UW News

May 19, 1997

UW system helps improve Java security on Microsoft, Sun web browsers

A system for running Java programs that is more secure than those found in commercial World Wide Web browsers has been developed by computer scientists at the University of Washington. The UW system includes a strong new Java code verifier that makes it possible to automatically identify any potential security flaws in commercial browsers and other Java-based systems used to access Java programs on the web.

Using the new verifier, UW researchers recently analyzed Sun Microsystems’ Java Virtual Machine for its HotJava browser and Microsoft’s Java system for Internet Explorer. The UW team detected 24 potential flaws in Sun’s system — which is licensed by 30,000 companies including Netscape — and 17 potential flaws in Microsoft’s product. Major weaknesses found in both systems would allow unsuspecting computer users to download malicious web programs that could wipe out files, crash the system or permit unauthorized access to financial records.

After consulting with the UW team, Microsoft and Sun have announced that they are releasing new versions of their Java systems to correct some of the problems raised by the UW analysis. More details are provided on Microsoft’s and Sun’s web sites.

“We’re working with Microsoft and Sun because our ultimate goal is to improve the security of web services,” says Brian Bershad, associate professor of computer science and engineering at the UW, who helped develop the new system along with graduate student Emin Gun Sirer and staff programmer Sean McDirmid.

The latest versions of World Wide Web browsers like Internet Explorer and Netscape Navigator support Java, a programming language and set of procedures developed over the past five years by Sun. Java was designed for transmitting small applications — or applets — over the Internet. These applets are used in programs for online services such as electronic bill-paying and automatic stock-price monitoring that can be downloaded from the web to personal computers.

There is a risk of downloading bugs along with the applications, exposing a user’s computer and files to serious security threats. To guard against this, Java specifications require web browsers to verify that applications are properly coded and safe to use before they are accepted by the browser. Unfortunately, Bershad says, all verification systems are not created equal.

“The Trojan horse is a good analogy,” he explains. “Just as the Trojans failed to inspect the horse before it was let through the door, the verifiers on commercial browsers are failing to completely inspect all applets before they are accepted. This opens the door for hackers and bugs to access files and resources that should be secure. Our verifier is part of a strong new Java system architecture for Internet applications such as browsers. As a side effect of this work, we’ve built some technology that allows us to automatically and systematically identify potential security flaws in Java systems for commercial browsers before they cause problems for end users.”

The UW verifier — dubbed Kimera — checks every line of code in a Java application against the specifications and flags any deviations. If a commercial browser’s verifier fails to detect flagged code deviations, it is potentially vulnerable to attack, Bershad says. To test Microsoft’s and Sun’s Java systems, the UW team generated millions of variations of Java programs known to have bugs. These programs were fed into Kimera and the bugs were identified. Next, the programs were run through the commercial browsers’ Java verifiers. When they failed to reject a flawed program that was flagged by Kimera, the researchers knew a potential security weakness existed and they analyzed how it could be exploited.

The most troubling type of weakness identified by Bershad’s team would allow a program to fool the browser into treating numbers as references for files that can be edited, deleted or sent to a remote computer. The user probably wouldn’t even know it was happening until it was too late, Bershad says. UW researchers are not aware of any Internet attacks that have exploited the flaws they uncovered.
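The differential test described above, sketched on a constructed five-opcode stack language rather than real JVM bytecode. This is an added example, not Kimera's code: `reference_verify` stands in for the strict verifier, `lax_verify` for a hypothetical verifier that checks only stack depth, and every mutant the lax one accepts but the reference rejects is reported. The instruction set, seed program and all names are assumptions made for illustration.

```python
from itertools import product

# Constructed toy stack language (NOT real JVM bytecode).
# opcode -> (types popped, types pushed); "I" = int, "R" = reference, "*" = any
OPS = {
    "ipush":    ((), ("I",)),
    "apush":    ((), ("R",)),
    "iadd":     (("I", "I"), ("I",)),
    "getfield": (("R",), ("I",)),
    "pop":      (("*",), ()),
}
SEED = ["apush", "getfield", "ipush", "iadd", "pop"]  # constructed, well-typed

def reference_verify(program):
    """Strict verifier: tracks the type of every stack slot."""
    stack = []
    for op in program:
        pops, pushes = OPS[op]
        for want in reversed(pops):
            if not stack:
                return False            # stack underflow
            got = stack.pop()
            if want != "*" and got != want:
                return False            # e.g. an int used where a reference is required
        stack.extend(pushes)
    return True

def lax_verify(program):
    """Hypothetical weak verifier: checks stack depth only, never types."""
    depth = 0
    for op in program:
        pops, pushes = OPS[op]
        if depth < len(pops):
            return False
        depth += len(pushes) - len(pops)
    return True

def mutants(seed):
    """Every program that differs from the seed in exactly one opcode."""
    for i, op in product(range(len(seed)), OPS):
        if op != seed[i]:
            yield seed[:i] + [op] + seed[i + 1:]

def differential(seed):
    """Mutants the reference rejects but the verifier under test accepts."""
    return [m for m in mutants(seed) if lax_verify(m) and not reference_verify(m)]

if __name__ == "__main__":
    for m in differential(SEED):
        print("accepted by lax verifier, rejected by reference:", " ".join(m))
```

Each reported program is a lead for manual analysis; the first one here passes an integer to `getfield`, the toy analogue of treating a number as a reference.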

“Our intention wasn’t to attack the commercial web browsers,” Bershad explains. “Our intention was to show that a more stable and secure browser can be developed that will protect these companies’ products and the people who use them from attacks.”

###

For more information, contact Bershad at (206) 543-6707 and bershad@cs.washington.edu or visit the Kimera Project web site.
