Firewall Wizards mailing list archives

Re: Mobile Code Security???


From: Steve Bellovin <smb () research att com>
Date: Wed, 29 Apr 1998 17:30:57 -0400

         How is it different, from 30,000 feet, to download a java applet
         from my site and run it, than to download linux and run it? Or
         to buy a copy of Windows NT?

The essential difference, I think, is one of scale.  On the average,
I probably don't buy new programs more than once every few weeks (if
that often).  Corporate machines get even less new software.  But applets?

A quick glance at my .netscape/cache directory shows about 200 files,
roughly 2/3 of which are pictures.  None of the files are more than
18 hours old.  Given the desire of the commercial world for
dancing pig advertisements, we can, I think, assume that a fair
percentage of the 65-odd html files would have some active content.
20%, perhaps?  That works out to about 8 applets per *day*.
(My usual daytime machine isn't showing any applet-bearers in the
cache right now, but that may be because it's mostly pages from one
site.  A check of two other machines I use shows an applet percentage
of 10-33%.)  That's at least 2 orders of magnitude more foreign code
than I normally see.  I don't think our mental or our technical
trust models scale that well.

         UNIX has had
         its share of flaws in its sandbox, just like the flaws in
         Java's sandbox: weird parameters to certain system calls could
         step on uid values in kernel space, etc.

Actually, remarkably few UNIX bugs have been in the kernel.  Most have
either let outsiders in, or have been in setuid programs.
         
         Anyhow - downloadable content? I think ActiveX is dead/dying.
         Java is in trouble, and Javascript isn't in great shape, either.
         Something else will come along soon and it'll probably have
         lame security, too. :) All things being equal, I wish that the
         browser boys had thought to just download C code, then do an
         on-the-fly compilation and link against a "sandbox" shared
         library. It'd have been easier, every bit as portable, and
         fast. Live'n'learn.

A better run-time library can't protect C; you need kernel support for
that.  It's a good question what form it should take.

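The closing point, that a run-time library cannot protect C and only the kernel can, is worth seeing in running code. The example below is added here and is not part of the original thread or anything Bellovin wrote. It assumes Linux and uses seccomp-BPF (a facility that arrived many years after this 1998 message) as one concrete form of the unspecified "kernel support"; the function names `sandbox_open`, `library_sandbox_is_bypassable` and `kernel_sandbox_blocks_raw_syscall` are mine, and the probe file under /tmp is constructed for the demonstration.

```c
/* Added example (not from the original thread): a user-space "sandbox"
 * library cannot confine native C code, because the code can issue system
 * calls itself; a kernel-level policy (here seccomp-BPF, Linux only) can. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy policy a hypothetical sandbox shared library might export in place of
 * open(): refuse anything under /tmp. It binds only callers that use it. */
static int sandbox_open(const char *path, int flags)
{
    if (strncmp(path, "/tmp/", 5) == 0) {
        errno = EACCES;
        return -1;
    }
    return open(path, flags);
}

/* Constructed probe file under /tmp; 0 on success (path filled), -1 if not. */
static int make_probe_file(char *path, size_t len)
{
    snprintf(path, len, "/tmp/mobile-code-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Downloaded C code need not call the library at all. Returns 1 if the raw
 * openat() syscall succeeded where the wrapper refused (policy bypassed),
 * 0 otherwise, -1 on setup error. */
int library_sandbox_is_bypassable(void)
{
    char path[64];
    if (make_probe_file(path, sizeof path) != 0) return -1;
    int via_wrapper = sandbox_open(path, O_RDONLY);
    int via_syscall = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY, 0);
    if (via_syscall >= 0) close(via_syscall);
    unlink(path);
    return (via_wrapper < 0 && via_syscall >= 0) ? 1 : 0;
}

/* Kernel-enforced policy: a seccomp-BPF filter that makes every openat()
 * fail with EACCES however it is reached (libc, syscall(), inline asm).
 * A production filter also checks seccomp_data.arch before trusting nr. */
static int install_deny_openat(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0],
                               .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Repeats the raw-syscall bypass in a forked child with the filter installed.
 * Returns 1 if the kernel refused the open, 0 if it went through, -1 if the
 * filter could not be installed (seccomp unavailable) or fork failed. */
int kernel_sandbox_blocks_raw_syscall(void)
{
    char path[64];
    if (make_probe_file(path, sizeof path) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_deny_openat() != 0) _exit(2);
        int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY, 0);
        _exit((fd < 0 && errno == EACCES) ? 1 : 0);
    }
    int status = 0, result = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        result = (code == 1) ? 1 : (code == 0) ? 0 : -1;
    }
    unlink(path);
    return result;
}

int main(void)
{
    printf("library policy bypassed by raw syscall: %d\n", library_sandbox_is_bypassable());
    printf("kernel (seccomp) filter blocks raw syscall: %d\n", kernel_sandbox_blocks_raw_syscall());
    return 0;
}
```

The first function shows the weakness of the "sandbox shared library" idea from the quoted message: linking against a policy-checking wrapper constrains nothing, since the untrusted code can reach the kernel directly. The second shows the shape kernel support has to take: the policy is attached to the process and checked on the syscall boundary, so the route taken in user space no longer matters. The filter is installed in a forked child so the demonstration does not restrict the calling process.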