CSE300
IFIP98-1.1
Security Capabilities and Potentials of Java

D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting
Computer Science & Engineering Department
The University of Connecticut, Storrs, Connecticut 06269-3155
{debs,steve,cecilia,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818
Overview of Presentation

Background and Motivation
  Enterprise Computing and Security
  Emergence of Java
  An Overview of Java
Security Capabilities of Java
User-Role Based Security (URBS) and Java
Advanced Security Features and URBS
Concluding Remarks and Future Work
Enterprise Computing and Security
C/S and Distributed Object Computing

Authentication
  Is the Client who S/he Says they are?
Authorization
  Does the Client have Permission to do what S/he Wants?
Privacy (Confidentiality of the Channel)
  Is Anyone Intercepting Client/Server Communications?
Enforcement Mechanism
  Centralized and Distributed "Code" Enforces the Security Policy at Runtime
Enterprise Computing and Security (continued)
C/S and Distributed Object Computing

Assurance
  Are the Security Privileges for Each Client Adequate to Support their Activities?
  Do the Security Privileges for Each Client Meet but Not Exceed their Capabilities?
  Least-Privilege Principle: Just Enough Access
Consistency
  Are the Defined Security Privileges for Each Client Internally Consistent?
  Are the Defined Security Privileges for Related Clients Globally Consistent?
  Mutual-Exclusion: Read for Some, Write for Others
Emergence of Java

Java is Emerging as the OO Language of Choice
  Java's Pervasiveness in Educational Institutions, from Freshman to Graduate Courses
  Java's Utilization in ...
    Distributed Internet-Based Applications of All Types
    Legacy/COTS Integration for Enterprise Computing
    General-Purpose, Single-CPU Development
Distributed Object Computing Must Consider Security as a First-Class Citizen
  Exploit the Java Security API and URBS?
An Overview of Java

Java is a Third Generation, General Purpose, Platform Independent, Concurrent, Class-Based, Object-Oriented Language and Environment
Java Composed of JDK and JRE
  Java Language
  Java Packages (Libraries)
  javac Compiler to Bytecode (p-code)
  JDB Java Debugger
  Java Interpreter - Platform Specific
JDK: Java Development Kit
  http://www.javasoft.com/products/jdk/1.2/
JRE: Java Runtime Environment
  http://www.javasoft.com/products/jdk/1.2/jre/index.html
Java Visualization (figure)
The Java API Packages

Application Programming Interface (API)
  Java Defined - Building Blocks/Libraries
  Java Platform 1.2 Core API:
    java.applet, java.awt, java.awt.datatransfer, java.awt.event, java.awt.image, java.beans, java.io, java.lang, java.lang.reflect, java.math, java.net
    java.rmi, java.rmi.dgc, java.rmi.registry, java.rmi.server, java.security, java.security.acl, java.security.interfaces, java.sql, java.text, java.util, java.util.zip
Focus on java.security
Security Capabilities of Java
Sandbox and Applet Level Security

Downloaded Applets are Confined to a Targeted Portion of the System During Execution
  Execution of Untrusted Code in a Trusted Way
What is the Sandbox?
  Area of the Web Browser Dedicated to the Applet
  Applet Limited to the Sandbox to Prohibit Access to the Local Machine/Environment
  Utilizes the Class Loader, Bytecode Verifier, and Security Manager
  These Three Components Maintain System Integrity
How Does this Occur?
Security Capabilities of Java (continued)

Class Loader - Only Loads Correct Classes (Separate Namespaces for Local and Downloaded Code)
Bytecode Verifier - Classes in Correct Format (Type-Safe Bytecode; No Stack Underflow, Forged Pointers or Illegal Casts)
Security Manager - Untrusted Classes Can't Execute Dangerous Instructions nor Access Protected System Resources
Role of Security Managers
  Enforces the Boundaries of the Sandbox
  Java Library Classes Ask the Manager for Permission Before Performing Sensitive Operations (File, Network, Process, Property Access)
  Implements/Imposes the Application Security Policy
  java.lang.SecurityManager is a Class (not an Interface) that Users Subclass to Customize the Policy
  Integrated with Exception Handling of Java: a Denied Check Throws a SecurityException in the Caller
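To make the permission check concrete, here is an added example that is not from the slides and not the JDK's default manager: a SecurityManager subclass that confines file writes and deletes to one directory. The class name SandboxManager, the sandbox directory, and the decision to grant every non-file permission are assumptions for the demonstration. java.lang.SecurityManager was deprecated for removal in Java 17 and permanently disabled in Java 24 (JEP 486); on Java 18 to 23 the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed.

```java
import java.io.FilePermission;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;

/**
 * Demo sandbox policy (an assumption for this example, not the JDK default policy):
 * file writes and deletes are allowed only below one sandbox directory;
 * every other permission request is granted so the JVM itself keeps working.
 */
public class SandboxManager extends SecurityManager {
    private final Path sandboxRoot;

    public SandboxManager(Path sandboxRoot) {
        this.sandboxRoot = sandboxRoot.toAbsolutePath().normalize();
    }

    /** Library code (FileOutputStream, Files.write, File.delete, ...) ends up here with a FilePermission. */
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission && modifies(perm.getActions()) && !insideSandbox(perm.getName())) {
            throw new SecurityException("write outside sandbox denied: " + perm.getName());
        }
        // read, network, property, thread and reflection requests are allowed in this demo
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    private static boolean modifies(String actions) {
        return actions.contains("write") || actions.contains("delete");
    }

    private boolean insideSandbox(String name) {
        if (name.equals("<<ALL FILES>>")) return false;            // wildcard for every file on the system
        String plain = name.replaceAll("[/\\\\][*-]$", "");       // drop the "dir/*" and "dir/-" wildcards
        return Paths.get(plain).toAbsolutePath().normalize().startsWith(sandboxRoot);
    }

    public static void main(String[] args) throws Exception {
        Path sandbox = Files.createTempDirectory("sandbox");        // created before the manager is installed
        Path outside = sandbox.getParent().resolve("escape.txt");
        System.setSecurityManager(new SandboxManager(sandbox));

        Files.write(sandbox.resolve("ok.txt"), "inside".getBytes(StandardCharsets.UTF_8));   // permitted
        System.out.println("wrote " + sandbox.resolve("ok.txt"));
        try {
            Files.write(outside, "outside".getBytes(StandardCharsets.UTF_8));                // denied by the policy
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The second Files.write never reaches the file system: Files.write asks the installed manager via checkWrite, which funnels into checkPermission with a FilePermission carrying the "write" action, and the SecurityException propagates to the caller. A real policy also has to look at who is asking; the JDK's default SecurityManager delegates to AccessController, which walks the call stack so that library code running on behalf of untrusted code is not granted more than the untrusted caller has.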
Security Capabilities of Java
Digital Signatures and JAR Files

When Can Applets Become Applications?
  Trusted Publisher (Originator of Applet) Signs the Applet
  Signed Applet is Authenticated: the Signature Proves Who Published It and that It Was Not Modified Afterwards
  Java Security Manager May Allow the Applet out of the Sandbox to Run as an Application
  Caveat: a Valid Signature Says Nothing about Whether the Code Is Safe; an Applet Let Out of the Sandbox Runs with the User's Full Privileges
How is Information Transmitted and Exchanged?
  JAR: Archived (Compressed) Files
  Bundling of Code/Data into a Java Archive
  Associated Digital Signature for Verification
  Transmission via Object Serialization
Security Capabilities of Java
Message Digest and Key Management

Message Digest
  One-Way Hash: a Short, Fixed-Length Fingerprint of a Message, Far Cheaper to Compute than a Public-Key Operation
  Digital Signature = the Digest of the Message Signed with the Publisher's Private Key (the Whole Message Is Not Encrypted)
  Message Digest Algorithms (MD5, SHA, ...) via java.security.MessageDigest; MD5 and SHA-1 Are No Longer Collision Resistant, Use SHA-256 or Stronger Today
Key Management
  Integrated Key Management for Java Programs and Applets
  Ability to Encode/Decode Keys
  Java API for Generating, Certifying, and Manipulating Keys (KeyPairGenerator, KeyStore, keytool)
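The slide's point about digests and signed JARs, shown in an added example that is not from the slides or the JDK documentation: a constructed byte string stands in for the applet bytes a publisher ships; it is hashed with SHA-256 through java.security.MessageDigest, then signed and verified with SHA256withRSA through java.security.Signature. The key pairs, the sample bytes and the "impostor" publisher are constructed for the demonstration, and current algorithm names replace the MD5/SHA-1 of the 1998 JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;

/** Digest versus signature over the bytes a publisher ships (e.g. the contents of a JAR). */
public class DigestAndSignature {

    /** Fixed-length fingerprint; anyone can recompute it, so it detects accidental change, not forgery. */
    static byte[] digest(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Publisher key pair: the private key stays with the publisher, the public key ships to the verifier. */
    static KeyPair publisherKeys() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** "SHA256withRSA" hashes the data and signs the digest with the private key in one step. */
    static byte[] sign(byte[] data, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    /** Recomputes the digest of the received data and checks the signature against the public key. */
    static boolean verify(byte[] data, byte[] sig, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads standing in for the bytes of a downloaded applet
        byte[] applet = "class HelloApplet { }".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "class EvilApplet  { }".getBytes(StandardCharsets.UTF_8);

        System.out.println("digest(applet)   = " + hex(digest(applet)));
        System.out.println("digest(tampered) = " + hex(digest(tampered)));
        System.out.println("digests differ   : " + !Arrays.equals(digest(applet), digest(tampered)));

        KeyPair publisher = publisherKeys();
        KeyPair impostor = publisherKeys();
        byte[] sig = sign(applet, publisher.getPrivate());

        System.out.println("genuine bytes, publisher signature : " + verify(applet, sig, publisher.getPublic()));
        System.out.println("tampered bytes, publisher signature: " + verify(tampered, sig, publisher.getPublic()));
        // An impostor can compute a correct digest of anything, but only the publisher's private key
        // produces a signature that the publisher's public key accepts
        byte[] forged = sign(tampered, impostor.getPrivate());
        System.out.println("tampered bytes, impostor signature : " + verify(tampered, forged, publisher.getPublic()));
    }
}
```

The three verify calls separate integrity from authenticity: the publisher's signature verifies only over the exact bytes it was computed for, and a signature made with any other key fails even though the digest it covers is correct. What the example does not settle is trust in the public key itself, which is why signed JARs carry certificates and the verifier consults a key store.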
Security Capabilities of Java
Access Control Lists (ACLs)

Control Access to Resources by Permissions
Classical Security Technique for Protecting Resources
  Data Structure to Protect Resources
  SE Defines Read/Write Permissions Based on Users and User Groups
  Manipulation of a List of Access Privileges
  Supports Negative and Positive Permissions
  Paradigm of Individual vs. Group: Individual Permissions Override Group Permissions
See Paper for Detailed Discussion and References
User-Role Based Security and Java

Public Interface is the Union of All Privileges for All Potential Users
  No Explicit Way to Prohibit Access
Customizable Public Interface of Class
  Access to the Public Interface is Variable and Based on User Needs and Responsibilities
  Only Give Exactly What's Needed and No More

    public class PatientRecord {
        private String history, prescription, diagnosis;   // private data/methods as needed
        private int insurance_mode;
        public void write_medical_history(String h) { history = h; }     // for MDs only
        public void write_prescription(String p) { prescription = p; }   // for MDs only
        public String get_medical_history() { return history; }         // for MDs and Nurses
        public String get_diagnosis() { return diagnosis; }             // for MDs and Nurses
        public void set_payment_mode(int mode) { insurance_mode = mode; } // for Admitting
        // etc...
    }
User-Role Subclassing Approach in Java

    public class PatientRecord {
        private String history, prescription, diagnosis;   // private data/methods
        private int insurance_mode;
        public void write_medical_history(String h) { history = h; }
        public void write_prescription(String p) { prescription = p; }
        public String get_medical_history() { return history; }
        public String get_diagnosis() { return diagnosis; }
        public void set_payment_mode(int mode) { insurance_mode = mode; }
    }

    public class Nurse_PatientRecord extends PatientRecord {
        // Turned-off methods are overridden with no-ops
        public void write_medical_history(String h) { return; }
        public void write_prescription(String p) { return; }
        public void set_payment_mode(int mode) { return; }
    }

    public class MD_PatientRecord extends PatientRecord {
        public void set_payment_mode(int mode) { return; }
    }

• Subclasses of PatientRecord Turn Off the Methods Not Available to that Role
• Software Creates a Nurse_PatientRecord or MD_PatientRecord Instance for the Logged-In User
• Method Calls Against the Subclass Do Nothing for Turned-Off Methods (the Override is a No-Op), Even When Made Through a PatientRecord Reference
• GUI Tool Works Differently Based on User Role with the Same Code
• Caveat: the Restriction Holds Only if Tool Code Cannot Construct a Plain PatientRecord Itself; Package Visibility (see Packages in Java) Is Needed to Enforce This
A Basic Exception Approach in Java

    // Checked exception raised when the current user role may not execute a method
    public class Unauthorized_UR extends Exception { }

    // Holds the role of the logged-in user; set once at login
    public class Current_User {
        private static String role;
        public static void Set_User_Role(String r) { role = r; }
        public static String Get_User_Role() { return role; }
    }

    public class PatientRecord { // other private data has been omitted
        private int Insurance_Mode;

        public void set_payment_mode(int mode) {
            Insurance_Mode = set_int_check_valid_UR("Admitting", Insurance_Mode, mode);
        }

        // Returns new_value if Current_User holds required_UR, otherwise old_value unchanged
        public int set_int_check_valid_UR(String required_UR, int old_value, int new_value) {
            try {
                // See if Current_User can execute method
                check_UR(required_UR);
            }
            // catch block to process raised exceptions
            catch (Unauthorized_UR UR_Exception) {
                System.out.println("Attempt to access by unauthorized UR");
                return old_value;    // leave the value unchanged on an unauthorized call
            }
            return new_value;
        }

        public void check_UR(String required_UR) throws Unauthorized_UR {
            // Incomplete - only to illustrate the concepts!!!
            if (!required_UR.equals(Current_User.Get_User_Role()))
                throw new Unauthorized_UR();    // raises exception
        }
    }

Once the Current_User is Set, the Rest of the Tool Code Works without that Knowledge
Thus, Software Engineers Don't Need to Know or See the DAC/URBS Details!!
Exploit Exception Handling for Dynamic Behavior of the Tool by Role
Applicability of URBS Approaches

All Supported by C++, Eiffel, and Ada95
User-Role Subclassing Approach
  Requires the SW Engineer to Understand URBS
  Supported by Java
Basic Exception Approach
  Minimizes SW Engineer Exposure to URBS
  Elegant in Java Due to Exceptions
User-Role Class Library Approach (not shown)
  Requires Multiple Inheritance
  Unsupported in Java - only Design-Level Multiple Inheritance via Interfaces
Generic Exception Approach (not shown)
  Exceptions plus Generics Improve Reuse
  Unsupported in Java - no Templates (true of JDK 1.2; generics arrived in Java 5)
Advanced Security Features and URBS

Focus on the Potentials of Java
  What Other Aspects of Java Can be Exploited?
    Packages in Java
    Access Control Lists in the java.security API
    The Class Class in the java.lang API
    Aglets - Java Agents
  Examine the Ability of the Above to Support URBS
  Leverage Advanced Features to Enhance and Strengthen URBS Approaches
  Utilize Advanced Features as a Starting Point to Explore New Security Solutions
Packages in Java

Allows Related Classes to be Grouped into a Larger Abstraction
  Similar to Ada95 Packages
  E.g., Package PatientInfo Contains Prescription, PatientGUI, PatientRecord, ...
Utilization of Packages for URBS
  URSA (User-Role Subclassing Approach) - Form a Package of PatientRecord, MD_PatientRecord and Nurse_PatientRecord
  Declare PatientRecord without the public Modifier (Package-Private); Only the MD_ and Nurse_ Subclasses are Visible Outside the Package
  Caveat: Package-Private Visibility Is a Compile-Time Control; Code Dropped into the Same Package Name (Unless the JAR Is Sealed) or Using Reflection Can Still Reach PatientRecord
Overall, Packages Enhance the Control and Visibility to Fine-Tune Who Can See What When
Access Control Lists in the java.security.acl API

ACLs Can be Utilized to Control Method Access
  ACL Composed of ACL Entries
  ACL Entry: Set of Permissions (Allowable Method Accesses) for Each UR (the Entry's Principal)
  Utilize ACLs as the Implementation Vehicle for URSA, BEA, and Other Approaches
java.security.acl.Acl and AclEntry Provide the Following:
  addEntry() and removeEntry()
  checkPermission(): Can the UR Utilize the Method?
  addPermission(), checkPermission(), and removePermission() on an AclEntry
  setPrincipal(): the UR for which Permissions (Methods) are Assigned; setNegativePermissions() Makes the Entry a Prohibition
  Etc...
Caveat: java.security.acl Was Deprecated in Java 9 and Removed in Java 14; Current Code Must Supply Its Own ACL Types or Use java.security.Permission with a Policy
The Class Class in the java.lang API

Class and Object Classes Contain Meta-Data
  Methods Defined that Apply to All System and User Defined Classes
  Class has Methods that Return the List of Public Methods (getMethods()), Member Variables (getFields()), etc.
Utilization of the Class Class for URBS
  For All Approaches, Dynamically Retrieve All Public Methods for Verifying UR Permissions
  In Conjunction with ACLs, a Powerful Tool to Dynamically Enforce UR Permissions When
    Assigned/Prohibited Methods Change
    Application Classes Evolve or Are Added
Simplifies Maintenance of the Security Policy
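The following added example combines the ACL slide and the Class slide above. It is not from the slides, and it does not use the java.security.acl package (deprecated in Java 9, removed in Java 14); instead it implements a method-level ACL with the same resolution rules (individual entries override group entries, a negative entry overrides a positive one) and checks it through reflection against the public methods of a PatientRecord class. The Role, RoleGroup, MethodAcl and MethodAclEntry types, the "Clinical" group, and the PatientRecord methods (including dischargePatient, added to show a policy gap) are all constructed for this illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Predicate;

/** A user role as a Principal ("MD", "Nurse", "Admitting"); constructed for this example. */
final class Role implements Principal {
    private final String name;
    Role(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof Role && ((Role) o).name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

/** A group of roles, the analogue of java.security.acl.Group. */
final class RoleGroup implements Principal {
    private final String name;
    private final Set<Principal> members;
    RoleGroup(String name, Principal... members) { this.name = name; this.members = new HashSet<>(Arrays.asList(members)); }
    @Override public String getName() { return name; }
    boolean isMember(Principal p) { return members.contains(p); }
}

/** One ACL entry: method names granted (positive) or prohibited (negative) to one principal. */
final class MethodAclEntry {
    final Principal principal; final boolean negative; final Set<String> methods;
    MethodAclEntry(Principal principal, boolean negative, String... methods) {
        this.principal = principal; this.negative = negative; this.methods = new HashSet<>(Arrays.asList(methods));
    }
    boolean appliesTo(Principal user) {
        return principal.equals(user) || (principal instanceof RoleGroup && ((RoleGroup) principal).isMember(user));
    }
}

/** Method-level ACL with the java.security.acl resolution order. */
final class MethodAcl {
    private final List<MethodAclEntry> entries = new ArrayList<>();

    void addEntry(MethodAclEntry e) { entries.add(e); }

    /** Individual entries are consulted first; at each level a negative entry wins over a positive one. */
    boolean checkPermission(Principal user, String method) {
        Boolean individual = decide(method, e -> e.principal.equals(user));
        if (individual != null) return individual;
        Boolean group = decide(method, e -> !e.principal.equals(user) && e.appliesTo(user));
        return group != null && group;
    }

    /** FALSE if a matching negative entry names the method, TRUE if a positive one does, null if none mention it. */
    private Boolean decide(String method, Predicate<MethodAclEntry> level) {
        Boolean result = null;
        for (MethodAclEntry e : entries) {
            if (!level.test(e) || !e.methods.contains(method)) continue;
            if (e.negative) return Boolean.FALSE;
            result = Boolean.TRUE;
        }
        return result;
    }

    /** Reflection audit: public methods of clazz that no entry for this user mentions (gaps after the class evolves). */
    Set<String> unmentioned(Class<?> clazz, Principal user) {
        Set<String> gaps = new TreeSet<>();
        for (Method m : clazz.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers()) || m.isSynthetic()) continue;
            if (entries.stream().noneMatch(e -> e.appliesTo(user) && e.methods.contains(m.getName()))) gaps.add(m.getName());
        }
        return gaps;
    }

    /** Dynamic enforcement: invoke a public method on target only if the ACL permits it for user. */
    Object invoke(Principal user, Object target, String method, Object... args) throws ReflectiveOperationException {
        if (!checkPermission(user, method)) throw new SecurityException(user + " may not call " + method);
        for (Method m : target.getClass().getMethods()) {
            if (m.getName().equals(method) && m.getParameterCount() == args.length) return m.invoke(target, args);
        }
        throw new NoSuchMethodException(method);
    }
}

/** Sample application class in the spirit of the slides' PatientRecord; constructed for this example. */
class PatientRecord {
    private String history = "";
    public void writeMedicalHistory(String h) { history = h; }
    public void writePrescription(String p) { }
    public String getMedicalHistory() { return history; }
    public String getDiagnosis() { return "n/a"; }
    public void setPaymentMode(String m) { }
    public void dischargePatient() { }   // added after the policy was written; the audit should flag it
}

public class AclDemo {
    public static void main(String[] args) throws Exception {
        Role md = new Role("MD"), nurse = new Role("Nurse"), admitting = new Role("Admitting");
        RoleGroup clinical = new RoleGroup("Clinical", md, nurse);

        MethodAcl acl = new MethodAcl();
        acl.addEntry(new MethodAclEntry(clinical, false, "writeMedicalHistory", "writePrescription", "getMedicalHistory", "getDiagnosis"));
        acl.addEntry(new MethodAclEntry(nurse, true, "writeMedicalHistory", "writePrescription"));  // individual negative beats the group grant
        acl.addEntry(new MethodAclEntry(admitting, false, "setPaymentMode"));

        PatientRecord rec = new PatientRecord();
        acl.invoke(md, rec, "writePrescription", "amoxicillin");          // MD: permitted through Clinical
        System.out.println("Nurse may read history: " + acl.checkPermission(nurse, "getMedicalHistory"));
        try {
            acl.invoke(nurse, rec, "writePrescription", "amoxicillin");   // Nurse: prohibited by the negative entry
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        // Public methods the policy never mentions for MDs: setPaymentMode (Admitting only) and the new dischargePatient
        System.out.println("MD policy gaps: " + acl.unmentioned(PatientRecord.class, md));
    }
}
```

The audit in unmentioned is the maintenance aid the slide describes: when a class gains a public method, the ACL says nothing about it, and the audit lists it so the policy is extended deliberately rather than leaving the method open or silently blocked. Enforcement through invoke is only as strong as the rule that tool code calls methods through the ACL; direct calls on the object bypass it, which is the same caveat as for the subclassing approach.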
Aglets - Java Agents

A Mobile Software Agent is an Object that has Behavior, State and Location, and can Move from Place to Place in Order to Perform its Function
Agents are Objects
  Created and Destroyed
  Migrate to a New Location
  Execute Required Responsibilities
  Process Incoming Messages from Other Agents
  Communicate by Message Passing
Aglets - Java Agents (http://aglets.trl.ibm.co.jp)
Aglets - Java Agents (continued)

Status of Mobile Aglet Security
  Progressing via the Sandbox
  Involves Cryptography and Authentication to Ensure the Security of the Aglet and its Messages
Agents/Aglets and URBS
  Distributed Object Computing Focuses on Runtime Objects
  Can Agents/Aglets Monitor/Enforce Security from the Perspective of User, UR, and/or Object?
  Can Agents/Aglets Encapsulate Security Policy that is Evolvable as Needed without Impact?
  Status: Still Under Investigation
Concluding Remarks

Explored the Security Capabilities and Potentials of Java, including:
  Brief Review of the java.security API: Digital Signatures, Message Digests, Key Management, and ACLs
  Realization and Limitations of URBS in Java
  Advanced Security Features and the Potential for URBS and Security for DOC
Future Work
  Legacy/COTS and Interoperability
  Emerging Technologies
  Middleware and OODBSs
Future Work
Security for Legacy/COTS?

(Figure: Legacy, COTS and Database systems and Java clients connected over a network)

How is Security Handled for Individual Systems?
What about Distributed Security?
Security Issues for New Clients? New Servers? Across the Network?
What if Security is Never Available for Legacy/COTS/Database?
Future Work
Middleware and Emerging OODBS

Tracking Emerging Technologies
  CORBA/ORBs
    Level of Support for Security
    Current and Planned Support
  Jasmine - Computer Associates, Inc.
    Advanced Data Storage (Multi-Media, Video, Sound, etc.)
    C++, Java, CORBA Interfaces

Your Questions? Input? Discussion?