27-06-2012, 01:38 PM
Addressing Threats and Security Issues in World Wide Web Technology
Abstract
We outline the Web technologies and the related threats within the framework
of a Web threat environment. We also examine the issues surrounding downloadable
executable content and present a number of security services that can be used for
Web transactions, categorised according to the Internet layering model.
Introduction
The World Wide Web (WWW or “Web”) is a distributed hypertext-based information
system developed to be a pool of human knowledge allowing collaborators on remote sites to
share ideas and information [BLCL+ 94]. The Web’s hypertext and multimedia technologies
make it easy for every user to roam, browse, and contribute. From a designer's point of
view the WWW is based on a client-server model. WWW is constructed from programs
that make data available on the network. The WWW consists of.
Web Browsers and Downloadable Executable Content Risks
Recently, the development of downloadable executable content, using Webware
technologies such as Java and ActiveX, has raised new risks [MF96].
While the advantages of using downloadable executable content come from the
increase in flexibility provided by software programs and the wide access to existing
software modules that may be located anywhere around the globe, it is this increase in
flexibility and availability that may raise significant problems. For instance, no user, when
“surfing” the Web, wishes applets or servlets that are executed within her browser to delete
her files or even disclose private information over the network without the user's consent.
Traditional applications, when running on a computer system, obtain access to certain
resources of the system. In a similar way, downloadable executable content could also
obtain access to such resources. While it is acceptable for traditional applications to
utilise such resources, it is not desirable, at least to a certain degree, for downloadable
executable content to do so. This is the case because downloadable executable content,
i.e. the program that is running within a Web browser, is considered to be untrusted and
as such could misuse a system's resources. For instance, a Java applet that runs within a
Web browser should not be able to access resources that are vital to the system. If, therefore, a
Web browser that executes the Java code does not constrain the execution regarding the
utilisation of the system's resources, severe security issues may arise.
System Security Services
In order to provide capabilities for protecting the system assets against the aforementioned
threats, system designers make use of specific security services. Under system
security services we include techniques such as identification and authentication, access control,
auditing, and encryption. The services are typically integrated into the Web servers and
clients and often capitalise on the underlying operating system services.