Java Applet Client Security
Author
Christensen, Dan Lund
Term
4. term
Education
Publication year
2007
Abstract
Denne rapport undersøger, hvordan man kan forbedre sikkerheden for Java-klientprogrammer over for tre udbredte angreb: man-in-the-middle (MITM), phishing og manipulation (uautoriserede ændringer). Analysen gennemgår eksisterende sikkerhedsmekanismer og teknologier, der kan afværge disse angreb. Konklusionen er, at der findes velafprøvede løsninger mod MITM og phishing, men ingen pålidelige mekanismer, der effektivt forhindrer manipulation af Java-klientprogrammer. Derfor skifter projektet fokus til at designe og implementere en prototype på en manipulationssikring (tamper-proofing) for Java-klienter. Rapporten dokumenterer designet og implementeringen samt test af prototypen. Testene viser, at mekanismen ikke er tilstrækkelig til at gøre klienten reelt manipulationssikker. Dog blev der observeret en nyttig egenskab: ved at indlejre en ulovlig (regelstridig) byte array-operation kan det muligvis lade sig gøre at have kortvarig tillid til klienten. Dette peger på en retning for videre arbejde med praktisk manipulationsmodstand i Java-applikationer.
This report explores how to improve the security of Java client applications against three common attacks: man-in-the-middle (MITM), phishing, and tampering (unauthorized modification). The analysis reviews existing security mechanisms and technologies to prevent these attacks. It finds that proven solutions exist for MITM and phishing, but no reliable mechanism prevents tampering of Java client programs. Based on this, the project focuses on designing and implementing a prototype tamper-proofing mechanism for Java clients. The design, implementation, and testing of the prototype are documented. Tests show the mechanism is not sufficient to make the client truly tamper-proof. However, a useful property was observed: embedding an illegal (rule-breaking) byte array operation may allow short-term trust in the client. This suggests a direction for further work on practical tamper-resistance in Java applications.
[This abstract was generated with the help of AI]
Documents