Extension Security
Downloading code, as usual, opens up a variety of security issues.
Possible Attacks
-
Overwrite system files as root (or as whatever uid the HTTP server process
runs under).
-
Supply a request body, set the method to PUT, and get the server to overwrite
system files.
-
Read confidential data on the system.
-
Consume unreasonable amounts of disk, memory, or CPU (a denial of service
attack).
-
Replace a legitimate extension with a counterfeit. This could happen if one
of the agents served as a clearinghouse, and, if the download itself is not
authenticated, anywhere on the path between the extension's source and the
agent that loads it.
Solutions
-
Hobble the extension with a paranoid Java Security Manager. This is likely to
render all but the most trivial server-side extensions useless, since most of
them need to touch files, sockets or other resources the manager would deny.
Some client-side presentation extensions may still be practical.
-
Get extensions only from a trusted site. Such a site could serve as a
clearinghouse for extensions that had been reviewed and deemed neither
malicious nor negligent. Trusting the site only helps if the agent can tell
that what it received really came from there; an unauthenticated download can
be substituted in transit.
-
Extension approval and signing by a trusted site, so that the loading agent
can verify the origin and integrity of the bytes before it runs them.
-
Divide extensions into security classes with different authorization demands.
Stream extensions, which only transform the data passing through them, could
operate well within a security manager, while it is much harder to validate
all the possible actions that a resource extension may take.
-
Assign a government agency to monitor the actions of all the mean or stupid
people - Hey, why is that van still parked across the street?
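The following is an added example, not PEPsample code, showing what the "paranoid Security Manager" option and the stream/resource split from the list above look like in practice. It installs a SecurityManager that denies file modification, network access and VM control to any class defined by a dedicated extension class loader, while host code keeps its privileges. The class names, the two sample extensions, and the use of class-path bytes as a stand-in for a network download are all assumptions of the example. It runs as written on JDK 17 (with deprecation warnings); JDK 18 to 23 need -Djava.security.manager=allow; JDK 24 removed the ability to install a Security Manager, so System.setSecurityManager throws there.

```java
import java.io.FileOutputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.io.InputStream;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Paranoid Security Manager for downloaded extensions (example code, not PEPsample's). */
public final class ExtensionSandbox extends SecurityManager {
    private final IsolatingLoader extensionLoader;

    public ExtensionSandbox(IsolatingLoader extensionLoader) {
        this.extensionLoader = extensionLoader;
    }

    /** True if any frame on the current call stack belongs to an extension class. */
    private boolean extensionOnStack() {
        for (Class<?> c : getClassContext()) {
            // Identity lookup, not c.getClassLoader(): that call would itself trigger a
            // permission check and recurse back into this manager.
            if (extensionLoader.defined.contains(c)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void checkPermission(Permission perm) {
        if (!extensionOnStack()) {
            return; // host code is unrestricted in this example
        }
        if (perm instanceof FilePermission) {
            String actions = perm.getActions();
            if (actions.contains("write") || actions.contains("delete") || actions.contains("execute")) {
                throw new SecurityException("extension may not modify files: " + perm.getName());
            }
        } else if (perm instanceof SocketPermission) {
            throw new SecurityException("extension may not use the network: " + perm.getName());
        } else if (perm instanceof RuntimePermission) {
            String name = perm.getName();
            if (name.startsWith("exitVM") || name.equals("setSecurityManager") || name.equals("createClassLoader")) {
                throw new SecurityException("extension may not control the VM: " + name);
            }
        }
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    /** Defines extension classes in isolation and records them so the sandbox can recognise them. */
    public static final class IsolatingLoader extends ClassLoader {
        final Set<Class<?>> defined = ConcurrentHashMap.newKeySet();

        IsolatingLoader() {
            super((ClassLoader) null); // bootstrap parent: java.* resolves, application classes do not
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            // Stand-in for a network download: re-read the class bytes from the class path.
            try (InputStream in = ExtensionSandbox.class.getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                byte[] b = in.readAllBytes();
                Class<?> c = defineClass(name, b, 0, b.length);
                defined.add(c);
                return c;
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** A "stream" extension: it only transforms bytes and needs nothing the sandbox denies. */
    public static final class UpperCaseStream implements Runnable {
        public void run() {
            byte[] buf = "pep sample".getBytes();
            for (int i = 0; i < buf.length; i++) {
                buf[i] = (byte) Character.toUpperCase(buf[i]);
            }
            System.out.println(new String(buf));
        }
    }

    /** A "resource" extension that tries to write a file; the sandbox refuses it. */
    public static final class FileWritingExtension implements Runnable {
        public void run() {
            try (FileOutputStream out = new FileOutputStream("extension-owned.txt")) {
                out.write("overwritten".getBytes());
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        IsolatingLoader loader = new IsolatingLoader(); // create before the manager is installed
        System.setSecurityManager(new ExtensionSandbox(loader));
        for (String ext : new String[] {"ExtensionSandbox$UpperCaseStream", "ExtensionSandbox$FileWritingExtension"}) {
            Runnable r = (Runnable) loader.loadClass(ext).getDeclaredConstructor().newInstance();
            try {
                r.run();
                System.out.println(ext + ": allowed");
            } catch (SecurityException e) {
                System.out.println(ext + ": blocked (" + e.getMessage() + ")");
            }
        }
    }
}
```

The stream extension completes; the file-writing one is stopped by the SecurityException that FileOutputStream raises through checkWrite. The recognition is by loader identity rather than by package or class name, because a downloaded extension can call itself anything it likes. The denial list is deliberately short and illustrates why the text calls the approach "hobbling": an extension that legitimately needs to write a cache file or open a back-end socket cannot run at all under it.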
PEPsample measures
Because PEPsample was designed to be simple to understand, and because many
of the security issues would be agent dependent, it was deemed impractical
to authenticate dynamically loaded extensions. For safety's sake, all dynamic
downloading defaults to disabled. If you wish to enable it, set
allowNetworkExtensions=true in
URLClassLoader.
Be aware of what that switch means: since the downloaded code is not
authenticated, any extension the agent fetches runs with the agent's own
privileges, so enable it only where you trust every site it can fetch from
and the network path to them.
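As an added example, not PEPsample's URLClassLoader, here is a loader that combines the "signing by a trusted site" solution from the list above with the allowNetworkExtensions switch just described: network fetching stays off unless the switch is set, and even then a class is defined only if a detached SHA256withRSA signature from the trusted site verifies over the exact bytes received. The class name, the ".class.sig" companion-file convention, the signature algorithm, and the use of class-path bytes to stand in for a download in main are assumptions of the example. It needs JDK 9 or later and no Security Manager.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

/** Loader that authenticates extension bytes before defining them (example code, not PEPsample's). */
public final class SignedExtensionLoader extends ClassLoader {
    private final PublicKey trustedSiteKey;
    private final boolean allowNetworkExtensions;

    public SignedExtensionLoader(PublicKey trustedSiteKey, boolean allowNetworkExtensions) {
        super(SignedExtensionLoader.class.getClassLoader());
        this.trustedSiteKey = trustedSiteKey;
        this.allowNetworkExtensions = allowNetworkExtensions;
    }

    /** Verify the trusted site's signature over the class bytes. */
    public static boolean verify(PublicKey key, byte[] classBytes, byte[] signature) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(classBytes);
        return s.verify(signature);
    }

    /** Define the class only after the bytes are authenticated; a counterfeit never reaches the VM. */
    public Class<?> defineSigned(String name, byte[] classBytes, byte[] signature) throws GeneralSecurityException {
        if (!verify(trustedSiteKey, classBytes, signature)) {
            throw new SecurityException("bad or missing signature for extension " + name);
        }
        return defineClass(name, classBytes, 0, classBytes.length);
    }

    /** Network path, disabled by default like PEPsample's switch; the ".sig" file is an assumed convention. */
    public Class<?> loadNetworkExtension(String name, URL codeBase) throws IOException, GeneralSecurityException {
        if (!allowNetworkExtensions) {
            throw new SecurityException("network extensions are disabled (allowNetworkExtensions=false)");
        }
        String path = name.replace('.', '/') + ".class";
        return defineSigned(name, fetch(new URL(codeBase, path)), fetch(new URL(codeBase, path + ".sig")));
    }

    private static byte[] fetch(URL url) throws IOException {
        try (InputStream in = url.openStream()) {
            return in.readAllBytes();
        }
    }

    /** Sample extension whose class-path bytes stand in for a download. */
    public static final class Greeter implements Runnable {
        public void run() {
            System.out.println("hello from a signed extension");
        }
    }

    /** Offline demo: act as the trusted site (sign), the agent (verify), then an attacker (tamper). */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair site = kpg.generateKeyPair(); // the trusted site's key pair, generated here for the demo

        String name = "SignedExtensionLoader$Greeter";
        byte[] classBytes;
        try (InputStream in = SignedExtensionLoader.class.getResourceAsStream("/" + name + ".class")) {
            if (in == null) {
                throw new IllegalStateException("run from the directory where javac wrote the class files");
            }
            classBytes = in.readAllBytes();
        }
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(site.getPrivate());
        signer.update(classBytes);
        byte[] sig = signer.sign();

        SignedExtensionLoader loader = new SignedExtensionLoader(site.getPublic(), true);
        Runnable ext = (Runnable) loader.defineSigned(name, classBytes, sig).getDeclaredConstructor().newInstance();
        ext.run();

        byte[] counterfeit = classBytes.clone();
        counterfeit[counterfeit.length - 1] ^= 0x01; // one flipped byte: a substituted extension
        try {
            loader.defineSigned(name, counterfeit, sig);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        try {
            new SignedExtensionLoader(site.getPublic(), false).loadNetworkExtension(name, new URL("http://extensions.example/"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points matter here. The signature is checked over the bytes that are actually handed to defineClass, so there is no window in which verified and loaded contents can differ; and the check binds the bytes to the site's key, not to the URL they came from, which is what defeats the counterfeit-extension attack listed earlier regardless of where the substitution happened. Distributing the site's public key to agents is left out, as it is a deployment question the page does not address.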
Eric Prud'hommeaux,
eric@w3.org,
@(#) $Id: Security.html,v 1.2 1997/08/03 00:39:04 eric Exp $