Protecting Java and ActiveX
Saturday, 22 October 2005

Java and ActiveX code is executed locally, on end users' machines, which exposes those machines to attack. That makes it all the more important to know how such attacks can be prevented.

So any Web browser user, whether of Netscape Navigator or Microsoft's Internet Explorer, becomes a rank-and-file soldier in the growing army of Java users. It does not even matter that such a user may be unable to program at all and lays no claim to the rank of a software developer who knows programming languages inside out and can find a bug in C or C++ code blindfolded. A person only has to launch one of the most popular browsers and is already a Java user, like it or not.

Nothing is easier than glancing into the magic world of Java: anyone who has even once seen a rainbow-coloured, rotating name in a browser window can consider the visit made. Microsoft, not wishing to lag behind Sun Microsystems, has offered its own executable code, known as ActiveX. This environment lets developers create controls based on the Component Object Model (COM) architecture, which supports building applications in languages such as C and C++. Java applets are now widely used on Web sites, while only a few sites use ActiveX so far.

Unfortunately, not all users know that both Java and ActiveX send code to the client computer, where that code is executed. All so-called mobile, or transferable, programs land directly on the client system and do there whatever they were written to do. This happens regardless of the user's wishes unless the security settings prohibit it.

It is not hard to guess that the idea of some unknown, "untrusted" code arriving from a remote server on a workstation or a network gateway worries end users and network administrators. After all, nobody really knows who wrote that piece of software or what they had in mind.

Probably everyone who "surfs the Net" has at least once read reports of mobile programs playing dirty tricks on desktop computers. The truth is that most of the press, like most developers, lacks a complete picture of the possible danger that Java and ActiveX carry.

In this article we give a general overview of mobile code, including its importance for anyone doing business, especially over the Internet. We also look at the security models of both Java and ActiveX, and describe the measures that can be taken to avoid falling victim to malicious programs.

LET'S TURN TO JAVA

When Sun introduced Java in early 1995, it seemed to developers and vendors that a magic wand had fallen into their hands. They had every reason to be pleased: Java promised to make the Web truly suitable for commerce and offered a good chance to pull ahead of competitors. Java applets, small pieces of transferable executable code that run on any machine with Web access, gave an advantage to companies that wanted to reach the vast interactive market.

At first applets were used mainly for advertising on the Web. Vendors filled their sites with shining, spinning banners to attract the attention of idle "travelers". Even with these earliest applets, the code that produced them was transferred to the client machine, where a Java-enabled browser executed it. Even then one could only guess who had written that code, and the user faced a choice: give up the beauty of the Web or risk the integrity of the system.

Time passed, the Web "matured", and new uses for Java appeared. From a toy fit only for creating moving pictures, the language turned into a means of implementing push-style software distribution and even electronic commerce.

Impressed by such power, customers began asking serious questions, more and more often, about what Java actually can and cannot do with their computers. So it is extremely useful to get at least a general idea of how Java works and how the Java environment is implemented on the Web.

First, developers write source code in the Java programming language. The compiler transforms this code into Java bytecode. The bytecode, in the form of an applet, is placed on a Web page, which is accessed with a Java-enabled browser. The browser verifies the code, and then the Java Virtual Machine (JVM) executes the applet on the client machine.

Even this brief description makes clear that before Java code gets dangerously close to the user's computer, it undergoes certain procedures intended to keep malicious code out of the system. These include, for example, the mechanism that checks the legitimacy of the code and the execution of the code within a restricted area of the browser. Some of these security measures are described in more detail below.

Shortly after Java became widespread, experts and ordinary users began to find security holes in the Java Developers Kit (JDK). The JDK consists of several components (including the language for translating commands into bytecode and the JVM for executing bytecode on various platforms). In essence it provides the base technology for creating and executing Java code.

"The security holes, which have now been closed, had various origins: some arose from simple implementation errors, others were fundamental in nature," explained Gary McGraw, a researcher at Reliable Software Technologies who has studied Java security issues since the first days of the technology.

He added that each new JDK release (mass shipments of version 1.2 will begin in early 1998) brought new security problems, but the errors found were invariably fixed quickly. "The more complexity, the greater the probability of error," the researcher acknowledged. "I am confident there will be plenty more defects." In McGraw's opinion, because of excessive demand, Silicon Valley companies rush to release code, so security fades into the background.

THE WHOLE WORLD IN A SANDBOX

From the very beginning Java was conceived as a technology that lets a program, once written, run on any platform. Because Java can run on practically any type of system, and because Java applets from a remote server are executed on the client machine, JavaSoft, a division of Sun, worked hard to address security at the level of the programming language. Many vendors like to repeat that "Java security" is nothing but an oxymoron, but the creators of the language knew from the start that security would be crucial to the fate of the technology.

The whole Java security system is built around the so-called sandbox security model (the term can be roughly explained as "a fire box filled with sand"). The idea was already implemented in the early JDK 1.0.x versions. The sandbox provides a restricted environment for running Java applets, that is, untrusted remote code. The essence of the sandbox principle is that local code is considered trusted and has files and other system resources at its disposal, while downloaded remote code does not: it is given access only to certain resources within the sandbox.

Within this model Java gets several additional security functions that protect the systems admitting such code. Each component must be in its place and function properly; otherwise the whole model will not work.

For example, the bytecode verifier must guarantee that only legitimate Java code is executed on the client. When code reaches a client workstation, the verifier checks each fragment for compliance with access restrictions and for integrity.

Another component of Java's protection is the class loader, which determines under what circumstances an applet is allowed to add classes. The results of compiling Java source code are stored in class files containing a variety of data, for example debugging information or data about the class. As a rule, the class loader is supplied with the browser.

There is also a third defender: the Java security manager, which limits the activity of illegitimate code. This component is configurable and, among its many other duties, prevents the installation of new class loaders, controls file operations such as reading and writing, strictly supervises access to local files, and controls the creation of and access to system programs and processes.
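The sandbox rule and the security manager's checks can be modelled in a few lines of Java. This is an added example, not code from the article or from the JDK: it expresses the rule with the `java.security` permission classes that arrived in later JDKs (JDK 1.0.x hard-coded the rule instead), and the class name `SandboxModel`, the origins and the file paths are constructed for illustration.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class SandboxModel {
    // Sandbox rule from the article: local code is trusted, remote code is not.
    static ProtectionDomain domainFor(URL origin) {
        Permissions granted = new Permissions();
        if ("file".equals(origin.getProtocol())) {
            granted.add(new AllPermission());   // local code: files and system resources
        }                                       // remote code: nothing is granted
        CodeSource source = new CodeSource(origin, (Certificate[]) null);
        return new ProtectionDomain(source, granted);
    }

    // The question a security manager answers before a sensitive operation runs.
    static boolean allowed(URL origin, Permission wanted) {
        return domainFor(origin).implies(wanted);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample origins and targets, not taken from the article.
        URL local = URI.create("file:///opt/app/classes/").toURL();
        URL remote = URI.create("http://applets.example.test/demo/").toURL();
        Permission[] wanted = {
            new FilePermission("/home/user/notes.txt", "read"),
            new FilePermission("/home/user/notes.txt", "write"),
            new FilePermission("/bin/sh", "execute"),     // starting a local program
            new RuntimePermission("createClassLoader"),   // installing a new class loader
        };
        for (Permission p : wanted) {
            System.out.printf("%-45s local=%-5b remote=%b%n",
                p.getName() + " " + p.getActions(), allowed(local, p), allowed(remote, p));
        }
    }
}
```

Every check comes back `true` for the local origin and `false` for the remote one, which is the all-or-nothing split the sandbox model describes.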

The quality of Java's protection depends on how well these components cope with code arriving from a remote server. Of course, any defect can render this whole orderly protection system useless, which is why it is so important to keep up with changes in browser software.




 
© 2004-2007 Daita.org