2. Introduction
• Mobile code: A term that describes any software that is mobile, being passed from one system to another. In particular, it is used to describe applets within web browsers based upon Microsoft's ActiveX, Sun's Java, or Netscape's JavaScript technologies.
3. Mobile Code Examples
• Web Applets
Mini-programs written in Java, which are automatically loaded and run on being named in an HTML document. A document can include a number of applets. These may be sourced from a number of different servers and run without the user being aware of them.
4. Mobile Code Examples (Continued)
• Dynamic Email
One proposal for the provision of dynamic email suggested incorporating Safe-TCL scripts as components of MIME email. These scripts could be run either on mail delivery, or when the mail is read by the recipient.
5. Low-level Security Issues
• The use of 'mobile code' raises a number of obvious security issues:
• access control - is the use of this code permitted?
• user authentication - to identify valid users
• data integrity - to ensure the code is delivered intact
• non-repudiation of use of the code - for both the sender and the receiver, especially if its use is being charged
• data confidentiality - to protect sensitive code
• auditing - to trace uses of mobile code
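Two of the issues listed above, data integrity and auditing, can be demonstrated with a small loader check. The following is an added example, not code from the original paper: a publisher ships each code unit with a manifest carrying the unit's SHA-256 digest and a MAC over that manifest, and the receiving system recomputes both before running anything, writing an audit entry either way. The manifest layout, the shared key and the sample unit are assumptions constructed for this example.

```python
"""Integrity and audit checks run before a 'mobile code' unit is executed.

Added example; it is not code from the original paper.  A publisher ships
each code unit with a small manifest carrying the unit's SHA-256 digest,
and a MAC over that manifest under a key shared with the receiver.  The
receiver recomputes both before running anything and writes an audit entry
either way.  The manifest layout, the key and the sample unit below are
constructed for this example.
"""
import hashlib
import hmac
import json


def make_manifest(name: str, code: bytes, key: bytes) -> dict:
    """Publisher side: bind the unit's name to its digest, then MAC the binding."""
    body = {"name": name, "sha256": hashlib.sha256(code).hexdigest()}
    serialized = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, serialized, "sha256").hexdigest()}


def verify_unit(manifest: dict, code: bytes, key: bytes, audit: list) -> bool:
    """Receiver side: check the manifest MAC, then the code digest.

    The order matters: the digest inside the manifest is only trustworthy
    once the MAC over the manifest has been validated.  Every decision,
    pass or fail, is appended to the audit trail so uses can be traced.
    """
    serialized = json.dumps(manifest["body"], sort_keys=True).encode()
    expected_mac = hmac.new(key, serialized, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        result = "manifest MAC mismatch"
    elif not hmac.compare_digest(hashlib.sha256(code).hexdigest(),
                                 manifest["body"]["sha256"]):
        result = "code digest mismatch"
    else:
        result = "ok"
    audit.append({"unit": manifest["body"].get("name"), "result": result})
    return result == "ok"


def demo() -> list:
    """Run three delivery scenarios and return the resulting audit trail."""
    key = b"constructed-shared-key-for-demo"              # constructed, not a real key
    code = b"print('hello from a mobile code unit')"      # constructed code unit
    manifest = make_manifest("hello-unit", code, key)
    audit: list = []

    verify_unit(manifest, code, key, audit)                   # intact delivery
    verify_unit(manifest, code + b"# tampered", key, audit)   # code altered in transit
    forged = {"body": dict(manifest["body"], name="other-unit"),
              "mac": manifest["mac"]}                         # manifest altered, MAC now stale
    verify_unit(forged, code, key, audit)
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

A shared-key MAC gives the two parties integrity and origin authentication but not the non-repudiation item on the slide, since either holder of the key could have produced the tag; covering that point would mean signing the manifest with the publisher's private key and verifying with its public key, which changes only the MAC step in `verify_unit`.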
6. Mobile Code Safety
• The prime focus of this paper is on the techniques which can be used to provide for the safe execution of imported code on the local system. This has to address threats due to rogue code being loaded and run. Of course, in many ways these problems are not new: they have been a key component of operating systems design on multi-user systems for many years. The traditional approach to addressing these problems has been to use heavy address space protection mechanisms, along with user access rights to the file system and other resources. The difference between the traditional problems and those posed by mobile code is one of volume and responsiveness.
7. Mobile Code Safety (Continued)
• Mobile code is intended for quick, lightweight execution, which conflicts with the cost of heavy address space mechanisms in most current operating systems. In addition, each mobile code unit can, in one sense, be thought of as running as its own unique user, to provide protection between the various mobile code units and the system. Traditional methods of adding new users cannot cope with this demand.
8. Mobile Code Safety (Continued)
The types of attacks which need to be guarded against include:
• denial of service
• disclosure of confidential information
• damage or modification of data
• annoyance attacks
9. Resource Access & Safety
• The issue of safe execution of code comes down to a concern with access to system resources. Any running program has to access system resources in order to perform its task. Traditionally, that access has been to all normal user resources. 'Mobile code' must have restricted access to resources for safety. However, it must be allowed some access in order to perform its required functions. Just which types of access and how these are to be controlled is a key research issue.
10. Resource Access & Safety
The types of resources to which access is required include:
• file system
• network
• random memory
• output devices (entire display, various windows, speaker)
• input devices (keyboard)
• process control (access to CPU cycles)
• user environment
• system calls
11. Granting Access to Resources
• One of the key issues in providing for safe execution of 'mobile code' is determining exactly which resources a particular code unit is to be granted access to. That is, there is a need for a security policy which determines the type of access of any 'mobile code' unit. This policy may be:
12. Granting Access to Resources (Continued)
• fixed for all 'mobile code' units
– very restrictive but easy, and is the approach currently used to handle applet security in web browsers such as Netscape
• that the user verifies each security-related access request
– relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests (whilst there is a place for querying the user, it should be used exceedingly sparingly)
• to negotiate for each 'mobile code' unit
– much harder as some basis is needed for negotiation, perhaps based on various profiles, but ultimately this is likely to be the best approach
13. Granting Access to Resources (Continued)
• In the longer term, some mechanisms are needed to permit negotiation of appropriate accesses. How this is expressed is, I believe, one of the key research issues. Initially this is likely to be based on a simple tabular approach based on the various categories mentioned above. While adequate for the simplistic applets seen to date, this is unlikely to be sufficient for more complex 'mobile code' applications.
14. Granting Access to Resources (Continued)
• For these, some fairly powerful language is going to be needed to express the required types of accesses, along with a means of reasoning about those requests. For example, consider a simple 'mobile code' text-editor: it should be able to change any textual file specified by the user, have access perhaps to a preferences file, but otherwise be denied access to all other files. How can this be expressed and reasoned with? This is an area that needs considerable additional work, but will be a key to the successful use of 'mobile code'.
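The text-editor policy just described, and the three policy styles from slide 12 (fixed for all units, ask the user, negotiated per unit), can be expressed as a small tabular allow-list. The following is an added example, not code from the original paper; the class names, the file paths and the contents of the user profile are assumptions constructed for illustration, and it goes slightly beyond the slide by normalising file paths before matching so that a `..` segment cannot escape the granted directory.

```python
"""Toy access-control policy for a 'mobile code' unit.

Added example; it is not code from the original paper.  It encodes the
text-editor policy the slide describes (change textual files the user
named, read one preferences file, deny every other file) and the three
policy styles from the earlier slide: fixed for all units, ask the user,
and negotiated per unit.  The class names, paths and profile contents are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from posixpath import normpath


@dataclass(frozen=True)
class Request:
    resource: str   # "file", "network", "display", ...
    target: str     # path, host:port, window name, ...
    action: str     # "read", "write", "connect", "draw", ...


@dataclass
class Policy:
    """Explicit allow table; anything not listed is denied (default deny)."""
    rules: list = field(default_factory=list)   # (resource, target glob, actions)
    audit: list = field(default_factory=list)   # (request, decision) trail

    def allow(self, resource: str, target_glob: str, *actions: str) -> None:
        self.rules.append((resource, target_glob, frozenset(actions)))

    def decide(self, req: Request) -> bool:
        # Normalise file paths first so "docs/../../etc/passwd" cannot slip
        # past a rule that was written for the user's own directory.
        target = normpath(req.target) if req.resource == "file" else req.target
        return any(
            res == req.resource and req.action in acts and fnmatchcase(target, glob)
            for res, glob, acts in self.rules
        )

    def check(self, req: Request) -> bool:
        decision = self.decide(req)
        self.audit.append((req, decision))   # every decision is traceable
        return decision


def fixed_policy() -> Policy:
    """Style 1: one policy for every unit, like a browser applet sandbox."""
    p = Policy()
    p.allow("display", "applet-window", "draw")
    p.allow("network", "origin-host:*", "connect")
    return p


class AskUserPolicy(Policy):
    """Style 2: forward each security-related request to the user."""

    def __init__(self, prompt):
        super().__init__()
        self.prompt = prompt   # callable(Request) -> bool, e.g. a dialog box

    def decide(self, req: Request) -> bool:
        return bool(self.prompt(req))


def negotiated_policy(requested: set, user_profile: set) -> Policy:
    """Style 3: grant the intersection of what the unit asks for and what
    the user's profile permits; both are sets of (resource, glob, action)."""
    p = Policy()
    for res, glob, act in sorted(requested & user_profile):
        p.allow(res, glob, act)
    return p


def editor_demo() -> list:
    """The text-editor case: the unit over-asks and the profile trims it."""
    profile = {
        ("file", "/home/alice/notes.txt", "read"),   # file the user named
        ("file", "/home/alice/notes.txt", "write"),
        ("file", "/home/alice/.editorrc", "read"),   # preferences file
    }
    requested = profile | {("file", "/etc/passwd", "read")}   # dropped by negotiation
    policy = negotiated_policy(requested, profile)
    return [
        policy.check(Request("file", "/home/alice/notes.txt", "write")),         # True
        policy.check(Request("file", "/home/alice/docs/../notes.txt", "write")), # True
        policy.check(Request("file", "/etc/passwd", "read")),                    # False
        policy.check(Request("file", "/home/alice/../../etc/passwd", "read")),   # False
        policy.check(Request("file", "/home/alice/.editorrc", "write")),         # False
    ]


if __name__ == "__main__":
    print(editor_demo())
```

The table of `(resource, target, action)` triples is the "simple tabular approach" the slide mentions; the negotiation step is only a set intersection here, which is exactly the part the slide says will need a richer language once units ask for things like "any textual file the user names at run time" rather than a fixed list of paths.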
15. Mobile Code Technologies
Embedded Script (JScript / VBScript):
Internet Explorer includes a built-in interpreter to parse JScript or Visual Basic scripts (VBScript) embedded within web pages. These scripting engines provide the "glue" to manipulate other objects on the web page. Both scripting engines offer common programming constructs to control program flow (e.g. If, Then, Else, For, Do, etc.), perform simple mathematical functions, evaluate conditions, and manipulate data types. In addition, these languages offer the ability to load objects, such as ActiveX controls and Java applets, call methods on them, or set and get their properties. On the Microsoft Windows family of operating systems both scripting engines also include at least one "built-in" object, the FileSystemObject, which can be called to manipulate files or directories on the local file system as long as those scripts aren't being run from a web page.
16. Mobile Code Technologies (Continued)
ActiveX Controls:
The Component Object Model (COM) is Microsoft's architecture for creating programming objects that can be reused and provide services to other programs. Most of Microsoft's productivity applications are composed of many COM objects, such as Microsoft Word, Excel, PowerPoint presentation graphics program, and Visio drawing and diagramming software. An ActiveX control is simply a COM object that is designed to be downloaded and used within web pages. Once an ActiveX control is installed on the system it runs directly on the workstation in the security context of the web browser (normally the logged-on user).
17. Mobile Code Technologies (Continued)
These objects can be scripted to perform operations by calling their properties and methods from embedded script within the web page. An ActiveX control can perform any operation the user can. This makes ActiveX controls tremendously powerful for developing browser-based applications, but also makes them very dangerous if normal safeguards are not employed. When developing ActiveX controls, the developer must implement sufficient security measures to prevent their malicious use. If the control is not safe for use by any web page, its use from within Internet Explorer can be disabled, or the tools described below can be used to allow the control to run only when appropriate.
18. Mobile Code Technologies (Continued)
Java Applets:
Like ActiveX controls, Java applets are reusable code modules that can be downloaded and installed on the client machine. They are created using the Java programming language and compiled into platform-neutral byte-code. Once downloaded to the client machine the applet is loaded into a Java Virtual Machine (VM) that interprets the byte-codes and runs the applet. The VM normally restricts what the applet can do, thereby limiting the functionality of the applet, but also limiting the amount of damage a potential attacker could do.
19. Conclusions
• 'Mobile code' is here with increasing demands for its use. Safe execution of 'mobile code' implies a need for controlled access to resources, access which ideally should be negotiated for each 'mobile code' unit. The means for achieving this is a subject for considerable additional research.
• Approaches taken so far to providing 'mobile code' include the distribution of source, intermediate code, or binary code, and the use of Just-In-Time compilers.
• Experience with these systems has shown that safe and secure systems need both correct specification and implementation. There is still considerable research and development needed in these systems. However, I believe the goal of safe and secure 'mobile code' execution is reasonable and achievable.