WWW: Beyond the Basics

14 Java Security

14.3 Security Threats

14.3.3 Covert Channels

Various covert channels exist in browsers that allow applets to establish two-way communication with arbitrary third parties on the Internet. A two-party attack requires that the Web server the applet resides on participate in the attack. A three-party attack can originate from anywhere on the Internet, and might spread if it is hidden in a useful applet that gets used by many Web pages. Three-party attacks are more dangerous than two-party attacks because they do not need the collusion of the Web server.

FIGURE 14.2: A Three Party Attack

Figure 14.2 presents a three-party attack. Charlie produces a Trojan horse applet. Bob likes it and uses it in his Web page. Alice views Bob's page, and Charlie's applet establishes a covert channel to Charlie. The applet leaks Alice's information to Charlie. No collusion with Bob is necessary. Although Netscape and HotJava allow network connections only to the host from which the applet was loaded, this restriction is not enforced properly because of a number of implementation errors.

The accept() system call, used to receive a network connection initiated on another host, is not protected by the usual security checks in HotJava. This allows an arbitrary host on the Internet to connect to a HotJava browser as long as the location of the browser is known. For this to be a useful attack, the applet needs to signal the external agent to connect to a specified port. Even a low-bandwidth covert channel is sufficient to communicate this information.

If the Web server that served the applet is running an SMTP mail daemon, the applet can connect to it and transmit an email message to any machine on the Internet. Additionally, DNS can be used as a two-way communication channel to an arbitrary host on the Internet. An applet might reference a fictitious name in the attacker's domain. This transmits the name to the attacker's DNS server, which could interpret the name as a message, and then send a list of arbitrary 32-bit IP numbers as a reply. Repeated DNS calls by the applet establish a channel between the applet and the attacker's DNS server. This channel can also pass through firewalls. [Dean]
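Seen from the resolver side, the DNS channel described above shows up as one client requesting many distinct, random-looking names under a single domain. The following is an added example, not part of the original text: a small detector run over a constructed query log. The log format, the thresholds, and the "last two labels" zone rule are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<client> <queried name>". Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.org
10.0.0.5 mail.example.org
10.0.0.5 www.example.org
10.0.0.7 k3f9a0c2e7b14d58.t.attacker.example
10.0.0.7 9b2d71e0aa4c63f1.t.attacker.example
10.0.0.7 04ce8815d3f7b26a.t.attacker.example
10.0.0.7 e1a67f3309bc2d48.t.attacker.example
10.0.0.7 5d0f92c4b781e63a.t.attacker.example
10.0.0.9 static.example.net
"""

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_zones(log, min_unique=4, min_entropy=3.0):
    """Return {(client, zone): unique_name_count} for likely DNS channels."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, name = parts
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        zone = ".".join(labels[-2:])  # assumption: zone = last two labels
        seen[(client, zone)].add(".".join(labels[:-2]))
    flagged = {}
    for key, subs in seen.items():
        # Many never-repeated, high-entropy names under one zone is the signal.
        avg = sum(entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg >= min_entropy:
            flagged[key] = len(subs)
    return flagged

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE_LOG))
```

Ordinary browsing repeats a handful of short names per domain, so it stays below both thresholds; real deployments would tune them and use a public-suffix list instead of the two-label rule.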

Another third-party channel is available with the URL redirect feature. Normally, an applet may instruct the browser to load any page on the Web. An attacker's server could record the URL as a message, then redirect the browser to the original destination.

Copyright © 1996 Virginia Polytechnic Institute & State University
All Rights Reserved

Vijay Sureshkumar <vijay@csgrad.cs.vt.edu>
Last modified: Sun Oct 20 21:52:09 1996