Mechanisms for Secure Modular Programming in Java
1. Lujo Bauer
2. Andrew W. Appel
3. Edward W. Felten
Theme of the Paper
To provide a new module system for Java that remedies deficiencies of the Java package system.
To emphasize the need for modular systems rather than purely object-oriented software systems.
Deficiencies in the Java Package System
Limited ability to control access to their member classes.
No explicit interfaces.
No support for multiple views of a module.
Problems with dynamic linking.
Solution to the Problem
ML-style hierarchical module system
o Provides explicit interfaces
o Multiple views of a module
More control over the external modules with which the code is linked
Module System
Source files
Module description file: Export Interface, Membership List, Import Statement
Example: a Codegen module and its module description

Export Interface: Access, AccessList, Codegen, Frame, Proc
Membership List: Access.java, AccessList.java, Codegen.java, Frame.java, Proc.java
Import Interface: ../Tree/, ../Temp/, ../Assem/, ../Util

Codegen.java:

    // Codegen.java: depends on Frame, Tree.Stm and Assem.InstrList from the imported modules
    abstract class Codegen {
        Frame frame;
        abstract Assem.InstrList codegen(Tree.Stm stm);
    }
Fixing Java Packages
Export Interfaces
– Explicit export interfaces
» The Java package system lacks this feature
Membership List
– A deficiency of the Java package system allows malicious code to become part of a trusted application.
Fixing Java PackagesFixing Java Packages
Attack scenario in the Java package system:
Package: Class1.java, Class2.java, Class3.java, Class4.java
Malicious code (MaliciousCode.java) is added to the same package and becomes a member alongside the trusted classes.
Fixing Java Packages
Hierarchical Scalability and Multiple Interface
Multiple views of a module are possible.
Example
Module M can have views V1 and V2 giving access to classes A, B, C and A, D respectively.
Module M0: exporting A, B, C, and D
Multiple views of module M0:
Module M1: importing M0.A, M0.B, M0.C
Module M2: importing M0.A, M0.D
Fixing Java Packages
Name-space management
– Java packages are named, so naming merely lifts the problem to the package level. Example:
We can have a clash between two classes both called Util.Parser.
Solution:
The module system assigns the names via import statements.
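The three parts of a module description file, the membership list that closes the attack scenario above, the two views M1 and M2 of module M0, and the import-statement naming that resolves the Util.Parser clash, modelled together as an added example. This is illustrative Python written for these slides, not the paper's tool or its syntax; the module names, file names, paths and the "lib/xml/Util" and "lib/json/Util" libraries are constructed.

```python
from dataclasses import dataclass, field


class LinkError(Exception):
    """Raised when a module description is violated at link time."""


@dataclass
class ModuleDescription:
    # Modelled on the three parts of a module description file in the slides.
    name: str
    members: set                                   # membership list: source files that may belong
    exports: set                                   # export interface: classes visible to importers
    imports: dict = field(default_factory=dict)    # import statements: local name -> "path.Class"


def check_membership(mod, class_files):
    """Reject any class file the membership list does not name, closing the hole
    through which a stray class can join a Java package."""
    strangers = sorted(set(class_files) - mod.members)
    if strangers:
        raise LinkError(f"{mod.name}: {strangers} are not on the membership list")
    return True


def resolve_imports(importer, modules):
    """Bind each import to an exported class. The importer chooses the local name,
    so two modules that both export a class called Parser never clash."""
    env = {}
    for local, target in importer.imports.items():
        path, cls = target.rsplit(".", 1)
        exporter = modules.get(path)
        if exporter is None:
            raise LinkError(f"{importer.name}: no module at {path}")
        if cls not in exporter.exports:
            raise LinkError(f"{importer.name}: {target} is not in the export interface")
        env[local] = (path, cls)
    return env


def view(importer, modules):
    """The set of foreign classes visible inside `importer`: its view of the others."""
    return {f"{path}.{cls}" for path, cls in resolve_imports(importer, modules).values()}


def link_all(modules):
    """Resolve every module's imports; returns module name -> import environment."""
    return {name: resolve_imports(mod, modules) for name, mod in modules.items()}


# Constructed modules (hypothetical names): M0 with two views (M1 and M2), and two
# libraries that both export a class named Parser, imported under distinct local names.
MODULES = {
    "M0": ModuleDescription("M0", members={"A.java", "B.java", "C.java", "D.java"},
                            exports={"A", "B", "C", "D"}),
    "M1": ModuleDescription("M1", members={"Main.java"}, exports={"Main"},
                            imports={"A": "M0.A", "B": "M0.B", "C": "M0.C"}),
    "M2": ModuleDescription("M2", members={"Main.java"}, exports={"Main"},
                            imports={"A": "M0.A", "D": "M0.D"}),
    "lib/xml/Util": ModuleDescription("lib/xml/Util", members={"Parser.java"}, exports={"Parser"}),
    "lib/json/Util": ModuleDescription("lib/json/Util", members={"Parser.java"}, exports={"Parser"}),
    "App": ModuleDescription("App", members={"App.java"}, exports={"App"},
                             imports={"XmlParser": "lib/xml/Util.Parser",
                                      "JsonParser": "lib/json/Util.Parser"}),
}


if __name__ == "__main__":
    for name in ("M1", "M2", "App"):
        print(name, "sees", sorted(view(MODULES[name], MODULES)))
    check_membership(MODULES["M0"], ["A.java", "B.java"])
    try:
        check_membership(MODULES["M0"], ["A.java", "Intruder.java"])
    except LinkError as e:
        print("rejected:", e)
```

M1 and M2 end up with different views of the same module M0 without M0 knowing about either, and App refers to the two Parser classes by local names it chose itself, which is the point of assigning names at the import statement rather than in the exporter.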
Secure Linking
Java uses type checking for secure dynamic linking
– Problem: type checking only guarantees that programs and libraries at least agree on the types they are using.
Java uses code signatures when a system must trust the behavior of a particular executable.
– Problem: in this scheme, too, we know nothing about the properties of the code.
Solution:
– We allow the programmer to require certain properties of the modules on which his code depends.
– The properties our system supports are keywords about the behavior of the code.
– It cryptographically hashes the triple <byte code, module description, property name>.
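The secure-linking idea above, as an added example (not the paper's implementation): a digest over the triple <byte code, module description, property name> stands in for a property certificate, the importer names the properties it requires, and linking fails if any of them is not certified for exactly this code. The fake class file bytes, the module description text, the property name "no-file-io" and the signature table are all constructed for the example; SHA-256 is this example's choice of hash, not necessarily the paper's.

```python
import hashlib


class LinkError(Exception):
    """Raised when a required property of an imported module is not certified."""


def property_digest(bytecode, module_description, property_name):
    """SHA-256 over the triple <byte code, module description, property name>.
    Each part is length-prefixed so bytes cannot be shifted between fields
    while keeping the same digest."""
    h = hashlib.sha256()
    for part in (bytecode, module_description.encode(), property_name.encode()):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def certify(certificates, bytecode, module_description, property_name):
    """Whoever has established the property (a reviewer, a static analysis)
    records its digest; the set stands in for signed certificates."""
    certificates.add(property_digest(bytecode, module_description, property_name))


def types_agree(importer_expects, exporter_declares):
    """Ordinary type checking: only checks that both sides agree on signatures."""
    return all(exporter_declares.get(k) == v for k, v in importer_expects.items())


def link(certificates, bytecode, module_description, required):
    """Secure linking: every property the importer requires must be certified
    for exactly this byte code and this module description."""
    missing = [p for p in required
               if property_digest(bytecode, module_description, p) not in certificates]
    if missing:
        raise LinkError(f"uncertified properties: {missing}")
    return True


# Constructed sample data (none of it from the paper): a fake class file,
# a hypothetical module description and a hypothetical property keyword.
BYTECODE = b"\xca\xfe\xba\xbe" + b"\x00" * 28
DESCRIPTION = "module Parser\n  export Parser\n  members Parser.java\n"
PROPERTY = "no-file-io"
SIGNATURES = {"Parser.parse": "(Ljava/lang/String;)LTree;"}


def demo():
    """Returns (linked_ok, tampered_still_type_checks, tampered_rejected)."""
    certs = set()
    certify(certs, BYTECODE, DESCRIPTION, PROPERTY)
    ok = link(certs, BYTECODE, DESCRIPTION, [PROPERTY])
    tampered = BYTECODE[:-1] + b"\x01"          # one byte changed; declared types unchanged
    still_type_checks = types_agree(SIGNATURES, SIGNATURES)
    try:
        link(certs, tampered, DESCRIPTION, [PROPERTY])
        rejected = False
    except LinkError:
        rejected = True
    return ok, still_type_checks, rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The contrast is the one the slide draws: after the byte code is altered, type checking still passes because the signatures did not change, while the property check fails because the digest no longer matches anything certified.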
Implementation
Pipeline: module description file and Java source -> Java compiler -> byte code -> Trf 1 -> Trf 2 -> Trf 3 -> class loader -> JVM
(Trf = Transform)
Execution in the Virtual Machine
Dynamic linking in the JVM is managed by the class loader.
A request to load a class may be allowed on the basis of the digital signature of the class.
The class loader of the system described uses the module description file to set up the appropriate environment.
Class loader manipulation leads to security problems, and the type system can be broken.
– Newer JVMs have stricter namespace management policies.
» The machine verifies that the encoded name of the class (returned by the loadClass request) matches the name with which loadClass was invoked.
Problem:
In our module system, identifiers for class names bear very little resemblance to the actual package names they refer to.
Solution:
Rewrite the byte code, replacing the symbolic name with the actual name.
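The loader check and the byte-code rewriting from the last two slides, as an added example that is not part of the paper: class references are modelled as constant-pool entries holding module-local symbolic names, a loader in the style of the stricter JVM rejects any class whose encoded name differs from the requested one, and the rewriting pass replaces each symbolic name with the actual name fixed by the import environment so that the check passes. The symbolic names follow the Codegen example earlier in the slides; the actual names such as "tiger.frame.Frame", the constant-pool layout and the loader are all constructed for this example.

```python
class LinkError(Exception):
    """Raised when a class reference cannot be linked."""


def rewrite_class_refs(constant_pool, env):
    """Replace every symbolic class name in the constant pool with the actual
    (package-qualified) name that the module's import statements bound it to."""
    rewritten = []
    for entry in constant_pool:
        if entry["tag"] != "Class":
            rewritten.append(entry)
            continue
        sym = entry["name"]
        if sym not in env:
            raise LinkError(f"unresolved class reference {sym}")
        rewritten.append({"tag": "Class", "name": env[sym]})
    return rewritten


class Loader:
    """Model of a namespace-checking class loader: the name encoded in the
    returned class must equal the name loadClass was invoked with."""

    def __init__(self, classes, env):
        self.classes = classes      # actual name -> class record {"name": actual}
        self.env = env              # symbolic name -> actual name

    def load_class(self, requested):
        actual = self.env.get(requested, requested)     # a lenient loader would remap here
        cls = self.classes.get(actual)
        if cls is None:
            raise LinkError(f"no class {actual}")
        if cls["name"] != requested:                     # the stricter JVM check
            raise LinkError(f"loader returned {cls['name']} for request {requested}")
        return cls


def link_pool(loader, constant_pool):
    """Load every class referenced from the pool, as the JVM does while linking."""
    return [loader.load_class(e["name"]) for e in constant_pool if e["tag"] == "Class"]


# Constructed data (hypothetical actual names): the import environment of a
# Codegen module and a tiny constant pool from its Codegen class.
ENV = {
    "Frame": "tiger.frame.Frame",
    "Tree.Stm": "tiger.tree.Stm",
    "Assem.InstrList": "tiger.assem.InstrList",
}
CLASSES = {actual: {"name": actual} for actual in ENV.values()}
POOL = [
    {"tag": "Class", "name": "Frame"},
    {"tag": "Utf8", "value": "codegen"},
    {"tag": "Class", "name": "Tree.Stm"},
]


def demo():
    """Returns (rejected_before_rewrite, actual_names_linked_after_rewrite)."""
    loader = Loader(CLASSES, ENV)
    try:
        link_pool(loader, POOL)          # symbolic "Frame" != encoded "tiger.frame.Frame"
        rejected_before = False
    except LinkError:
        rejected_before = True
    fixed = rewrite_class_refs(POOL, ENV)
    names_after = [c["name"] for c in link_pool(loader, fixed)]
    return rejected_before, names_after


if __name__ == "__main__":
    print(demo())   # (True, ['tiger.frame.Frame', 'tiger.tree.Stm'])
```

Before rewriting, the loader's remapping produces a class whose encoded name is not the one asked for, exactly the mismatch the stricter namespace check is there to catch; after rewriting, the byte code itself names the actual classes and no remapping is needed.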