Java Security Model COEN 351: E-Commerce Security


Page 1: Java Security Model

Java Security Model

COEN 351: E-Commerce Security

Page 2: Java Security Model

Java Security Model: High-level Features

Platform Security: built-in language security features enforced by the Java compiler and virtual machine:
- Strong data typing
- Automatic memory management
- Bytecode verification
- Secure class loading

Cryptography: a comprehensive API covering
- digital signatures
- message digests
- ciphers (symmetric, asymmetric, stream and block)
- message authentication codes
- key generators and key factories

Support for a wide range of standard algorithms, including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.

PKCS#11 cryptographic token support.
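As an added illustration of the cryptographic API listed above (this is example code, not from the slides), the program below uses the standard java.security and javax.crypto classes for a message digest, an HMAC and an RSA signature over the same constructed message, and shows both the MAC and the signature failing once one byte of the message is changed. It assumes a JDK 8 or later with the default providers; the class name JcaDemo and the sample message are inventions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class JcaDemo {

    // Hex encoder kept local so the example also runs on JDK 8 (java.util.HexFormat is 17+).
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Message digest: integrity only, no key, so anyone can recompute it.
    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Message authentication code: integrity plus origin, for parties that share the key.
    static byte[] hmac(SecretKey key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data);
    }

    // Digital signature: origin provable to third parties that hold only the public key.
    static byte[] sign(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pub);
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message and a copy with its last byte flipped
        byte[] msg = "order=1234;amount=10.00;currency=USD".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = msg.clone();
        tampered[tampered.length - 1] ^= 0x01;

        System.out.println("SHA-256: " + hex(sha256(msg)));

        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        byte[] tag = hmac(macKey, msg);
        // Compare MAC tags with the constant-time helper, never with Arrays.equals.
        System.out.println("HMAC matches on original: " + MessageDigest.isEqual(tag, hmac(macKey, msg)));
        System.out.println("HMAC matches on tampered: " + MessageDigest.isEqual(tag, hmac(macKey, tampered)));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] sig = sign(kp, msg);
        System.out.println("signature verifies on original: " + verify(kp.getPublic(), msg, sig));
        System.out.println("signature verifies on tampered: " + verify(kp.getPublic(), tampered, sig));
    }
}
```

The three primitives answer different questions: the digest detects accidental change, the MAC proves the message came from a holder of the shared key, and the signature proves it came from the holder of the private key without giving the verifier any secret.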

Page 3: Java Security Model

Java Security Model: High-level Features

Authentication and Access Control: abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture.

A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources.

Page 4: Java Security Model

Java Security Model: High-level Features

Secure Communications: APIs and implementations of Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), and Simple Authentication and Security Layer (SASL). Support for HTTPS over SSL/TLS.

Page 5: Java Security Model

Java Security Model: High-level Features

Public Key Infrastructure (PKI): tools for managing keys and certificates, and comprehensive, abstract APIs with support for the following features and algorithms:
- Certificates and Certificate Revocation Lists (CRLs): X.509
- Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)
- KeyStores: PKCS#11, PKCS#12
- Certificate Stores (Repositories): LDAP, java.util.

Page 6: Java Security Model

Java 2 Platform Security

The language is type-safe and easy to use (so that mistakes are less likely). This is done with language features such as:
- Automatic memory management
- Garbage collection
- Range checking on strings and arrays

Code is executed in the Java Virtual Machine (JVM). The JVM simulates execution of Java bytecode. The compiler and bytecode verifier ensure that only legitimate Java bytecodes are executed. The bytecode verifier and JVM guarantee language safety at run time.

The class loader defines a local name space: an untrusted applet cannot interfere with the running of other programs.

The JVM mediates access to crucial system resources. The SecurityManager class restricts the actions of Java code.

Page 7: Java Security Model

Java 2 Platform Security: Original Sandbox Model

Code is executed in the Java Virtual Machine (JVM). The JVM simulates execution of Java bytecode. The sandbox model allows code to run in a very restricted environment. Local code, however, has full access to valuable system resources.

Page 8: Java Security Model

Java 2 Platform Security: JDK 1.1 “Signed Applet”

A correctly signed applet is treated as a trusted applet. Applets and signatures are delivered in the JAR (Java Archive) format. Untrusted applets run in the sandbox.

Page 9: Java Security Model

Java 2 Platform Security

Fine-grained access control. Previously, the application writer had to do substantial programming (e.g., by subclassing and customizing the SecurityManager and ClassLoader classes). The HotJava browser 1.0 allows the user to choose from a small number of different security levels.

Easily configurable security policy. Easily extensible access control structure. Extension of security checks to all Java programs, including applications as well as applets. Trust of local code is no longer a built-in concept.

Page 10: Java Security Model

Java 2 Platform Security

Page 11: Java Security Model

Java 2 Platform Security: Protection Domains

A protection domain is the set of objects that are currently directly accessible by a principal. A principal is an entity in the computer system to which permissions are granted. A domain serves to group and to isolate between units of protection. Protection domains are either system domains or application domains.

Page 12: Java Security Model

Java 2 Platform Security: Protection Domains

Page 13: Java Security Model

Java 2 Platform Security: Protection Domains

A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Protection domains are determined by the policy currently in effect. The Java application environment maintains a mapping from code (classes and instances) to their protection domains and then to their permissions.

Page 14: Java Security Model

Java 2 Platform Security: Protection Domains

Page 15: Java Security Model

Java 2 Platform Security: Protection Domains

A Java thread can occur completely within a single protection domain. It can also involve an application domain and a system domain. Examples:
- An application prints out a message. It needs to interact with the system domain that is the access point to an output stream.
- The AWT system domain calls an applet’s paint method to display it.

Important:

Page 16: Java Security Model

Java 2 Platform Security: Protection Domains

Normal rule: the permission set of an execution thread is the intersection of the permissions of all protection domains traversed by the execution thread.

Exception: the doPrivileged call enables a piece of trusted code to temporarily enable access to more resources than are available directly to the application that called it.

Example: an application may not be allowed direct access to the files that contain fonts, but the system utility displaying those fonts needs to obtain them on behalf of the user.

Page 17: Java Security Model

Java 2 Platform Security: Protection Domains

When access to a critical system resource (such as file I/O or network I/O) is requested, the resource-handling code invokes a special AccessController class method, which evaluates the request and decides whether the request should be granted or denied.
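The font example of the two slides above, worked through as added code (not from the slides): FontService plays the trusted system utility and App the application that is denied direct access. It assumes the two classes are packaged in separate jars matched by the constructed policy in the comment, and a JDK from 11 to 17 started with -Djava.security.manager (the SecurityManager API is deprecated for removal since JDK 17 and permanently disabled in JDK 24). The package name demo, the jar names and the font path are inventions for this example.

```java
package demo;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Constructed policy file (font.policy) for this example. Only the utility's jar is granted
// read access to the font directory; the application's jar gets nothing beyond the defaults:
//
//   grant codeBase "file:${user.dir}/lib/fontservice.jar" {
//       permission java.io.FilePermission "/usr/share/fonts/-", "read";
//   };
//
// Run with:
//   java -Djava.security.manager -Djava.security.policy=font.policy \
//        -cp lib/app.jar:lib/fontservice.jar demo.App

/** Trusted utility, packaged in fontservice.jar. */
class FontService {
    private static final Path FONT_DIR = Path.of("/usr/share/fonts");

    byte[] loadFont(String fontName) throws IOException {
        // Validate the caller-controlled input BEFORE elevating. doPrivileged wraps only the
        // file read of an already-checked path, so callers cannot turn it into a read of any file.
        if (fontName.contains("/") || fontName.contains("\\") || fontName.contains("..")) {
            throw new IllegalArgumentException("invalid font name: " + fontName);
        }
        Path file = FONT_DIR.resolve(fontName).normalize();
        if (!file.startsWith(FONT_DIR)) {
            throw new IllegalArgumentException("outside font directory: " + file);
        }
        try {
            // Inside doPrivileged the access controller's stack walk stops at this frame:
            // only FontService's own protection domain, not the caller's, must imply the
            // FilePermission. Without doPrivileged the intersection rule would deny the read.
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<byte[]>) () -> Files.readAllBytes(file));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();   // the action only throws IOException
        }
    }
}

/** Untrusted application, packaged in app.jar with no FilePermission of its own. */
public class App {
    public static void main(String[] args) throws IOException {
        Path font = Path.of("/usr/share/fonts/DejaVuSans.ttf");
        try {
            // Direct access: the file API calls SecurityManager.checkRead, which consults the
            // AccessController, and every domain on the stack (here: app.jar) must permit it.
            Files.readAllBytes(font);
            System.out.println("direct read allowed (is the security manager installed?)");
        } catch (AccessControlException e) {
            System.out.println("direct read denied: " + e.getMessage());
        }

        // Indirect access through the trusted utility succeeds for the validated name only.
        byte[] data = new FontService().loadFont("DejaVuSans.ttf");
        System.out.println("via FontService: " + data.length + " bytes");
    }
}
```

The check the practitioner cares about is where the input validation sits: everything that depends on caller-controlled data is decided before the privileged block, and the block itself does the smallest possible amount of work.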

Page 18: Java Security Model

Java 2 Platform Security: Protection Domains

Each domain needs to implement additional protection of internal resources. Example: a banking application needs to maintain internal concepts of checking accounts, deposits, and withdrawals.

Page 19: Java Security Model

Java 2 Platform Security: Why

Original problem: users download programs that contain viruses and worms (even in commercial software). Java machines execute downloaded code, which makes the problem worse.

Early work focuses on this issue: Java programs are secure because they cannot install, run, or propagate viruses.

Page 20: Java Security Model

Java 2 Platform Security: Why

[Architecture diagram with components: Remote Class Files, Local Class Files, Signed Class Files, Bytecode Verifier, Class Loader, Core API Class Files, Core Java API, Security Package, Key Database, Security Manager, Access Controller, Operating System]

Page 21: Java Security Model

Java 2 Platform Security: Why

Bytecode verifier: ensures that Java class files follow the rules of Java. Enforces memory protections for all Java programs.

Class loader: sets permissions for each class it loads.

Page 22: Java Security Model

Java 2 Platform Security: Why

[Architecture diagram repeated from Page 20]

Page 23: Java Security Model

Java 2 Platform Security: Why - Access Controller and Security Manager

Access Controller: allows or prevents most access from the core API to the operating system, based on policies set by the end user or system administrator.

Security Manager: the primary interface between the core API and the OS. Responsible for allowing or preventing access to all system resources. Exists mainly for historical reasons: defers actions to the access controller.

Page 24: Java Security Model

Java 2 Platform Security: Why

[Architecture diagram repeated from Page 20]

Page 25: Java Security Model

Java 2 Platform Security: Why - Security Package

Classes in the java.security package and those in the security extensions. Adds security features to applications and provides the basis for signing Java classes:
- Message digests
- Keys and certificates
- Digital signatures
- Encryption
- Authentication

Page 26: Java Security Model

Java 2 Platform Security: Why

[Architecture diagram repeated from Page 20]

Page 27: Java Security Model

Java 2 Platform Security: Why

Key database: the set of keys used by the security infrastructure to create or verify digital signatures.

Page 28: Java Security Model

Java 2 Platform Security: Why

[Architecture diagram repeated from Page 20]

Page 29: Java Security Model

Java 2 Platform Security: Why - Java Sandbox

- Permissions: type, name, and action of a permission
- Code sources: the location from which a class has been loaded (URL), and info on the signer (if the code is signed)
- Protection domains: the association of permissions with a particular code source
- Policy files: entries that define protection domains
- Keystores

Page 30: Java Security Model

Java 2 Platform Security: Why - Comparison with C++

C++ has the same access levels: private, (default = package in Java), protected, public. However, C++ allows backdoors that give access to protected or private parts of objects: casting into an arbitrary memory pointer will do that. This is not a security problem if the code comes from the same entity. It is a security problem if trusted and untrusted code need to commingle.

Page 31: Java Security Model

Java 2 Platform Security: Why - Java provides memory integrity

Access methods are strictly adhered to. Programs cannot access arbitrary memory locations: there are no pointers in Java. Entities declared as final must not be changed. Otherwise:
- A public final variable could be changed. An attacker changes the values of EAST and WEST in GridBagConstraints, and now all applets will change the layout of maps.
- A subclass overrides a final method and alters its behavior. An attacker overrides the SetPriority() method of the Thread class.
- A subclass can be created from a final class such as String. Suddenly, String objects are no longer constants.

Page 32: Java Security Model

Java 2 Platform Security: Why - Java provides memory integrity

- Variables may not be used before they are initialized. Otherwise an attacker declares a huge variable without initialization and can then read a large part of memory, hoping to find interesting stuff.
- Array bounds are checked on all array accesses. Otherwise, buffer overflows by an attacker allow overwriting of adjacent memory.
- Objects cannot be cast into other objects.

Page 33: Java Security Model

Java 2 Platform Security: Why

Memory integrity does not prevent the owner of the machine from using tools to look at the memory of an applet.

Page 34: Java Security Model

Java 2 Platform Security: Why - Object Serialization and Memory Integrity

Object serialization allows an object to be written as a series of bytes. Needed to exchange objects between clients and servers. Needed to save objects to disk and recreate them later.
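Because a serialized byte stream names the classes to recreate, an ObjectInputStream fed untrusted bytes will instantiate whatever classes the stream asks for; the memory-integrity guarantees of the language do not decide which classes are appropriate. The added example below (not from the slides) restricts deserialization with the java.io.ObjectInputFilter API that exists since JDK 9: only an allow-listed Order type is accepted, and the readObject of any other class never runs. The Order and Unexpected classes and the sample data are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

public class SafeDeserialization {

    /** The one application type we expect on the wire (constructed for this example). */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final long cents;
        Order(String id, long cents) { this.id = id; this.cents = cents; }
    }

    /** Stands in for any other serializable class whose readObject has side effects. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unexpected.readObject ran!");   // must never be reached for untrusted input
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Allow-list filter: only the given classes (plus primitive arrays) may be resolved, and
        nesting depth and array sizes are capped so a crafted stream cannot exhaust memory.
        The filter runs before a class is resolved, so a rejected class is never instantiated. */
    static ObjectInputFilter allowOnly(Class<?>... allowed) {
        Set<String> names = new HashSet<>();
        for (Class<?> c : allowed) names.add(c.getName());
        return info -> {
            if (info.depth() > 5 || info.arrayLength() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {                       // limit-only callback, no class to judge
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) c = c.getComponentType();
            return c.isPrimitive() || names.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);      // must be set before the first readObject
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = allowOnly(Order.class, String.class);

        Order ok = (Order) deserialize(serialize(new Order("1234", 1000)), filter);
        System.out.println("accepted: order " + ok.id + " for " + ok.cents + " cents");

        try {
            deserialize(serialize(new Unexpected()), filter);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be installed process-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which covers ObjectInputStreams created by libraries the application does not control.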

Page 35: Java Security Model

Java 2 Platform Security: Why

Enforcement of language rules: compiler enforcement. The compiler enforces casting rules, …

Page 36: Java Security Model

Java 2 Platform Security: Why

Enforcement of language rules: bytecode verifier. A mini-theorem prover that checks:
- The class file has the correct format.
- Final classes are not subclassed and final methods are not overridden.
- Every class has a single superclass.
- There is no illegal data conversion of primitive types.
- There is no illegal data conversion of objects.
- There are no operand stack overflows or underflows.

Java has a data stack (for methods) and an operand stack; the latter is protected.

Page 37: Java Security Model

Java 2 Platform Security: Why

Enforcement of language rules: delayed bytecode verification. Verification of tests for field and method access is delayed until the code is actually executed.

Runtime enforcement: array bounds checking, object casting.

Page 38: Java Security Model

Java 2 Platform Security: Security Manager

The Security Manager provides mechanisms for the Java API to see if security-related operations are allowed. The Access Controller provides the basis of the default implementation of the security manager. The class loader encapsulates information about security policies and classes.

Page 39: Java Security Model

Java 2 Platform Security: Security Manager

[Diagram “Coordination of Security Manager and Access Controller”, with components: Program Code, Java API, Native Libraries, Security Manager, Access Controller, Operating System, Program-Specific resources]

Page 40: Java Security Model

Java 2 Platform Security: Security Manager

The Security Manager is in control of the security policy of an application. It determines whether particular operations should be permitted or denied. The access controller does pretty much the same; historical development explains why there are two similar entities.

Java 2: the security manager relies more on the access controller. Java 2: access controller policies are specified by policy files. Java 2: a more flexible architecture. The large body of pre-Java 2 code freezes the main interface to security procedures, i.e. the security manager.

Page 41: Java Security Model

Java 2 Platform Security: Security Manager

[Diagram “Coordination of Security Manager and Access Controller” repeated from Page 39]

Page 42: Java Security Model

Java 2 Platform Security: Security Manager

Native libraries are still outside the scope of the security manager and access controller. The ability to load these libraries can be restricted. The security manager sometimes bypasses the access controller.

Page 43: Java Security Model

Java 2 Platform Security: Security Manager

Default setting: Java applications have no security manager. It needs to be explicitly installed, with the -Djava.security.manager option. Java applets have a strict security manager.

Page 44: Java Security Model

Java 2 Platform Security: Security Manager

Example: security exception if run as an applet. No exception if run as an application, but you’ll end up deleting a directory.

    // The slide's original package name "java.example" cannot be loaded: the class loader
    // rejects any package starting with "java.", so the package is renamed here.
    package example;

    import java.applet.*;

    public class MaliciousApplet extends Applet {
        public void init() {
            try {
                // Runs an external command; under the applet security manager
                // the exec check throws a SecurityException instead.
                Runtime.getRuntime().exec("rmdir foo");
            } catch (Exception e) {
                System.out.println(e);
            }
        }

        // Run as a plain application there is no security manager, so the command executes.
        public static void main(String args[]) {
            MaliciousApplet a = new MaliciousApplet();
            a.init();
        }
    }

Page 45: Java Security Model

Java 2 Platform Security: Security Manager

Java API algorithm for a potentially dangerous operation:
1. The programmer makes a request to the Java API.
2. The Java API asks the security manager if this is allowed.
3. The security manager either disallows the operation by throwing an exception, which the Java API throws back to the program,
4. or otherwise the Java API completes the operation and returns normally.

Page 46: Java Security Model

Java 2 Platform Security: Security Manager

Code with the runtime permission createSecurityManager can create and set a SecurityManager object. The SecurityManager class provides a complete implementation for the sandbox; this is the one you install by specifying the -Djava.security.manager option to a Java application. Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.

Page 47: Java Security Model

Java 2 Platform Security: Security Manager - Security Manager Methods

- File access: reading, writing, deleting.
- Network access: socket creation and use. Prevents a rogue applet from connecting to a third machine over the network, or from collecting network information and handing it back to the web server.
- Protection of the virtual machine.
- Protection of threads.
- Protection of system resources, e.g. untrusted classes cannot print or get the clipboard.
- Protection of security aspects, e.g. access to classes, packages, …
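The four-step algorithm and the security manager methods of the last three slides, as an added example that is not from the slides: a SecurityManager subclass that keeps the default decisions (super delegates to the AccessController) but records each exec and connect request together with the application class that made it, which is the kind of audit trail a defender wants from a sandbox. It assumes a JDK from 11 to 17 (on JDK 18 to 23 the setSecurityManager call additionally needs -Djava.security.manager=allow; JDK 24 disables the API); the class name AuditingSecurityManager is an invention for this example.

```java
import java.security.Permission;

/** Audit-only security manager: same decisions as the default sandbox, plus a log line per request. */
@SuppressWarnings({"deprecation", "removal"})
public class AuditingSecurityManager extends SecurityManager {

    @Override
    public void checkExec(String cmd) {
        log("exec", cmd);
        super.checkExec(cmd);            // step 3: asks the AccessController; throws if not granted
    }

    @Override
    public void checkConnect(String host, int port) {
        log("connect", host + ":" + port);
        super.checkConnect(host, port);
    }

    @Override
    public void checkPermission(Permission perm) {
        // Every other check (file, property, thread, class loader, ...) funnels through here.
        super.checkPermission(perm);
    }

    private void log(String op, String target) {
        System.err.println("[audit] " + op + " " + target + " requested by " + requester());
    }

    /** First class on the call stack, below this manager's own frames, that was not loaded
        by the bootstrap loader: the application code to hold accountable for the request. */
    private String requester() {
        boolean pastSelf = false;
        for (Class<?> c : getClassContext()) {
            if (!pastSelf) {
                if (c == AuditingSecurityManager.class) continue;
                pastSelf = true;
            }
            if (c.getClassLoader() != null) return c.getName();
        }
        return "(system code)";
    }

    public static void main(String[] args) {
        // Installs the manager, as -Djava.security.manager would; the default policy applies.
        System.setSecurityManager(new AuditingSecurityManager());

        try {
            new ProcessBuilder("ls").start();    // step 1: request; the API calls checkExec (step 2)
            System.out.println("exec permitted");
        } catch (SecurityException e) {
            System.out.println("exec denied: " + e.getMessage());   // step 3 under the default policy
        } catch (java.io.IOException e) {
            System.out.println("exec permitted but failed: " + e.getMessage());
        }

        try {
            new java.net.Socket("localhost", 9).close();   // checkConnect runs before any packet is sent
            System.out.println("connect permitted");
        } catch (SecurityException e) {
            System.out.println("connect denied: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("connect permitted but failed: " + e.getMessage());
        }
    }
}
```

Note that the manager does not widen any decision: granting is still a matter for the policy file, and the override only adds visibility into who asked for what.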

Page 48: Java Security Model

Java 2 Platform Security: Access Controller

The Access Controller is built upon: code sources (where did the code come from), permissions, policies, and protection domains.

Page 49: Java Security Model

Java 2 Platform Security: Security Manager

[Diagram “Coordination of Security Manager and Access Controller” repeated from Page 39]

Page 50: Java Security Model

Java 2 Platform Security: Access Controller - Code Source Class

A simple object that reflects the URL (http, file, …) from which a class was loaded and that contains the keys that were used to sign the class. Class loaders are responsible for creating and manipulating code source objects.

Page 51: Java Security Model

Java 2 Platform Security: Access Controller - Permissions

Permissions consist of:
- Type, e.g. java.io.FilePermission
- Name, e.g. the name of a file, or “showWindowWithoutWarningBanner”
- Action, e.g. read file, write file, delete file

They allow the Java API to negotiate access to resources, and allow the programmer arbitrary permissions for use within their own programs.

Page 52: Java Security Model

Java 2 Platform Security: Access Controller

Policy class: specifies which permission applies to which code source. Only a single instance of the policy class can be installed in the virtual machine at any one time.
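An added example (not from the slides) for the two slides above: it builds the permission collection that a policy grant would attach to a code source and asks it the same implies question the access controller asks of each protection domain, which exposes the name and action matching rules that policy authors get wrong most often. It assumes a Unix-style file system for the FilePermission paths; the jar name, directory and policy fragment are constructed for this example.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class PermissionMatching {

    // Constructed policy file fragment expressing the same grant as grantedToReports() below.
    // Each "permission" line is type, name, action, exactly like the constructors in the code:
    //
    //   grant codeBase "file:${user.dir}/lib/reports.jar" {
    //       permission java.io.FilePermission "/var/app/reports/-", "read";
    //       permission java.util.PropertyPermission "java.*", "read";
    //   };

    /** The PermissionCollection the policy above would attach to reports.jar's code source. */
    static Permissions grantedToReports() {
        Permissions p = new Permissions();
        p.add(new FilePermission("/var/app/reports/-", "read"));   // "-": the directory and all subdirectories
        p.add(new PropertyPermission("java.*", "read"));           // trailing "*": every property under java.
        return p;
    }

    /** Does the granted set imply the requested permission? This is the question the
        access controller puts to every protection domain traversed by the thread. */
    static boolean granted(Permission requested) {
        return grantedToReports().implies(requested);
    }

    static void show(String label, boolean result) {
        System.out.println((result ? "GRANT " : "DENY  ") + label);
    }

    public static void main(String[] args) {
        // Name matching: "-" is recursive, while "*" matches only the directory's immediate entries.
        show("read nested report (granted with '-')",
                granted(new FilePermission("/var/app/reports/2024/q1.csv", "read")));
        show("read nested report against a '*' grant",
                new FilePermission("/var/app/reports/*", "read")
                        .implies(new FilePermission("/var/app/reports/2024/q1.csv", "read")));
        show("read top-level report against a '*' grant",
                new FilePermission("/var/app/reports/*", "read")
                        .implies(new FilePermission("/var/app/reports/summary.csv", "read")));

        // Action matching: a grant of "read" implies neither "write" nor the broader "read,write".
        show("write nested report", granted(new FilePermission("/var/app/reports/2024/q1.csv", "write")));
        show("read,write nested report", granted(new FilePermission("/var/app/reports/2024/q1.csv", "read,write")));

        // A name outside the granted tree is denied even with a granted action.
        show("read /etc/passwd", granted(new FilePermission("/etc/passwd", "read")));

        // Property names: the "java.*" wildcard covers java.version but not user.home.
        show("read property java.version", granted(new PropertyPermission("java.version", "read")));
        show("read property user.home", granted(new PropertyPermission("user.home", "read")));
    }
}
```

The recursive grant is the usual surprise: a policy written with "/var/app/reports/*" to mean "the reports area" silently denies every file in a subdirectory, and one written with "-" grants far more than an author who meant only the top-level files intended.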

Page 53: Java Security Model

Java 2 Platform Security: Access Controller

Protection domain: a grouping of code source and permissions. When associated with a class, it states that the given class was loaded from the site specified in the code source, was signed by the public keys specified in the code source, and has the permissions represented in the permission collection object.
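To see the three pieces of a protection domain as the class loader recorded them, the added example below (not from the slides) reads a class's ProtectionDomain and reports its code source location, its signers and its static permissions, then asks the domain whether it implies a file permission. It assumes a JDK from 11 to 17 run without a security manager (ProtectionDomain.implies consults the installed Policy, part of the SecurityManager-era API); the class name DomainInspector is an invention for this example.

```java
import java.io.FilePermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collections;

public class DomainInspector {

    /** Report what the class loader recorded for a class: where it came from, who signed it,
        and which permissions were attached statically when the class was defined. */
    static String describe(Class<?> c) {
        // With a security manager installed this call needs RuntimePermission("getProtectionDomain").
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();
        StringBuilder sb = new StringBuilder(c.getName()).append('\n');
        if (cs == null) {
            // Bootstrap classes carry no code source and run in the all-permissions system domain.
            sb.append("  code source:  none (system domain)\n");
        } else {
            Certificate[] signers = cs.getCertificates();
            sb.append("  location:     ").append(cs.getLocation()).append('\n');
            sb.append("  signers:      ")
              .append(signers == null || signers.length == 0 ? "unsigned" : signers.length + " certificate(s)")
              .append('\n');
        }
        PermissionCollection perms = pd.getPermissions();
        sb.append("  static perms: ")
          .append(perms == null ? "none" : Collections.list(perms.elements()))
          .append('\n');
        return sb.toString();
    }

    /** Ask the domain itself whether it implies a permission: the static permissions are checked,
        and for domains created by a SecureClassLoader the installed Policy is consulted as well. */
    static boolean domainImplies(Class<?> c, Permission p) {
        return c.getProtectionDomain().implies(p);
    }

    public static void main(String[] args) {
        System.out.print(describe(DomainInspector.class));   // loaded from the class path
        System.out.print(describe(String.class));            // bootstrap class

        Permission readPasswd = new FilePermission("/etc/passwd", "read");
        System.out.println("class-path code may read /etc/passwd: " + domainImplies(DomainInspector.class, readPasswd));
        System.out.println("bootstrap code may read /etc/passwd:  " + domainImplies(String.class, readPasswd));
    }
}
```

A class loaded from a signed jar reports its signers here; a class whose location is a temporary directory or a remote URL is worth a second look during an incident, because that location is what the policy matched on when it handed out permissions.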

Page 54: Java Security Model

Java 2 Platform Security: Secure Class Loading

The class loader is responsible for locating and fetching the class file, consulting the security policy, and defining the class object with the appropriate permissions.

Dynamic class loading: lazy loading (on-demand loading) and link-time checks for type safety. Programmers can define their own class loaders to specify remote locations from which classes are loaded and to assign appropriate security attributes for them.

Class loaders provide separate name spaces. Example: a browser can load applets from different web pages using separate class loaders, thus maintaining a degree of isolation between those applet classes.

Page 55: Java Security Model

Java 2 Platform Security: Secure Class Loading

Multiple instances of class loader objects exist in the JVM: the root is the abstract class java.lang.ClassLoader, which has the subclass java.security.SecureClassLoader, which has the subclass java.net.URLClassLoader. The utility program appletviewer uses the private class sun.applet.AppletClassLoader to load applets.

Primordial class loader: implemented in a system-native language; loads classes from the local file system in a platform-dependent manner.

Page 56: Java Security Model

Java 2 Platform Security: Secure Class Loading

Class loader delegation: a class loader can either load the class itself or ask another class loader to do so.

Class resolution algorithm:
1. Check if the class has already been loaded.
2. If the current class loader has a specified delegation parent, delegate to the parent to try to load this class. If there is no parent, delegate to the primordial class loader.
3. Call a customizable method to find the class elsewhere.

Page 57: Java Security Model

Java 2 Platform Security: Secure Class Loading

A class is defined in a machine-independent binary representation called the class file. Example: the class file of C contains a reference to class D. The symbolic reference is resolved at link time. The class loader for C is the initiating loader for class D. The class loader for C can delegate to a second class loader, etc. The delegation relationship is formed at run time.

    class C {
        void f() {
            D d = new D();
            …
        }
    }

Page 58: Java Security Model

Java 2 Platform Security: Secure Class Loading

The class loader performs:
1. Consults the security manager.
2. If the class loader has already loaded the class, finds the previously defined class object.
3. Otherwise, the class loader goes to the parent to see whether the parent knows how to load the class (recursive call).
4. Consults the security manager to see if the program is allowed to create the class.
5. The class file is read into a byte array.
6. Creates the protection domain for the class, consulting the default security model.
7. Constructs the class object from the bytecode and gets the permissions associated with the code source.
8. Resolves the class: any immediate references to other classes must be found.
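The secure class loading slides above (delegation, the resolution algorithm, steps 5 to 7 of the loader's work, and the separate name spaces of Page 54), worked through as added code that is not from the slides. A small SecureClassLoader subclass defines the same bytecode twice, once per "site", each time with its own CodeSource and ProtectionDomain, and the program then shows that the two results are distinct classes with separate static state. It assumes JDK 9 or later (ClassLoader.getPlatformClassLoader, InputStream.readAllBytes) and that the compiled classes are on the class path; the class names and the http://a.example and http://b.example origins are constructed for this example, and the "downloaded" bytecode is simply the class-path copy of the Plugin class.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

public class IsolationDemo {

    /** Stand-in for an applet or plugin class. Its static counter shows that each loader gets its own copy. */
    public static class Plugin {
        private static int instances = 0;
        public Plugin() { instances++; }
        public int instances() { return instances; }
    }

    /** Minimal secure class loader. The inherited loadClass already implements the delegation order of
        the slides: findLoadedClass first, then the parent, and only then the customizable findClass. */
    static final class PluginLoader extends SecureClassLoader {
        private final URL origin;         // recorded as the CodeSource location of everything this loader defines
        private final Permissions perms;  // static permissions for the protection domain

        PluginLoader(URL origin, Permissions perms) {
            // The platform loader cannot see the class path, so delegation fails for Plugin and findClass runs.
            super(ClassLoader.getPlatformClassLoader());
            this.origin = origin;
            this.perms = perms;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!name.equals(Plugin.class.getName())) {
                throw new ClassNotFoundException(name);
            }
            byte[] bytes = readBytes(name);                                    // step 5: class file into a byte array
            CodeSource cs = new CodeSource(origin, (Certificate[]) null);      // unsigned code from 'origin'
            ProtectionDomain pd = new ProtectionDomain(cs, perms, this, null); // step 6: domain for the class
            return defineClass(name, bytes, 0, bytes.length, pd);              // step 7: class object with its domain
        }

        // Constructed for this demo: reuse the bytecode of the class-path copy of Plugin as the "downloaded" class.
        private byte[] readBytes(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = IsolationDemo.class.getClassLoader().getResourceAsStream(resource)) {
                if (in == null) throw new ClassNotFoundException(name);
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Permissions sandbox = new Permissions();   // empty: no static permissions at all
        PluginLoader siteA = new PluginLoader(URI.create("http://a.example/plugin.jar").toURL(), sandbox);
        PluginLoader siteB = new PluginLoader(URI.create("http://b.example/plugin.jar").toURL(), sandbox);

        Class<?> a = siteA.loadClass(Plugin.class.getName());
        Class<?> b = siteB.loadClass(Plugin.class.getName());

        // Same name, same bytes, but three distinct classes: the class-path copy, site A's and site B's.
        System.out.println("a == Plugin.class: " + (a == Plugin.class) + ", a == b: " + (a == b));
        System.out.println("second load from site A reuses the class: " + (siteA.loadClass(Plugin.class.getName()) == a));

        // Each name space has its own statics, so one site cannot observe the other's state.
        Object a1 = a.getConstructor().newInstance();
        a.getConstructor().newInstance();
        Object b1 = b.getConstructor().newInstance();
        System.out.println("instances seen by A: " + a.getMethod("instances").invoke(a1)
                + ", by B: " + b.getMethod("instances").invoke(b1));

        // Each class remembers where it was loaded from; this is what a policy matches on.
        System.out.println("A loaded from " + a.getProtectionDomain().getCodeSource().getLocation());

        try {
            Plugin p = (Plugin) a1;   // a type from site A's name space is not the class-path Plugin
            System.out.println("cast succeeded: " + p);
        } catch (ClassCastException e) {
            System.out.println("cast rejected: " + e.getMessage());
        }
    }
}
```

The ClassCastException at the end is the name-space isolation of Page 54 made visible: type identity in the JVM is the pair (loader, name), not the name alone, which is why a browser could keep applets from different pages apart by giving each page its own loader.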

Page 59: Java Security Model

Java Security Problems

The security model does not protect against all bad things:
- Applets that perform annoying tasks, e.g. using up CPU.
- Installing a local class file or local native library: an applet can call them if not prevented. Newer versions of browsers mitigate the adverse potential.