Java Security Model: COEN 351: E-Commerce Security
[Figure: Java 2 platform security architecture. Class files (remote, signed, local) pass through the Bytecode Verifier; the Security Manager and the Access Controller, backed by the Key Database, mediate access to the Operating System.]
Java 2 Platform Security
Bytecode verifier:
- Ensures that Java class files follow the rules of Java.
- Enforces memory protections for all Java programs.
Class loader:
- Associates each class it loads with its code source and with the permissions granted to that code source, i.e. with a protection domain.
Java 2 Platform Security
Why:
Access Controller
- Allows or prevents most access from the core API to the operating system.
- Decisions are based on policies set by the end user or the system administrator.
Security Manager
- Primary interface between the core API and the OS.
- Responsible for allowing or preventing access to all system resources.
- Exists mainly for historical reasons: it defers its decisions to the access controller.
- Status today: deprecated for removal since Java 17 (JEP 411) and permanently disabled as of JDK 24 (JEP 486); the mechanism described on these slides is the Java 2 through Java 17 design.
Security Package
- Classes in the java.security package and those in the security extensions.
- Adds security features to applications.
- Provides the basis for signing Java classes:
  - Message digests
  - Keys and certificates
  - Digital signatures
  - Encryption
  - Authentication
Key database
- Set of keys used by the security infrastructure to create or verify digital signatures (in Java 2, a keystore managed with keytool).
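The signing primitives from the security package and the key database above, as an added example that is not code from the slides: it generates an EC key pair (standing in for a keystore entry), hashes a constructed byte string that stands in for a class file, signs it with SHA256withECDSA, verifies the signature, and shows that a single flipped byte in the class bytes makes verification fail. The class name, the key algorithm and the sample bytes are the example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.HexFormat;

public class ClassSigningDemo {

    /** Message digest: a fixed-size fingerprint of the class bytes. */
    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Digital signature over the data with the signer's private key (the digest is computed inside). */
    static byte[] sign(KeyPair signer, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(signer.getPrivate());
        s.update(data);
        return s.sign();
    }

    /** Verification with the public key that would come from the signer's certificate in the keystore. */
    static boolean verify(PublicKey signerKey, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(signerKey);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Illustrative key pair; in practice it lives in a keystore created with keytool.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair signer = gen.generateKeyPair();

        // Constructed stand-in for the bytes of a class file.
        byte[] classBytes = "constructed stand-in for MaliciousApplet.class".getBytes(StandardCharsets.UTF_8);
        System.out.println("SHA-256: " + HexFormat.of().formatHex(sha256(classBytes)));

        byte[] sig = sign(signer, classBytes);
        System.out.println("signature verifies on original: " + verify(signer.getPublic(), classBytes, sig));

        // One flipped byte in the class file invalidates the signature.
        byte[] tampered = classBytes.clone();
        tampered[0] ^= 0x01;
        System.out.println("signature verifies on tampered: " + verify(signer.getPublic(), tampered, sig));
    }
}
```

This is the same operation jarsigner performs over the entries of a JAR; the verifier side only needs the public key, which is why the key database on the client holds certificates of trusted signers rather than private keys.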
Java Sandbox
- Permissions: type, name, and action of the permission.
- Code sources: the location from which a class has been loaded (a URL) and information on the signer (if the code is signed).
- Protection domains: the association of a set of permissions with a particular code source.
- Policy files: entries that define protection domains.
- Keystores: hold the certificates of the signers referred to in the policy.
Comparison with C++
- C++ has the same access levels: private, protected, public (Java adds the default, package-private level).
- However, C++ allows backdoors that give access to protected or private parts of objects: casting an arbitrary memory pointer will do that.
- This is not a security problem if all the code comes from the same entity.
- It is a security problem if trusted and untrusted code need to commingle.
Java provides memory integrity
- Access modifiers are strictly enforced.
- Programs cannot access arbitrary memory locations: there are no pointers in Java.
- Entities declared final cannot be changed. Otherwise:
  - A public final variable could be changed; an attacker changes the values of EAST and WEST in a class.
  - A subclass could be created from a final class such as String, and String objects would suddenly no longer be constants.
Java provides memory integrity (continued)
- Variables may not be used before they are initialized. Otherwise an attacker declares a huge array without initializing it and reads a large part of memory hoping to find something interesting.
- Array bounds are checked on all array accesses. Otherwise an attacker's buffer overflow overwrites adjacent memory.
- Objects cannot be cast to types they are not instances of.
Memory integrity does not prevent the owner of the machine from using tools to look at the memory of an applet.
Object Serialization and Memory Integrity
- Object serialization allows an object to be written as a series of bytes.
- Needed to exchange objects between clients and servers.
- Needed to save objects to disk and recreate them later.
- Deserialization rebuilds the object from those bytes without running its constructor, so invariants that the language enforces in memory hold only if they are re-checked against the byte stream.
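A concrete illustration of that last point, added here and not part of the slides: an Account class whose constructor rejects negative balances is serialized, the trailing four bytes of the stream (the single int field) are overwritten, and deserialization yields an object the constructor would never have produced; a second class revalidates in readObject and rejects the stream. The class names and the layout assumption (default serialization of a class with one int field, so the field value is the last four bytes of the stream) are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializationIntegrity {

    /** The constructor enforces balance >= 0; no method can change the field afterwards. */
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int balance;
        Account(int balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.balance = balance;
        }
        int balance() { return balance; }
    }

    /** Same invariant, but re-checked when the object is rebuilt from bytes. */
    static class CheckedAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int balance;
        CheckedAccount(int balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.balance = balance;
        }
        int balance() { return balance; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();                       // fills the fields from the stream
            if (balance < 0) throw new InvalidObjectException("negative balance in stream");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Attacker's edit: with default serialization and a single int field, the value is the last 4 bytes. */
    static byte[] setTrailingInt(byte[] stream, int value) {
        byte[] forged = stream.clone();
        int n = forged.length;
        forged[n - 4] = (byte) (value >>> 24);
        forged[n - 3] = (byte) (value >>> 16);
        forged[n - 2] = (byte) (value >>> 8);
        forged[n - 1] = (byte) value;
        return forged;
    }

    public static void main(String[] args) throws Exception {
        byte[] forged = setTrailingInt(serialize(new Account(100)), -1);
        Account a = (Account) deserialize(forged);        // constructor never runs
        System.out.println("Account balance after deserialization: " + a.balance());

        byte[] forged2 = setTrailingInt(serialize(new CheckedAccount(100)), -1);
        try {
            deserialize(forged2);
        } catch (InvalidObjectException e) {
            System.out.println("CheckedAccount rejected: " + e.getMessage());
        }
    }
}
```

Revalidating in readObject closes the gap for this class only; on Java 9 and later, ObjectInputStream.setObjectInputFilter additionally lets the receiver restrict which classes a stream may instantiate at all, which is the first control to apply to any stream from an untrusted party.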
Enforcement of language rules: compiler enforcement
- The compiler enforces casting rules, …
Enforcement of language rules: bytecode verifier
A mini theorem prover that checks that:
- The class file has the correct format.
- Final classes are not subclassed and final methods are not overridden.
- Every class has a single superclass.
- There is no illegal data conversion of primitive types.
- There is no illegal data conversion of objects.
- There are no operand stack overflows or underflows.
Java has a data stack (for methods) and an operand
[Figure: layered view of Program Code, Java API and Native Libraries, with the Security Manager and the Access Controller mediating between them.]
Example:

    import java.applet.*;

    public class MaliciousApplet extends Applet {
        public void init() {
            try {
                // Security exception if run as an applet.
                // No exception if run as an application, but the directory is deleted.
                Runtime.getRuntime().exec("rmdir foo");
            } catch (Exception e) {
                System.out.println(e);
            }
        }

        public static void main(String args[]) {
            MaliciousApplet a = new MaliciousApplet();
            a.init();
        }
    }

Run as an applet, the exec call raises a SecurityException. Run as an application (through main), there is no exception, but you end up deleting a directory.
Java 2 Platform Security: Security Manager
Java API algorithm for a potentially dangerous operation:
1. The program makes a request to the Java API.
2. The Java API asks the security manager whether the request is allowed.
3. If not, the security manager throws a SecurityException, which the Java API propagates back to the program.
4. Otherwise, the Java API completes the operation and returns normally.
- Code holding the runtime permission createSecurityManager can create a SecurityManager object; installing it with System.setSecurityManager additionally requires the runtime permission setSecurityManager.
- The SecurityManager class provides a complete implementation of the sandbox.
- This is the one you install by passing the -Djava.security.manager option to a Java application.
- Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.
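The four-step algorithm above, as an added example (not code from the slides): a custom SecurityManager that refuses every checkExec call is installed, and a wrapper around Runtime.exec shows the SecurityException coming back to the program. The manager deliberately permits everything else so the rest of the demo can run; that is an illustration shortcut, not how a real manager should be written. It needs a JDK that still allows installing a manager: Java 17 or earlier, or Java 18 to 23 started with -Djava.security.manager=allow. The class names and the command "true" are the example's own.

```java
import java.io.IOException;
import java.security.Permission;

public class ExecGuardDemo {

    /** Illustrative manager: vetoes every exec request, permits everything else. */
    static final class NoExecManager extends SecurityManager {
        @Override
        public void checkExec(String cmd) {
            throw new SecurityException("exec denied: " + cmd);
        }
        // Shortcut so the rest of the demo (printing, exiting) is not blocked.
        @Override
        public void checkPermission(Permission perm) { }
        @Override
        public void checkPermission(Permission perm, Object context) { }
    }

    /**
     * Step 1: the program asks the Java API to run a command.
     * Steps 2 to 4 happen inside ProcessBuilder.start(), to which Runtime.exec delegates:
     * it calls SecurityManager.checkExec(cmd) (step 2); a SecurityException thrown there
     * propagates back to this caller (step 3); otherwise the process is started (step 4).
     */
    static String tryExec(String cmd) {
        try {
            Process p = Runtime.getRuntime().exec(new String[] { cmd });
            p.waitFor();
            return "completed";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } catch (IOException | InterruptedException e) {
            return "not run: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("no manager installed -> " + tryExec("true"));
        // Installing a manager requires RuntimePermission("setSecurityManager");
        // with no manager installed yet, that check trivially passes.
        System.setSecurityManager(new NoExecManager());
        System.out.println("NoExecManager installed -> " + tryExec("true"));
    }
}
```

The same call sequence is what protected MaliciousApplet's victim in the appletviewer: the applet never reached the operating system, because Runtime.exec consulted the installed manager first.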
Security Manager Methods
- File access: reading, writing, deleting.
- Network access: socket creation and use. Prevents a rogue applet from connecting to a third machine over the network, or from collecting network information and handing it back to the web server.
- Protection of the virtual machine.
- Protection of threads.
- Protection of system resources, e.g. untrusted classes cannot print or access the clipboard.
- Protection of security aspects, e.g. access to classes, packages, …
Java 2 Platform Security: Access Controller
The Access Controller is built upon:
- Code sources: where did the code come from.
- Permissions
- Policies
- Protection domains
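The building blocks named in the Java Sandbox slide and again here (permissions, code sources, protection domains, policy entries), as an added example that is not from the slides: the protection domain that one policy entry would create is built in memory and queried for several permissions, so the implication rules (a read grant does not imply write, a grant on one directory tree does not cover another, a grant on one system property does not cover others) are visible without installing a security manager. The URL, paths and property names are invented for the example.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class SandboxModel {

    /*
     * Policy-file entry this domain corresponds to (for reference; built in memory below):
     *
     *   grant codeBase "http://example.com/applets/-" {
     *       permission java.io.FilePermission "/tmp/scratch/-", "read";
     *       permission java.util.PropertyPermission "java.version", "read";
     *   };
     */
    static ProtectionDomain remoteDomain() throws Exception {
        // Code source: where the class came from; null certificates = unsigned code.
        CodeSource source = new CodeSource(
                URI.create("http://example.com/applets/demo.jar").toURL(), (Certificate[]) null);

        // Permissions the policy grants to that code source.
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/tmp/scratch/-", "read"));
        granted.add(new PropertyPermission("java.version", "read"));

        // Protection domain: the association of the permissions with the code source.
        return new ProtectionDomain(source, granted);
    }

    /** The question the access controller asks for every protection domain on the call stack. */
    static boolean allowed(ProtectionDomain domain, Permission requested) {
        return domain.implies(requested);
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain pd = remoteDomain();
        Permission[] requests = {
            new FilePermission("/tmp/scratch/notes.txt", "read"),   // inside the granted tree, granted action
            new FilePermission("/tmp/scratch/notes.txt", "write"),  // granted tree, but write was never granted
            new FilePermission("/etc/passwd", "read"),              // outside the granted tree
            new PropertyPermission("java.version", "read"),         // exactly the granted property
            new PropertyPermission("user.home", "read"),            // a different property
        };
        for (Permission p : requests) {
            System.out.println(p + " -> " + (allowed(pd, p) ? "allowed" : "denied"));
        }
    }
}
```

When a security manager is installed, AccessController.checkPermission performs this implies() test for every protection domain on the current call stack and throws AccessControlException as soon as one domain fails, which is why code loaded from a remote URL cannot gain a permission by calling into a more trusted class.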