a key to the successful use of 'mobile code'.

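One way to express and check the text-editor policy described above, combining the simple tabular approach (one row per resource category) with per-file grants. This is an added JavaScript example, not part of the original slides; the table, function names and paths are hypothetical, and the request manifest is constructed.

```javascript
// Added example: a default-deny resource policy for one 'mobile code' unit.
// Every name here (HOST_CEILING, negotiate, Sandbox, the paths) is hypothetical.

// Host-side table: one row per resource category; a missing row or empty list means deny.
const HOST_CEILING = {
  file: ['read', 'write'],        // narrowed further, per path, inside Sandbox
  output: ['draw-own-window'],
  input: ['keys-own-window'],
  network: [],
  process: [],
  environment: [],
  syscall: [],
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Collapse "." and ".." so a path cannot step outside what was granted.
// Lexical only: a real host must also resolve symbolic links before comparing.
function normalize(p) {
  if (typeof p !== 'string' || !p.startsWith('/')) return null; // absolute paths only
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Negotiation: grant the intersection of what the unit requests and what the host allows.
function negotiate(requested, ceiling) {
  const granted = Object.create(null);
  const refused = [];
  for (const category of Object.keys(requested)) {
    const allowed = own(ceiling, category) ? ceiling[category] : [];
    granted[category] = requested[category].filter((op) => allowed.includes(op));
    for (const op of requested[category]) {
      if (!allowed.includes(op)) refused.push(category + ':' + op);
    }
  }
  return { granted, refused };
}

class Sandbox {
  constructor(unitId, granted) {
    this.unitId = unitId;
    this.granted = granted;
    this.pathGrants = new Map(); // normalized path -> Set of operations
    this.audit = [];             // every grant and every decision is recorded
  }

  // Called only by host code (profile setup or a trusted file chooser), never by the unit.
  grantPath(path, ops, source) {
    const p = normalize(path);
    if (p === null) throw new Error('path grants must be absolute');
    this.pathGrants.set(p, new Set(ops));
    this.audit.push({ unit: this.unitId, event: 'grant', target: p, ops, source });
  }

  // The single choke point that every resource request from the unit goes through.
  check(category, op, target) {
    let allow = own(this.granted, category) && this.granted[category].includes(op);
    let reason = allow ? 'category allowed' : 'category or operation not granted';
    let resolved = target;
    if (allow && category === 'file') {
      resolved = normalize(target);
      const ops = resolved === null ? undefined : this.pathGrants.get(resolved);
      allow = ops !== undefined && ops.has(op);
      reason = allow ? 'path granted' : 'path not granted';
    }
    this.audit.push({
      unit: this.unitId, event: allow ? 'allow' : 'deny', category, op, target: resolved, reason,
    });
    return allow;
  }
}

function runEditorScenario() {
  // Constructed request manifest, as the editor unit might ship it.
  const requested = {
    file: ['read', 'write'],
    output: ['draw-own-window'],
    input: ['keys-own-window'],
    network: ['connect'],
  };
  const { granted, refused } = negotiate(requested, HOST_CEILING);
  const box = new Sandbox('text-editor (constructed)', granted);
  box.grantPath('/home/alice/.editor/prefs', ['read', 'write'], 'profile');
  box.grantPath('/home/alice/notes/todo.txt', ['read', 'write'], 'user file chooser');
  const decisions = {
    editChosenFile: box.check('file', 'write', '/home/alice/notes/./todo.txt'),
    readPrefs: box.check('file', 'read', '/home/alice/.editor/prefs'),
    traversal: box.check('file', 'read', '/home/alice/notes/../.ssh/id_rsa'),
    relativePath: box.check('file', 'read', 'todo.txt'),
    otherFile: box.check('file', 'read', '/etc/passwd'),
    network: box.check('network', 'connect', 'example.invalid:80'),
    unknownCategory: box.check('__proto__', 'read', '/x'),
  };
  return { refused, decisions, auditEntries: box.audit.length };
}

console.log(runEditorScenario());
```

The user is asked only once, when choosing the file; every later request is decided from the recorded grants, and the audit list shows why each one was allowed or denied.
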
Mobile Code Technologies
Embedded Script (JScript/VBScript):
Internet Explorer includes a built-in interpreter to parse JScript or Visual Basic scripts (VBScript) embedded within web pages. These scripting engines provide the "glue" to manipulate other objects on the web page. Both scripting engines offer common programming constructs to control program flow (e.g. If, Then, Else, For, Do, etc.), perform simple mathematical functions, evaluate conditions, and manipulate data types. In addition, these languages offer the ability to load objects, such as ActiveX controls and Java applets, call methods on them, or set and get their properties. On the Microsoft Windows family of operating systems both scripting engines also include at least one "built-in" object, the FileSystemObject, which can be called to manipulate files or directories on the local file system as long as those scripts aren't being run from a web page.

Mobile Code Technologies (Continued)
ActiveX Controls:
The Component Object Model (COM) is Microsoft's architecture for creating programming objects that can be reused and provide services to other programs. Most of Microsoft's productivity applications are composed of many COM objects, such as Microsoft Word, Excel, PowerPoint presentation graphics program, and Visio drawing and diagramming software. An ActiveX control is simply a COM object that is designed to be downloaded and used within web pages. Once an ActiveX control is installed on the system it runs directly on the workstation in the security context of the web browser (normally the logged-on user).

Mobile Code Technologies (Continued)
These objects can be scripted to perform operations by calling their properties and methods from embedded script within the web page. An ActiveX control can perform any operation the user can. This makes ActiveX controls tremendously powerful for developing browser-based applications, but also makes them very dangerous if normal safeguards are not employed. When developing ActiveX controls, the developer must implement sufficient security measures to prevent their malicious use. If the control is not safe for use by any web page, its use from within Internet Explorer can be disabled or the tools described below can be used to allow the control to run only when appropriate.

Mobile Code Technologies (Continued)
Java Applets:
Like ActiveX controls, Java applets are reusable code modules that can be downloaded and installed on the client machine. They are created using the Java programming language and compiled into platform-neutral byte-code. Once downloaded to the client machine the applet is loaded into a Java Virtual Machine (VM) that interprets the byte-codes and runs the applet. The VM normally restricts what the applet can do, thereby limiting the functionality of the applet, but also limiting the amount of damage a potential attacker could do.

Conclusions
• 'Mobile code' is here with increasing demands for its use. Safe execution of 'mobile code' implies a need for controlled access to resources, access which ideally should be negotiated for each 'mobile code' unit. The means for achieving this is a subject for considerable additional research.
• Approaches taken so far to providing 'mobile code' include the distribution of source, intermediate code, or binary code, and the use of Just-In-Time compilers.
• Experience with these systems has shown that safe and secure systems need both correct specification and implementation. There is still considerable research and development needed in these systems. However, I believe the goal of safe and secure 'mobile code' execution is reasonable and achievable.
ReferencesReferences

More Related Content

What's hot

Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
Zsolt Nemeth
 
Modern Lessons in Security Monitoring
Modern Lessons in Security MonitoringModern Lessons in Security Monitoring
Modern Lessons in Security Monitoring
Anton Goncharov
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1
Anindya Ghosh,
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
Andris Soroka
 

What's hot (20)

Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Wireless Communiction Security
Wireless Communiction SecurityWireless Communiction Security
Wireless Communiction Security
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
 
Modern Lessons in Security Monitoring
Modern Lessons in Security MonitoringModern Lessons in Security Monitoring
Modern Lessons in Security Monitoring
 
2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
Day1
Day1Day1
Day1
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكات
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
CNS - Chapter1
CNS - Chapter1CNS - Chapter1
CNS - Chapter1
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 
Wireless Security Needs For Enterprises
Wireless Security Needs For EnterprisesWireless Security Needs For Enterprises
Wireless Security Needs For Enterprises
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Project cyper
Project cyperProject cyper
Project cyper
 
Chapter 5 Networking and Server Attacks
Chapter 5 Networking and Server AttacksChapter 5 Networking and Server Attacks
Chapter 5 Networking and Server Attacks
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
User authentication
User authenticationUser authentication
User authentication
 

Similar to Use GFA To Make Someone Fall In Love With You

Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
WilheminaRossi174
 
Information security questions
Information security questions Information security questions
Information security questions
gamemaker762
 

Similar to Use GFA To Make Someone Fall In Love With You (20)

Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An Introduction
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperSecurity is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
 
Unit4
Unit4Unit4
Unit4
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
 
Information security questions
Information security questions Information security questions
Information security questions
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
The Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docxThe Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docx
 
DevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docxDevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docx
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Importance of Secure Coding with it’s Best Practices
Importance of Secure Coding with it’s Best PracticesImportance of Secure Coding with it’s Best Practices
Importance of Secure Coding with it’s Best Practices
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 

Recently uploaded

Recently uploaded (12)

Dehradun Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Dehradun Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceDehradun Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Dehradun Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
 
Sohna Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Sohna Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceSohna Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Sohna Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Famedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . FullsailFamedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . Fullsail
 
Bangalore Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Bangalore Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceBangalore Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Bangalore Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
Dàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxDàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptx
 
Hyderabad Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Hyderabad Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceHyderabad Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Hyderabad Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
Call girls in Andheri with phone number 9892124323
Call girls in Andheri with phone number 9892124323Call girls in Andheri with phone number 9892124323
Call girls in Andheri with phone number 9892124323
 
Tirupati Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Tirupati Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceTirupati Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Tirupati Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
Lucknow Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Lucknow Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceLucknow Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Lucknow Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
Sangareddy Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Sangareddy Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceSangareddy Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Sangareddy Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 

Use GFA To Make Someone Fall In Love With You

  • 1. Mobile CodeMobile Code Java, JavaScript, ActiveXJava, JavaScript, ActiveX
  • 2. IntroductionIntroduction • Mobile codeMobile code: A term that describes any: A term that describes any software that is mobile, being passed fromsoftware that is mobile, being passed from one system to another. In particular, it isone system to another. In particular, it is used to describe applets within webused to describe applets within web browsers based upon Microsoft's ActiveX,browsers based upon Microsoft's ActiveX, Sun's Java, or Netscape's JavaScriptSun's Java, or Netscape's JavaScript technologies.technologies.
  • 3. Mobile Code ExamplesMobile Code Examples • Web AppletsWeb Applets Mini-programs written in Java, which areMini-programs written in Java, which are automatically loaded and run on beingautomatically loaded and run on being named in an HTML document. Anamed in an HTML document. A document can include a number ofdocument can include a number of applets. These may be sourced from aapplets. These may be sourced from a number of different servers and runnumber of different servers and run without the user being aware of them.without the user being aware of them.
  • 4. Mobile Code ExamplesMobile Code Examples (Continued(Continued(( • Dynamic EmailDynamic Email One proposal for the provision of dynamicOne proposal for the provision of dynamic email suggested incorporating Safe-TCLemail suggested incorporating Safe-TCL scripts as components of MIME email.scripts as components of MIME email. These scripts could be run either on mailThese scripts could be run either on mail delivery, or when the mail is read by thedelivery, or when the mail is read by the recipient.recipient.
  • 5. Low-level Security IssuesLow-level Security Issues • The use of 'mobile code' raises a number ofThe use of 'mobile code' raises a number of obvious security issues:obvious security issues: • access control - is the use of this code permitted?access control - is the use of this code permitted? • user authentication - to identify valid usersuser authentication - to identify valid users • data integrity - to ensure the code is delivereddata integrity - to ensure the code is delivered intactintact • non-repudiation of use of the code - for both thenon-repudiation of use of the code - for both the sender and the receiver especially if its use issender and the receiver especially if its use is being chargedbeing charged • data confidentiality - to protect sensitive codedata confidentiality - to protect sensitive code • auditing - to trace uses of mobile codeauditing - to trace uses of mobile code
  • 6. Mobile Code Safety • The prime focus of this paper is on the techniques which can be used to provide for the safe execution of imported code on the local system. This has to address threats due to rogue code being loaded and run. Of course, in many ways these problems are not new: they have been a key component of operating systems design on multi-user systems for many years. The traditional approach to addressing these problems has been to use heavy address space protection mechanisms, along with user access rights to the file system and other resources. The difference between the traditional problems and those posed by mobile code is one of volume and responsiveness.
  • 7. Mobile Code Safety (Continued) • Mobile code is intended for quick, lightweight execution, which conflicts with the cost of heavy address space mechanisms in most current operating systems. In addition, each mobile code unit can, in one sense, be thought of as running as its own unique user, to provide protection between the various mobile code units and the system. Traditional methods of adding new users cannot cope with this demand.
  • 8. Mobile Code Safety (Continued) The types of attacks which need to be guarded against include: • denial of service • disclosure of confidential information • damage or modification of data • annoyance attacks
  • 9. Resource Access & Safety • The issue of safe execution of code comes down to a concern with access to system resources. Any running program has to access system resources in order to perform its task. Traditionally, that access has been to all normal user resources. 'Mobile code' must have restricted access to resources for safety. However, it must be allowed some access in order to perform its required functions. Just which types of access are allowed, and how these are to be controlled, is a key research issue.
  • 10. Resource Access & Safety The types of resources to which access is required include: • file system • network • random memory • output devices (entire display, various windows, speaker) • input devices (keyboard) • process control (access to CPU cycles) • user environment • system calls
  • 11. Granting Access to Resources • One of the key issues in providing for safe execution of 'mobile code' is determining exactly which resources a particular code unit is to be granted access to. That is, there is a need for a security policy which determines the type of access of any 'mobile code' unit. This policy may be:
  • 12. Granting Access to Resources (Continued) • fixed for all 'mobile code' units – very restrictive but easy, and is the approach currently used to handle applet security in web browsers such as Netscape • that the user verifies each security-related access request – relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests (whilst there is a place for querying the user, it should be used exceedingly sparingly) • to negotiate for each 'mobile code' unit – much harder as some basis is needed for negotiation, perhaps based on various profiles, but ultimately this is likely to be the best approach
  • 13. Granting Access to Resources (Continued) • In the longer term, some mechanisms are needed to permit negotiation of appropriate accesses. How this is expressed is, I believe, one of the key research issues. Initially this is likely to be based on a simple tabular approach based on the various categories mentioned above. While adequate for the simplistic applets seen to date, this is unlikely to be sufficient for more complex 'mobile code' applications.
  • 14. Granting Access to Resources (Continued) • For these, some fairly powerful language is going to be needed to express the required types of accesses, along with a means of reasoning about those requests. For example, consider a simple 'mobile code' text-editor: it should be able to change any textual file specified by the user, have access perhaps to a preferences file, but otherwise be denied access to all other files. How can this be expressed and reasoned with? This is an area that needs considerable additional work, but will be a key to the successful use of 'mobile code'.
  • 15. Mobile Code Technologies Embedded Script (JScript / VBScript): Internet Explorer includes a built-in interpreter to parse JScript or Visual Basic scripts (VBScript) embedded within web pages. These scripting engines provide the "glue" to manipulate other objects on the web page. Both scripting engines offer common programming constructs to control program flow (e.g. If, Then, Else, For, Do, etc.), perform simple mathematical functions, evaluate conditions, and manipulate data types. In addition, these languages offer the ability to load objects, such as ActiveX controls and Java applets, call methods on them, or set and get their properties. On the Microsoft Windows family of operating systems both scripting engines also include at least one "built-in" object, the FileSystemObject, which can be called to manipulate files or directories on the local file system as long as those scripts aren't being run from a web page.
  • 16. Mobile Code Technologies (Continued) ActiveX Controls: The Component Object Model (COM) is Microsoft's architecture for creating programming objects that can be reused and provide services to other programs. Most of Microsoft's productivity applications are composed of many COM objects, such as Microsoft Word, Excel, PowerPoint presentation graphics program, and Visio drawing and diagramming software. An ActiveX control is simply a COM object that is designed to be downloaded and used within web pages. Once an ActiveX control is installed on the system it runs directly on the workstation in the security context of the web browser (normally the logged-on user).
  • 17. Mobile Code Technologies (Continued) These objects can be scripted to perform operations by calling their properties and methods from embedded script within the web page. An ActiveX control can perform any operation the user can. This makes ActiveX controls tremendously powerful for developing browser-based applications, but also makes them very dangerous if normal safeguards are not employed. When developing ActiveX controls, the developer must implement sufficient security measures to prevent their malicious use. If the control is not safe for use by any web page, its use from within Internet Explorer can be disabled or the tools described below can be used to allow the control to run only when appropriate.
  • 18. Mobile Code Technologies (Continued) Java Applets: Like ActiveX controls, Java applets are reusable code modules that can be downloaded and installed on the client machine. They are created using the Java programming language and compiled into platform-neutral byte-code. Once downloaded to the client machine the applet is loaded into a Java Virtual Machine (VM) that interprets the byte-codes and runs the applet. The VM normally restricts what the applet can do, thereby limiting the functionality of the applet, but also limiting the amount of damage a potential attacker could do.
  • 19. Conclusions • 'Mobile code' is here with increasing demands for its use. Safe execution of 'mobile code' implies a need for controlled access to resources, access which ideally should be negotiated for each 'mobile code' unit. The means for achieving this is a subject for considerable additional research. • Approaches taken so far to providing 'mobile code' include the distribution of source, intermediate code, or binary code, and the use of Just-In-Time compilers. • Experience with these systems has shown that safe and secure systems need both correct specification and implementation. There is still considerable research and development needed in these systems. However, I believe the goal of safe and secure 'mobile code' execution is reasonable and achievable.
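
The text-editor policy question from slide 14, worked as an added example (not part of the original slides): a default-deny policy per mobile code unit, with a fixed grant for the preferences file, per-file grants issued only when the user picks a file through the trusted host, and an audit record of every decision. The class, method names, resource labels and paths are assumptions made for illustration.

```python
import posixpath


class UnitPolicy:
    """Default-deny access policy for one mobile code unit (hypothetical design)."""

    def __init__(self, unit, prefs_path):
        self.unit = unit
        # Fixed grant: the unit's own preferences file.
        self.file_grants = {self._canon(prefs_path): {"read", "write"}}
        # Tabular grants for other resource categories; unlisted means denied.
        self.category_grants = {"output": {"own-window"}, "input": {"keyboard"}}
        self.audit = []  # every decision: (unit, category, target, action, allowed)

    @staticmethod
    def _canon(path):
        # Collapse "." and ".." so a grant cannot be widened with path tricks.
        # A real host would also resolve symlinks when it opens the file.
        if not path.startswith("/"):
            raise ValueError("absolute path required")
        return posixpath.normpath(path)

    def grant_user_file(self, path):
        """Called by the trusted host (e.g. its file dialog), never by the unit."""
        self.file_grants.setdefault(self._canon(path), set()).update({"read", "write"})

    def check(self, category, target, action):
        if category == "file":
            try:
                allowed = action in self.file_grants.get(self._canon(target), set())
            except ValueError:
                allowed = False
        else:
            allowed = target in self.category_grants.get(category, set())
        self.audit.append((self.unit, category, target, action, allowed))
        return allowed


def demo():
    # Constructed sample requests from a hypothetical "text-editor" unit.
    policy = UnitPolicy("text-editor", "/home/alice/.editor/prefs")
    policy.grant_user_file("/home/alice/notes/todo.txt")  # user picked this file
    requests = [
        ("file", "/home/alice/notes/todo.txt", "write"),             # user-specified
        ("file", "/home/alice/.editor/prefs", "read"),               # preferences
        ("file", "/home/alice/notes/../private/diary.txt", "read"),  # never granted
        ("file", "notes/todo.txt", "read"),                          # relative path
        ("network", "example.org:80", "connect"),                    # category denied
        ("output", "own-window", "draw"),                            # category granted
    ]
    return [policy.check(*r) for r in requests], policy.audit
```

The grant for a user-specified file comes from the host's own file dialog rather than from a per-request prompt, so the user is asked nothing beyond the choice they were already making.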