Next: The Advantages of Software Up: Extensible Security Architectures for Previous: Extensible Security Architectures for

Introduction

 

As the World Wide Web has been used to build increasingly complex applications, developers have been constrained by the Web's static document model. "Active" content can add simple animations to a page, but it can also transform the Web into a "platform" for writing and distributing programs. A variety of mobile code systems such as Java [18], JavaScript [12], ActiveX [30], and Shockwave [40] make this possible.

Users and developers love mobile code, but it raises serious security concerns. Software distribution over the Internet has been common for years, but the risks are greatly amplified with Web plug-ins and applets by virtue of their ubiquity and seamless integration. Users are often not even aware of mobile code's presence. Mobile code systems must have correspondingly stronger security to compensate for the increased exposure to potentially hostile code.

This paper considers the problem of securely supporting mobile code on real-world systems. Unlike traditional operating systems, Web browsers must rely on software mechanisms for basic memory safety, both for portability and performance. Currently, there is no standard for constructing secure services above basic memory safety primitives. We explain three different strategies and their implementations in Java: several vendors [14,10] have built capability systems, Netscape and Microsoft have extensions to Java's stack introspection, and we designed an add-on to Microsoft Internet Explorer which hides or replaces Java classes. We analyze these systems in terms of established security criteria and conclude with a discussion of appropriate environments in which to deploy each strategy.



 
Dan Wallach
7/26/1997