Java Security Model: COEN 351: E-Commerce Security

Java Security Model
COEN 351: E-Commerce Security

Java Security Model
 High-level Features:
 Platform Security: Built-in language security features
enforced by the Java compiler and virtual machine:
 Strong data typing
 Automatic memory management
 Bytecode verification
 Secure class loading
 Cryptography
 Comprehensive API
 digital signatures
 message digests
 ciphers (symmetric, asymmetric, stream & block)
 message authentication codes
 key generators and key factories
 Support for a wide range of standard algorithms including RSA,
DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
 PKCS#11 cryptographic token support
Java Security Model
 Authentication and Access Control
 Abstract authentication APIs that can
incorporate a wide range of login mechanisms
through a pluggable architecture.
 A comprehensive policy and permissions API
that allows the developer to create and
administer applications requiring fine-grained
access to security-sensitive resources
Java Security Model
 Secure Communications APIs and
implementations:
 Transport Layer Security (TLS),
 Secure Sockets Layer (SSL),
 Kerberos (accessible through GSS-API),
 Simple Authentication and Security Layer
(SASL).
 Support for HTTPS over SSL/TLS.
Java Security Model
 Public Key Infrastructure (PKI)
 Tools for managing keys and certificates and comprehensive,
abstract APIs with support for the following features and

algorithms:
 Certificates and Certificate Revocation Lists (CRLs): X.509
 Certification Path Validators and Builders: PKIX (RFC 3280),
On-line Certificate Status Protocol (OCSP)

 KeyStores: PKCS#11, PKCS#12
 Certificate Stores (Repositories): LDAP, java.util.

Java 2 Platform Security
 Language is type-safe, and easy to use. (So that mistakes are less
likely.)
 Done with language features such as
 Automatic memory management
 Garbage collection
 Range checking on strings and arrays.
 Code is executed in the Java Virtual Machine (JVM).
 JVM simulates execution of Java Byte Code.
 Compiler and bytecode verifier ensure that only legitimate Java
bytecodes are executed.
 Bytecode verifier and JVM guarantee language safety at run time.
 Classloader defines a local name space:
 An untrusted applet cannot interfere with the running of other programs.
 JVM mediates access to crucial system resources.
 SecurityManager class restricts the actions of Java code.
 Original Sandbox Model
 Code is executed in the Java Virtual Machine
(JVM).
 JVM simulates execution of Java Byte Code.
 Sandbox model allows code to run in a very
restricted environment.
 Local code however has full access to valuable
system resources.
 JDK 1.1: “Signed Applet”
 Correctly signed applet is treated as trusted
applet.
 Applets and signatures are delivered in the JAR
(Java Archive) format.
 Untrusted applets run in the sandbox.
 Java 2 Platform Security
 Fine-grained access control.
 Previously, the application writer had to do substantial
programming
 (e.g., by subclassing and customizing the SecurityManager
and ClassLoader classes).
 The HotJava browser 1.0 allows the user to choose from
a small number of different security levels.
 Easily configurable security policy.
 Easily extensible access control structure.
 Extension of security checks to all Java programs,
including applications as well as applets.
 Trust of local code is no longer a built-in concept.
Java 2 Platform Security:
Protection Domains
 Protection Domains
 Set of objects that are currently directly accessible
by a principal.
 Principal is an entity in the computer system to
which permissions are granted.
 Serves to group and to isolate between units of
protection.
 Protection domains are either system domains or
application domains.
 Example: JDK 1.0 sandbox is a protection
domain
Protection Domains
Protection Domains
 A domain conceptually encloses a set of
classes whose instances are granted the
same set of permissions.
 Protection domains are determined by the
policy currently in effect.
 The Java application environment maintains a
mapping from code (classes and instances) to
their protection domains and then to their
permissions.
Protection Domains
Protection Domains
 Java thread can completely occur within a
single protection domain.
 Can also involve application domain and
system domain.
 Examples:
 Application prints out a message.
 Needs to interact with system domain that is the access
point to an output stream.
 AWT system domain calls an applet’s paint method to
display it.
 Important:
Protection Domains
 Normal rule:
 The permission set of an execution thread is the
intersection of the permissions of all protection
domains traversed by the execution thread.
 Exception: doPrivileged call
 Enables a piece of trusted code to temporarily enable
access to more resources than are available directly to
the application that called it.
 Example:
 Application may not be allowed direct access to files that
contain files, but the system utility displaying those fonts
needs to obtain them on behalf of the user.
Protection Domains
 When access to a critical system
resource (such as file I/O and network
I/O) is requested:
 the resource-handling code invokes a
special AccessController class method
 Evaluates the request
 Decides if the request should be granted or
denied.
Protection Domains
 Each domain needs to implement
additional protection of internal
resources.
 Example:
 Banking application needs to maintain
internal concepts of
 checking accounts
 deposits
 withdrawals
Why:
 Original Problem:
 Users download programs that contain viruses
and worms (even in commercial software).
 Java machines executes downloaded codes,
which make the problem worse.
 Early work focuses on this issue:
 Java programs are secure because they cannot
install, run, or propagate viruses.
Why:
Remote Class Files Signed Class Files Local Class Files
Bytecode Verifier
Core API Class Files Class Loader
Core Java API

Security Package
Security Manager
Key Database
Access Controller
Operating System
Why:
 Bytecode verifier:
 Ensures that Java class files follow the
rules of Java.
 Enforces memory protections for all Java
programs.
 Class loader:
 Class loader sets permissions for each class
it loads.
Why:
Bytecode Verifier
Core Java API

Security Package
Security Manager
Key Database
Access Controller
Operating System
Why:
 Access Controller
 Allows / prevents most access from the core API
to the operating system
 Based on policies set by the end user or system
administrator.
 Security Manager
 Primary interface between the core API and the
OS
 Responsible for allowing or preventing access to
all system resources.
 Exists mainly for historical reasons: defers actions
to access controller.
Why:
Bytecode Verifier
Core Java API

Security Package
Security Manager
Key Database
Access Controller
Operating System
Why:
 Security Package
 Classes in java.security package and those in
security extensions.
 Add security features to applications
 Provides bases for signing Java classes.
 Message digests
 Keys and certificates
 Digital signatures
 Encryption
 Authentication
Why:
Bytecode Verifier
Core Java API

Security Package
Security Manager
Key Database
Access Controller
Operating System
Why:
 Key database
 Set of keys used by the security
infrastructure to create or verify digital
signatures.
Why:
Bytecode Verifier
Core Java API

Security Package
Security Manager
Key Database
Access Controller
Operating System
Why:
 Java Sandbox
 Permissions
 Type, name, and action of permission
 Code sources
 Location from which a class has been loaded (URL)
 Info on signer (if code is signed)
 Association of permissions with a particular code
 Policy files
 Entries that define protection domains
 Keystores
Why:
 Comparison with C++
 C++ has same access levels
 private, (default = package in Java), protected, public
 However, C++ allows backdoors that give access
to protected or private parts of objects
 Casting into an arbitrary memory pointer will do that.
 This is not a security problem if the code
comes from the same entity.
 It is a security problem if trusted and
untrusted code needs to comingle
Why:
 Java provides memory integrity
 Access methods are strictly adhered to.
 Programs cannot access arbitrary memory locations.
 No pointers in Java.
 Entities declared as final must not be changed.
 Otherwise:
 A public final variable could be changed.
 Attacker changes the values of EAST and WEST in
GridBagConstraints and now all applets will change the layout

of maps.
 A subclass overrides a final method and alters its behavior.
 Attacker overrides the SetPriority() method of the Thread
class.
 A subclass can be created from a final class such as String.
 Suddenly, String objects are no longer constants.
Why:
 Java provides memory integrity
 Variables may not be used before they are
initialized.
 Attacker declares a huge variable without initialization.
 Attacker can then read large part of memory hoping to
find interesting stuff.
 Array bounds are checked on all array accesses
 Otherwise, buffer overflows by attacker allows
overwriting of adjacent memory.
 Objects cannot be cast into other objects.
Why:
 Memory integrity does not prevent the
owner of the machine to use tools to
look at the memory of an applet.
Why:
 Object Serialization and Memory
Integrity
 Object serialization allows an object to be
written as a series of bytes.
 Needed to exchange objects between clients
and servers.
 Needed to save objects to disk and recreate
them later.
Why:
 Enforcement of language rules:
 Compiler enforcement
 Compiler enforces casting rules, …
Why:
 Byte code verifier
 A mini-theorem prover:
 Class file has the correct format.
 Final classes are not subclassed and final methods are
not overridden.
 Every class has a single superclass.
 There is no illegal data conversion of primitive types.
 There is no illegal data conversion of objects.
 There are no operand stack overflows or underflows.
 Java has a data stack (for methods) and an operand
stack, the latter is protected.

Why:
 Delayed bytecode verification
 Verification of tests for field and method access
is delayed until code is actually executed.
 Runtime enforcement
 Array bounds checking
 Object casting
Security Manager
 Security Manager provides mechanisms for
Java API to see if security related operations
are allowed.
 Access Controller provides bases of the
default implementation of the security
manager.
 Class loader encapsulates information about
security policies and classes.
Security Manager
Program Code
Java API
Native Libraries Security Manager
Access Controller
Operating System Program-Specific resources
Coordination of Security Manager and Access Controller

Security Manager
 Security Manager is in control of the security policy of
an application.
 Determines whether particular operations should be
permitted or denied.
 Access controller does pretty much the same.
 Historical development explains why there are two
similar entities.
 Java 2: Security manager relies more on access controller.
 Java 2: Access controller policies specified by policy files.
 Java 2: More flexible architecture.
 Large body of pre-Java 2 code freezes the main interface to
security procedures, i.e. the security manager.
Security Manager
Program Code
Java API
Access Controller

Security Manager
 Native libraries are still outside of the
scope of security manager and access
controller.
 Ability to load these libraries can be
restricted.
 Security manager sometimes bypasses
the access controller.
Security Manager
 Default setting:
 Java applications have no security
manager.
 Needs to be explicitly installed.
 With the -Djava.security.manager option
 Java applets have a strict security
manager.
Security Manager
Package java.example
Example:
import java.applet.*;

public class MaliciousApplet extends Applet {
 Security exception if public void init() {
try {
run as applet. Runtime.getRuntime().exec(“rmdir foo”);
} catch (Exception e) {
 No exception if run }
System.out.println(e);
as application. }
public static void main(String args[]) {
MaliciousApplet a = new MaliciousApplet();
 But you’ll end up a.init();
deleting a directory. }
}
Security Manager
 Java API algorithm for a potentially
dangerous operation:
1. Programmer makes request to Java API
2. Java API asks security manager if this is allowed.
3. Security manager either disallows by throwing
an exception which the Java API throws back to
the program.
4. Otherwise, Java API completes operation and
returns normally.
Security Manager
 Code with runtime permission
createSecurityManager can create and set a
SecurityManager object.
 SecurityManager class provides a complete
implementation for sandbox.
 This is the one you call by specifying –
Djava.security.manager option to a Java
application.
 Java Plug-in and appletviewer use a modified
implementation of this class and install it before
they load any applets.
Security Manager
 Security Manager Methods
 File Access
 reading, writing, deleting
 Network Access
 socket creation and use.
 Prevents:
 Rogue applet connects to a third machine over the network.
 Rogue applets collects network information and hands it back to the
web server.
 Protection of virtual machine
 Protection of threads
 Protection of system resources
 E.g. untrusted classes cannot print, get clipboard,
 Protection of security aspects
 E.g. access to classes, packages, …
Access Controller
 Access Controller is built upon
 Code sources: where did the code come
from.
 Permissions
 Policies
Security Manager
Program Code
Java API
Access Controller

Access Controller
 Code Source Class
 Simple object
 that reflects the URL (http, file, …) from which
a class was loaded
 that contains the keys that were used to sign
the class.
 Class loaders are responsible for
creating and manipulating code source
objects.
Access Controller
 Permissions
 Consist of
 Type
 e.g. java.io.FilePermission
 Name
 e.g. name of file
 “showWindowWithoutWarningBanner”
 Action
 read file, write file, delete file
 Allow Java API to negotiate access to resources.
 Allow programmer arbitrary permissions for use
within their own programs.
Access Controller
 Policy Class
 Specify which permission applies to which
code source.
 Only a single instance of policy class can
be installed in the virtual machine at any
one time.
Access Controller
 Protection Domain:
 Grouping of code source and permissions.
 When associated with a class:
 Given class was loaded from the site specified
in the code source.
 Was signed by the public keys specified in the
source code.
 Has the permissions represented in the
permission collection object.
Secure Class Loading
 Class Loader is responsible for:
 locating and fetching the class file
 consulting the security policy
 defining the class object with the appropriate permissions
 Dynamic class loading:
 Lazy loading (on demand loading)
 Link-time checks for type safety.
 Programmers can define their own class loaders
 Specify remote locations from which classes are loaded.
 Assign appropriate security attributes for them.
 Class loaders provide separate name spaces.
 Example: browser can load applets from different web pages using
separate class loaders
 Thus maintaining a degree of isolation between those applet classes.
 Multiple instances of class loader objects in
JVM:
 Root is abstract class: java.lang.ClassLoader
 Has subclass java.security.SecureClassLoader
 Has subclass java.net.URLClassLoader
 Utility program Appletviewer uses private class
sun.applet.AppletClassLoader to load applets.
 Primordial Class Loader
 Implemented in sytem-native language loads
classes from the local file system in a platform-
dependent manner.
 Class Loader Delegation:
 Class loader can either load the class itself
 Or ask another class loader to do so.
 Class Resolution Algorithm:
 Check if the class has already been loaded.
 If the current class loader has a specified
delegation parent, delegate to the parent to try to
load this class. If there is no parent, delegate to
the primordial class loader.
 Call a customizable method to find the class
elsewhere.
class C {  Class is defined in a machine-independent
binary representation
void f() {
D d = new D();
…
}
 Called the class file
}
 Example: class file of C contains reference to
class D.
 Symbolic reference is resolved at link time.
 Class loader for C is the initiating loader for class
D.
 Class loader for C can delegate to a second class
loader, etc.
 Delegation relationship is formed at run-time.
 Class loader performs:
1. Consults security manager.
2. If class loader has already loaded the class, find previously
defined class object.
3. Otherwise, class loader goes to parent to see whether the parent
knows how to load the class. (Recursive call)
4. Consults security manager to see if the program is allowed to
create the class.
5. Class file is read into a byte array.
6. Create protection domain for the class.
 Consult default security model
7. Construct class object from bytecode. Get permissions associated
with the code source.
8. Resolve class: any immediate references to other classes must
be found.
Java Security Problems
 Security model does not protect against
all bad things:
 Applets that perform annoying tasks
 e.g. using up CPU.
 Installing a local class file or local native
library:
 An applet can call them if not prevented.
 Newer versions of browsers mitigates the adverse
potential.

Java Security Model: COEN 351: E-Commerce Security

Uploaded by

Copyright:

Available Formats

You might also like

Java Security Model: COEN 351: E-Commerce Security

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Java Security Model: COEN 351: E-Commerce Security

Uploaded by

Copyright:

Available Formats

Java Security Model

COEN 351: E-Commerce Security

abstract APIs with support for the following features and

 Certification Path Validators and Builders: PKIX (RFC 3280),

On-line Certificate Status Protocol (OCSP)

 Certificate Stores (Repositories): LDAP, java.util.

Core API Class Files Class Loader

Core Java API

Core API Class Files Class Loader

Core Java API

Core API Class Files Class Loader

Core Java API

Core API Class Files Class Loader

Core Java API

Core API Class Files Class Loader

Core Java API

GridBagConstraints and now all applets will change the layout

stack, the latter is protected.

Operating System Program-Specific resources

Coordination of Security Manager and Access Controller

Operating System Program-Specific resources

Coordination of Security Manager and Access Controller

Operating System Program-Specific resources

Coordination of Security Manager and Access Controller

You might also like