The Java Virtual Machine — The Machine Is Virtual, the Malicious Code Is Real

by Douglas Schweitzer

This article was excerpted from Chapter 6 of Douglas Schweitzer's book "Securing the Network from Malicious Code".

Virtual machines are computer platforms that are implemented in software on top of the "real" hardware platform and operating system. Java is a powerful programming language that is used in many Internet applications and is designed to run on almost any computer platform (Windows, Mac, Linux, and so on). This versatility is made possible by a software program called Java Virtual Machine (JVM). Instead of writing several different versions of Java for the various computer platforms, Java programmers need only compile code to operate with the Java Virtual Machine.

Individual JVM programs do vary, however, since each JVM is written to operate uniquely on a specific computer platform. This means that the JVM for a Mac, for example, will not work on a Windows-based PC, and the Windows version will not work on a Linux operating system. Use of the JVM makes Java programming code very portable. The same Java code that works on a Windows-based PC will also work on a Mac, provided that both have a Java Virtual Machine running on their operating system.

The JVM plays an essential role in making Java portable. It provides an abstract “layer” between the actual Java program and the hardware platform or operating system.

Sun Microsystems (the developer of Java) designed the JVM with security in mind from its inception. As the Internet began to gain momentum, Web browsers such as Netscape Navigator and Internet Explorer included JVMs, allowing users to take full advantage of Java-based Web content. It wasn’t long before malicious code found its way to the JVM. In August of 1998, a proof-of-concept virus called Strange Brew appeared. While it did not carry a damaging payload, it did prove the concept that cross-platform Java viruses could be written. Strange Brew, however, affects only Java applications, not Java applets (the small Java scripts) that typically run inside a Web browser. Because the Java Virtual Machine has built-in security measures, it does not allow Java applets direct access to the hard disk nor the ability to modify applications. This prevented Strange Brew from reaching other Java code and causing harm.

In January of 1999, the second known Java virus, called Java.BeanHive, was discovered. This virus was designed to infect both Java applets and Java applications. Remember, Java applets are small Java programs (written in Java Script) that are often used on Web sites and are downloaded and run by Web browsers while users surf the Internet. Java applets are substantially different from actual Java applications (written in Java) that are used in the stand-alone programs (applications) of desktop PCs and servers.

When a user encounters a Web site that contains one or more Java applets, the applets are downloaded to the user’s computer and then executed in the Java Virtual Machine. The virtual machine allows the Java applet to run while ensuring that the user's computer is protected from any malicious activity by the Java applet. An inherent part of JVM’s design is the fact that it prevents Java applets from accessing the Registry and other critical operating system components of the user's computer. These security features have made Java one of the safest ways to enjoy interactive content over the Internet.

While the JVM made the use of Java applets secure, it also prevented applets from performing some functional and convenient tasks. For example, if somebody wanted to develop a Java applet that could search a database of files on a user’s hard drive, it would be precluded from doing so by the JVM’s built-in security features. Because Java was designed to be both practical and portable, this ubiquitous code was later modified to lessen the restrictive nature of the JVM. The end result of these modifications was that if a Java applet made a request to access certain files it would normally not be permitted to access, a dialog box would pop up asking the user to grant or deny such permission.

The Java.BeanHive virus was the first to exploit this feature by asking the user to grant the virus permission for full file access. Because the virus was a seemingly innocuous Java applet, some users inadvertently granted it full permission, not knowing it was malicious code. In contrast, Strange Brew did not “properly” request access, and was therefore automatically denied admission to restricted areas by the JVM. In instances where users denied access, the Java.BeanHive virus failed to execute and was immediately terminated.

Caution

    When a user grants a Java applet permission to access restricted areas, they also grant permission to any future Java applets written by the same author.

The best protection against hostile Java applets is to secure your network's access points. Many organizational networks employ firewalls to guard against unauthorized access from the Internet. Nevertheless, a firewall alone cannot protect computers from requesting hostile Java applets. With the addition of content inspection software at the firewall, it is possible to inspect Java content as it enters your network.
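As an added illustration of the content inspection described above (this is not code from the book or from any firewall product), the following Python example recognizes a Java class file by its `0xCAFEBABE` magic number, walks the constant pool, and blocks content that references file or process classes. The function names, the `SENSITIVE` prefix list, and the assumption that the applet arrives as a raw `.class` file rather than inside a JAR are choices made for this example.

```python
import struct

CLASS_MAGIC = 0xCAFEBABE
ENTRY_LEN = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # tag -> bytes after tag
# Assumed site policy: class-name prefixes an untrusted applet should not reference.
SENSITIVE = ("java/io/File", "java/lang/Runtime", "java/lang/ProcessBuilder")

def referenced_classes(data):
    """Return the class names referenced from a class file's constant pool."""
    if len(data) < 10 or struct.unpack_from(">I", data)[0] != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    utf8, class_refs, pos, idx = {}, [], 10, 1
    try:
        while idx < count:
            tag, pos = data[pos], pos + 1
            if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
                n = struct.unpack_from(">H", data, pos)[0]
                utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
                pos += 2 + n
            elif tag in ENTRY_LEN:
                if tag == 7:                  # CONSTANT_Class: index of a Utf8 name
                    class_refs.append(struct.unpack_from(">H", data, pos)[0])
                pos += ENTRY_LEN[tag]
            else:
                raise ValueError(f"unknown constant tag {tag}")
            idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
        if pos > len(data):
            raise IndexError
    except (IndexError, struct.error):
        raise ValueError("truncated constant pool") from None
    return sorted({utf8[i] for i in class_refs if i in utf8})

def inspect_body(body):
    """Return (verdict, reasons) for one downloaded response body."""
    if body[:4] != struct.pack(">I", CLASS_MAGIC):
        return "not-java", []
    try:
        hits = [c for c in referenced_classes(body) if c.startswith(SENSITIVE)]
    except ValueError as exc:
        return "block", [str(exc)]            # fail closed on malformed input
    return ("block" if hits else "allow"), hits

def sample_class(names):  # constructed input: class header + constant pool only
    pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode()
                    + b"\x07" + struct.pack(">H", 2 * i + 1)
                    for i, n in enumerate(names))
    return struct.pack(">IHHH", CLASS_MAGIC, 3, 45, 2 * len(names) + 1) + pool
```

Constant-pool inspection sees only direct class references; a class loaded by name at run time appears as an ordinary string, so this is a coarse filter at the network edge and not a replacement for the JVM's own permission checks.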

© 2006 PC Flank Ltd. All rights reserved.