Guidelines on Active Content and Mobile Code
Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication
Series/Number: NIST Special Publication 800-28
Title: Guidelines on Active Content and Mobile Code
Publication Date(s): October 2001
Withdrawal Date: March 2008
Withdrawal Note: SP 800-28 is superseded in its entirety by the publication of SP 800-28 Version 2 (March 2008).

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-28 Version 2
Title: Guidelines on Active Content and Mobile Code
Author(s): Wayne A. Jansen, Theodore Winograd, Karen Scarfone
Publication Date(s): March 2008
URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-28ver2

Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Lab)
Latest revision of the attached publication: SP 800-28 Version 2 (as of June 19, 2015)
Related information: http://csrc.nist.gov/
Withdrawal announcement (link): N/A
Date updated: June 19, 2015

NIST Special Publication 800-28
Guidelines on Active Content and Mobile Code
Recommendations of the National Institute of Standards and Technology
Wayne A. Jansen

COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

October 2001

U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Karen H. Brown, Acting Under Secretary of Commerce for Technology
National Institute of Standards and Technology
Karen H. Brown, Acting Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-28
Natl. Inst. Stand. Technol. Spec. Publ. 800-28, 53 pages (Oct. 2001)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON: 2001
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov   Phone: (202) 512-1800   Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

Table of Contents

Foreword ..... v
Executive Summary ..... v
Introduction ..... 1
Background ..... 1
    Browser Anatomy ..... 3
    Server Anatomy ..... 8
Threats ..... 11
    Underlying Issues ..... 14
    Categories of Threats ..... 16
Technology Related Risks ..... 17
    PostScript ..... 19
    Portable Document Format ..... 20
    Java ..... 20
    JavaScript and VBScript ..... 22
    ActiveX ..... 22
    Desktop Application Macros ..... 24
    Plug-ins ..... 25
    CGI and Related Interfaces ..... 26
Safeguards ..... 27
    Security Policy ..... 27
    Risk Analysis and Management ..... 28
    Evaluated Information Technology ..... 29
    Security Audit ..... 30
    Application Settings ..... 30
    Version Control ..... 31
    Incident Response Handling ..... 31
    Automated Filters ..... 31
    Behavioral Controls ..... 32
    Readers ..... 32
    Digital Signature ..... 33
    Isolation ..... 33
    Minimal Functionality ..... 34
    Least Privilege ..... 34
    Layered and Diverse Defenses ..... 34
Summary ..... 35
Terminology ..... 37
On-line Resources ..... 40
References ..... 41
Annex A – HTTP Request Methods ..... 46
Annex B – HTTP Response Status ..... 46

Foreword

This document provides guidelines for Federal organizations' acquisition and use of security-related Information Technology (IT) products. These guidelines provide advice to agencies for sensitive (i.e., non-national security) unclassified systems. NIST's advice is given in the context of larger recommendations regarding computer systems security.

NIST developed this document in furtherance of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996 (specifically section 15 of the United States Code (U.S.C.) 278 g-3(a)(5)). This is not a guideline within the meaning of 15 U.S.C. 278 g-3 (a)(3). These