Hostile Applets Home Page
Jeff Nelson (jnelson@dialogosweb.com)
Fri, 10 Jan 1997 16:05:00 -0500
Date: Fri, 10 Jan 1997 16:05:00 -0500
From: jnelson@dialogosweb.com (Jeff Nelson)
To: java-security@java
Subject: Hostile Applets Home Page
I just wanted to make sure you folks had seen this page.
http://www.math.gatech.edu/~mladue/HostileApplets.html
--
DiaLogos, an ICL Dais Partner, delivers support, education, consulting
and implementation services to organizations building high-performance
distributed applications based on CORBA 2.0.
Http://www.dialogosweb.com
Hostile Applets Home Page
A Collection of Increasingly Hostile Applets
These simple Java applets were created in order to point out the potential for downloading hostile applets. They weren't designed to be beautiful. Clearly there are many more effective ways that things can be done, and the presence of hostile activity need not be advertised at all.
They've been tested on a Sun Sparcstation 20 running Solaris 2.5 and OpenWindows 3.5. They've also been tested on a DEC Alpha running Digital UNIX V3.2C and an SGI Indy running Irix 5.3. How effective they are depends on how you have things set up, so in any case you should exercise due caution in exploring their effects.
These Java applets perform hostile acts.
- Here's a bear that insists on marching to the beat of a different drummer.
- This simple applet can bring Netscape 3.0 to its knees.
- Here's another applet that makes Netscape 3.0 hang.
- This one makes Netscape 3.0 keel over after giving you enough time to go elsewhere.
- This applet asserts its good intentions, but then tries to take control of your workstation.
- This unfriendly fellow attempts to pop up an untrusted applet window in disguise. If you quit, it will attack you; but if you send a login and password.... When the applet happens to be successful, your host name, IP address, login, and password will appear in the logfile in this directory. [I've shut this one down, but you can still see some of its results.]
- By all appearances this applet seems to do nothing, just as it asserts. In reality, however, you will be factoring an integer and reporting the results back to me. (The integer appears on this web page as the parameter named "tobefactored," and the results of your factoring calculations will appear in the primelog in this directory. The results may take a few moments to appear, so feel free to browse around elsewhere and return later.) [This one is also shut down, but you can still see some of its results.]
- This one is a self-defending applet killer. It will stop any other applets that are running and kill any applets that you load after that.
- Try this Netscape Attack applet too.
- If the little applet included on this page was successful, in a moment you'll find your e-mail address (including your user name) added to my list of penpals. [Unfortunately, I had to shut it down because it was starting to cause the server some problems, but you can still see some of its results.]
- The source code for these hostile applets and applications is now available.
- Here's an introductory article about them. A slightly different version of it appears in a recent Java book, which you can read online.
- And here's another recent article that appeared in the Online Business Consultant's "Java Black Widows" series.
- The scope of Java Security has been defined so narrowly as to exclude, by its very definition, significant programmed threats. Many of the problems posed by executable content have not been solved, and the wider issues of security within the Java Platform have scarcely been raised. In this latest article, which is slated to appear in the Spring 1997 issue of the Computer Security Institute's Computer Security Journal, you'll find an overview and analysis of this year's Java security problems as well as some thoughts on the dangers of Java applications, including several illustrative examples.
- Java Platform Viruses now exist. We should expect that in the future the dangers posed by Java applets will pale in comparison to those posed by Java viruses and other Java-based threats. A forthcoming paper, "When J.A.V.A. Was One: The Evolution of Java Platform Viruses" (not available yet), will discuss the issues, assess the potential threats, and examine several concrete examples of Java viruses. An accompanying Java Platform Virus Demonstration Kit (a preview of its contents is now available) will contain the source code and tools needed to test and understand some non-threatening examples.
Now that you've seen how sneaky and disruptive these applets can be, you might like some more information about them. In addition to my articles and source code, you might also like to read some recent papers by Dean, Felten, and Wallach on Java Security. For a more complete introduction to the subject, check out Java Security: Hostile Applets, Holes and Antidotes by Ed Felten and Gary McGraw.
If you remain unconvinced that UNIX viruses really do exist in the wild, I recommend that you read some of the white papers that you'll find at CyberSoft, Inc., and by all means track down some of the references that they give.
And you can drop me a line if you like. You'll find me at mladue@math.gatech.edu.