Security Attacks on Jini
Introduction
Jini is a new distributed systems technology from Sun Microsystems. It differs
from other distributed systems such as CORBA in a number of ways:
- The reliance on the location of naming services is reduced by using
multicast search methods
- The reliance on strings to label services is reduced by using
object-oriented class matching methods
- Requirements for code implementations to exist on clients are reduced
by using downloadable code from services
The ability to download code from one agent to another introduces a range
of security issues. Any party that downloads code from a remote source
may be attacked by that code.
While many of the attacks can be addressed by the new security model in JDK 1.2,
programmers and users of Jini systems need to be aware of the attacks that can be
made, of the potential damage they can do, and what can be done to guard against
attack.
This paper gives a survey of Jini attacks. Some of these are well known in the
Jini community, some are less well known. This paper is intended to be an
"extensible document": as new attacks or solutions are discovered
the document will be modified to cover this information.
Jini Overview
Cause of the Problem
JDK 1.2 Security Model
Deficiencies of Current Model
Attacks by LookupServices
Attacks by Services
Attacks by Clients
Attacks on LookupServices
Attacks on Clients
Attacks on Services
Attacks on rmid
Jan Newmarch (http://pandonia.canberra.edu.au)
jan@ise.canberra.edu.au
Last modified: Mon May 8 09:52:26 EST 2000
Copyright © Jan Newmarch