Guidelines on Active Content and Mobile Code
Special Publication 800-28 Version 2 (Draft)
Guidelines on Active Content and Mobile Code
Recommendations of the National Institute of Standards and Technology
Wayne A. Jansen, Theodore Winograd, Karen Scarfone

COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
March 2008

U.S. Department of Commerce, Carlos M. Gutierrez, Secretary
National Institute of Standards and Technology, James M. Turner, Acting Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-28 Version 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-28v2, 62 pages (Mar. 2008)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Wayne A. Jansen and Karen Scarfone of the National Institute of Standards and Technology (NIST) and Theodore Winograd of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, particularly Tim Grance and Anoop Singhal of NIST, Edward Tracy of Booz Allen Hamilton, and Kurt Dillard.

Table of Contents

Executive Summary  ES-1
1. Introduction  1-1
  1.1 Authority  1-1
  1.2 Purpose and Scope  1-1
  1.3 Audience  1-1
  1.4 Document Structure  1-2
2. Background  2-1
  2.1 Browser Anatomy  2-3
  2.2 Server Anatomy  2-6
3. Threats  3-1
  3.1 Threat Sources  3-1
  3.2 Basic Threat Model  3-4
  3.3 Categories of Threats  3-6
  3.4 Threat Summary  3-8
4. Technology Related Risks  4-1
  4.1 Client-Side Technologies  4-2
  4.2 Server-Side Technologies  4-8
  4.3 Risk Summary  4-11
5. Safeguards  5-1
  5.1 Management and Operational Safeguards  5-1
  5.2 Technical Safeguards  5-7
  5.3 Safeguard Summary  5-12
6. Summary  6-1
7. References  7-1

List of Appendices

Appendix A— HTTP Request Methods  A-1
Appendix B— HTTP Response Status  B-1
Appendix C— Glossary  C-1
Appendix D— Acronyms and Abbreviations  D-1

List of Figures

Figure 2-1. Basic Components of a Generic Browser  2-5
Figure 2-2. Basic Components of a Generic Web Server  2-7
Figure 3-1. Producer-Consumer Model  3-4
Figure 3-2. Simplified HTTP Transaction  3-5
Figure 3-3. Entities Involved in HTTP Transaction Processing  3-5
Figure 5-1. Filtering Incoming Active Content  5-8
Figure 5-2. Constraining Active Content Behavior with a Software Cage  5-9
Figure 5-3. Verifying Active Content Digital Signatures  5-10
Figure 5-4. Verifying Proofs of Active Content Properties  5-11

List of Tables

Table A-1. Summary of Available Browser Request Methods  A-1
Table B-1. Categories of Server Response Code  B-1

Executive Summary

The private and public sectors depend heavily upon information technology (IT) systems to perform essential, mission-critical functions. As existing technology evolves and new technologies are introduced to provide improved capabilities and advanced features in systems, new technology-related vulnerabilities often arise. Organizations implementing and using advanced technologies must be increasingly on guard. One such category of technologies is active content. Broadly speaking, active content refers to electronic documents that can carry out or trigger actions automatically without an individual directly or knowingly invoking the actions. Exploits based on vulnerabilities in active content technologies can be insidious. The following key guidelines are recommended to organizations for dealing with active content.

Organizations should understand the concept of active content and how it affects the security of their systems.

The use of products with capabilities for producing and handling active content contributes to the functionality of a system as a whole and thus is an important factor in IT procurement and implementation decisions. Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for exploitation by an attacker. Examples of active content are Portable Document Format (PDF) documents, Web pages containing Java applets, JavaScript instructions, or ActiveX controls, word processor files containing macros, Flash and Shockwave media files, spreadsheet formulas, and other interpretable content. Active content may also be distributed embedded in email or as executable mail
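The executive summary lists the document types that can carry active content (PDF, HTML with scripts or applets, Office files with macros) without showing how a handler would recognise them before rendering. The following scanner is an added illustration written for this page; it is not code from NIST SP 800-28 or from NIST. It inspects a file's bytes for the structural markers that mean "this document can carry code" (PDF name objects such as /JavaScript and /OpenAction, a vbaProject.bin part in an Office Open XML package, script and event-handler constructs in HTML) and reports them so that a gateway or mail filter can decide whether to strip, quarantine or pass the file. The marker lists are my selection and are not exhaustive; the sample documents are constructed inline.

```python
"""Report active-content indicators in PDF, Office Open XML and HTML files.

Added example for NIST SP 800-28 Version 2 (not the publication's own code).
Nothing here is rendered or executed; the scanner only looks for markers that
show a document can carry scripts, macros or plug-in content.
"""
import io
import re
import zipfile

# PDF name objects that introduce embedded script or trigger actions when the
# document is opened or an annotation fires (assumed marker list, not exhaustive).
PDF_PATTERN = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

# HTML constructs that introduce script, applet or plug-in (ActiveX, Flash) content.
HTML_PATTERNS = {
    "script element": re.compile(rb"<script\b", re.I),
    "event-handler attribute": re.compile(rb"\son[a-z]+\s*=", re.I),
    "Java applet": re.compile(rb"<applet\b", re.I),
    "object/embed element": re.compile(rb"<(object|embed)\b", re.I),
}


def scan_pdf(data: bytes) -> list[str]:
    """Return the distinct script/action name objects present in a PDF, sorted."""
    return sorted({m.group(0).decode() for m in PDF_PATTERN.finditer(data)})


def scan_ooxml(data: bytes) -> list[str]:
    """Return macro indicators for an Office Open XML package (docx/docm/xlsm...).

    A VBA project is stored as a vbaProject.bin part inside the zip container,
    so its presence alone means the document carries macros.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [f"VBA macro project: {name}" for name in zf.namelist()
                if name.lower().endswith("vbaproject.bin")]


def scan_html(data: bytes) -> list[str]:
    """Return the labels of HTML active-content constructs found in the bytes."""
    return [label for label, pat in HTML_PATTERNS.items() if pat.search(data)]


def scan(data: bytes) -> dict:
    """Classify the container by its leading bytes and report indicators.

    Returns {"kind": ..., "indicators": [...]}. An empty list means no marker
    was seen, which is weaker than saying the file contains no active content.
    """
    if data.startswith(b"%PDF"):
        return {"kind": "pdf", "indicators": scan_pdf(data)}
    if data.startswith(b"PK\x03\x04"):
        return {"kind": "ooxml", "indicators": scan_ooxml(data)}
    return {"kind": "html/other", "indicators": scan_html(data)}


# --- constructed sample inputs (not real files) ---------------------------------

# Minimal PDF whose catalog runs a JavaScript action on open.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"%%EOF\n"
)

# HTML page with an inline script and an onload handler.
SAMPLE_HTML = b'<html><body onload="init()"><script>init()</script><p>hi</p></body></html>'

# HTML page with no script, handlers or plug-ins.
PLAIN_HTML = b"<html><body><p>hi</p></body></html>"


def build_macro_docx() -> bytes:
    """Build an in-memory Office Open XML package that carries a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header bytes only
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("pdf", SAMPLE_PDF), ("docm", build_macro_docx()),
                        ("html", SAMPLE_HTML), ("plain", PLAIN_HTML)]:
        print(label, scan(blob))
```

The scanner is deliberately byte-oriented rather than a full parser: a filtering gateway (the role of Figure 5-1 in the document) wants a cheap, fail-closed test that does not itself evaluate the content. Compressed or encoded PDF object streams and legacy binary Office formats are outside what this check sees, so a hit is reliable evidence of active content while a miss is not evidence of its absence.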