Upload
isleen
View
98
Download
1
Embed Size (px)
DESCRIPTION
Java Security Model. COEN 351: E-Commerce Security. Java Security Model. High-level Features: Platform Security: Built-in language security features enforced by the Java compiler and virtual machine: Strong data typing Automatic memory management Bytecode verification Secure class loading - PowerPoint PPT Presentation
Citation preview
Java Security Model
COEN 351: E-Commerce Security
Java Security Model High-level Features:
Platform Security: Built-in language security features enforced by the Java compiler and virtual machine:
Strong data typing Automatic memory management Bytecode verification Secure class loading
Cryptography Comprehensive API
digital signatures message digests ciphers (symmetric, asymmetric, stream & block) message authentication codes key generators and key factories
Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
PKCS#11 cryptographic token support
Java Security Model High-level Features:
Authentication and Access Control Abstract authentication APIs that can
incorporate a wide range of login mechanisms through a pluggable architecture.
A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources
Java Security Model High-level Features:
Secure Communications APIs and implementations:
Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), Simple Authentication and Security Layer
(SASL). Support for HTTPS over SSL/TLS.
Java Security Model High-level Features:
Public Key Infrastructure (PKI) Tools for managing keys and certificates and
comprehensive, abstract APIs with support for the following features and algorithms:
Certificates and Certificate Revocation Lists (CRLs): X.509
Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)
KeyStores: PKCS#11, PKCS#12 Certificate Stores (Repositories): LDAP, java.util.
Java 2 Platform Security Language is type-safe, and easy to use. (So that mistakes
are less likely.) Done with language features such as Automatic memory management Garbage collection Range checking on strings and arrays.
Code is executed in the Java Virtual Machine (JVM). JVM simulates execution of Java Byte Code. Compiler and bytecode verifier ensure that only legitimate
Java bytecodes are executed. Bytecode verifier and JVM guarantee language safety at run
time. Classloader defines a local name space:
An untrusted applet cannot interfere with the running of other programs.
JVM mediates access to crucial system resources. SecurityManager class restricts the actions of Java code.
Java 2 Platform Security Original Sandbox Model
Code is executed in the Java Virtual Machine (JVM).
JVM simulates execution of Java Byte Code. Sandbox model allows code to run in a very
restricted environment. Local code however has full access to
valuable system resources.
Java 2 Platform Security JDK 1.1: “Signed Applet”
Correctly signed applet is treated as trusted applet.
Applets and signatures are delivered in the JAR (Java Archive) format.
Untrusted applets run in the sandbox.
Java 2 Platform Security Java 2 Platform Security
Fine-grained access control. Previously, the application writer had to do
substantial programming (e.g., by subclassing and customizing the
SecurityManager and ClassLoader classes). The HotJava browser 1.0 allows the user to choose
from a small number of different security levels. Easily configurable security policy. Easily extensible access control structure. Extension of security checks to all Java
programs, including applications as well as applets.
Trust of local code is no longer a built-in concept.
Java 2 Platform Security
Java 2 Platform Security: Protection Domains
Protection Domains Set of objects that are currently directly
accessible by a principal. Principal is an entity in the computer
system to which permissions are granted.
Serves to group and to isolate between units of protection.
Protection domains are either system domains or application domains.
Java 2 Platform Security: Protection Domains
Java 2 Platform Security:Protection Domains A domain conceptually encloses a set of
classes whose instances are granted the same set of permissions.
Protection domains are determined by the policy currently in effect.
The Java application environment maintains a mapping from code (classes and instances) to their protection domains and then to their permissions.
Java 2 Platform Security: Protection Domains
Java 2 Platform Security: Protection Domains Java thread can completely occur within
a single protection domain. Can also involve application domain and
system domain. Examples:
Application prints out a message. Needs to interact with system domain that is the
access point to an output stream. AWT system domain calls an applet’s paint
method to display it. Important:
Java 2 Platform Security: Protection Domains Normal rule:
The permission set of an execution thread is the intersection of the permissions of all protection domains traversed by the execution thread.
Exception: doPrivileged call Enables a piece of trusted code to temporarily enable
access to more resources than are available directly to the application that called it.
Example: Application may not be allowed direct access to files
that contain files, but the system utility displaying those fonts needs to obtain them on behalf of the user.
Java 2 Platform Security: Protection Domains
When access to a critical system resource (such as file I/O and network I/O) is requested: the resource-handling code invokes a
special AccessController class method Evaluates the request Decides if the request should be granted
or denied.
Java 2 Platform Security: Protection Domains Each domain needs to implement
additional protection of internal resources.
Example: Banking application needs to
maintain internal concepts of checking accounts deposits withdrawals
Java 2 Platform SecurityWhy:
Original Problem: Users download programs that contain
viruses and worms (even in commercial software).
Java machines executes downloaded codes, which make the problem worse.
Early work focuses on this issue: Java programs are secure because they
cannot install, run, or propagate viruses.
Java 2 Platform SecurityWhy:
Remote Class Files
Local Class Files
Signed Class Files
Bytecode Verifier
Class LoaderCore API Class Files
Core Java APISecurity Package
Key Database
Operating System
Security ManagerAccess Controller
Java 2 Platform SecurityWhy:
Bytecode verifier: Ensures that Java class files follow the
rules of Java. Enforces memory protections for all
Java programs. Class loader:
Class loader sets permissions for each class it loads.
Java 2 Platform SecurityWhy:
Remote Class Files
Local Class Files
Signed Class Files
Bytecode Verifier
Class LoaderCore API Class Files
Core Java APISecurity Package
Key Database
Operating System
Security ManagerAccess Controller
Java 2 Platform SecurityWhy: Access Controller
Allows / prevents most access from the core API to the operating system
Based on policies set by the end user or system administrator.
Security Manager Primary interface between the core API and
the OS Responsible for allowing or preventing
access to all system resources. Exists mainly for historical reasons: defers
actions to access controller.
Java 2 Platform SecurityWhy:
Remote Class Files
Local Class Files
Signed Class Files
Bytecode Verifier
Class LoaderCore API Class Files
Core Java APISecurity Package
Key Database
Operating System
Security ManagerAccess Controller
Java 2 Platform SecurityWhy: Security Package
Classes in java.security package and those in security extensions.
Add security features to applications Provides bases for signing Java classes.
Message digests Keys and certificates Digital signatures Encryption Authentication
Java 2 Platform SecurityWhy:
Remote Class Files
Local Class Files
Signed Class Files
Bytecode Verifier
Class LoaderCore API Class Files
Core Java APISecurity Package
Key Database
Operating System
Security ManagerAccess Controller
Java 2 Platform SecurityWhy:
Key database Set of keys used by the security
infrastructure to create or verify digital signatures.
Java 2 Platform SecurityWhy:
Remote Class Files
Local Class Files
Signed Class Files
Bytecode Verifier
Class LoaderCore API Class Files
Core Java APISecurity Package
Key Database
Operating System
Security ManagerAccess Controller
Java 2 Platform SecurityWhy: Java Sandbox
Permissions Type, name, and action of permission
Code sources Location from which a class has been loaded
(URL) Info on signer (if code is signed)
Protection Domains Association of permissions with a particular code
Policy files Entries that define protection domains
Keystores
Java 2 Platform SecurityWhy: Comparison with C++
C++ has same access levels private, (default = package in Java), protected, public
However, C++ allows backdoors that give access to protected or private parts of objects
Casting into an arbitrary memory pointer will do that. This is not a security problem if the code
comes from the same entity. It is a security problem if trusted and
untrusted code needs to comingle
Java 2 Platform SecurityWhy: Java provides memory integrity
Access methods are strictly adhered to. Programs cannot access arbitrary memory locations.
No pointers in Java. Entities declared as final must not be changed.
Otherwise: A public final variable could be changed.
Attacker changes the values of EAST and WEST in GridBagConstraints and now all applets will change the layout of maps.
A subclass overrides a final method and alters its behavior.
Attacker overrides the SetPriority() method of the Thread class.
A subclass can be created from a final class such as String.
Suddenly, String objects are no longer constants.
Java 2 Platform SecurityWhy: Java provides memory integrity
Variables may not be used before they are initialized.
Attacker declares a huge variable without initialization.
Attacker can then read large part of memory hoping to find interesting stuff.
Array bounds are checked on all array accesses
Otherwise, buffer overflows by attacker allows overwriting of adjacent memory.
Objects cannot be cast into other objects.
Java 2 Platform SecurityWhy:
Memory integrity does not prevent the owner of the machine to use tools to look at the memory of an applet.
Java 2 Platform SecurityWhy:
Object Serialization and Memory Integrity Object serialization allows an object
to be written as a series of bytes. Needed to exchange objects between
clients and servers. Needed to save objects to disk and
recreate them later.
Java 2 Platform SecurityWhy:
Enforcement of language rules: Compiler enforcement
Compiler enforces casting rules, …
Java 2 Platform SecurityWhy:
Enforcement of language rules: Byte code verifier
A mini-theorem prover: Class file has the correct format. Final classes are not subclassed and final methods
are not overridden. Every class has a single superclass. There is no illegal data conversion of primitive
types. There is no illegal data conversion of objects. There are no operand stack overflows or underflows.
Java has a data stack (for methods) and an operand stack, the latter is protected.
Java 2 Platform SecurityWhy:
Enforcement of language rules: Delayed bytecode verification
Verification of tests for field and method access is delayed until code is actually executed.
Runtime enforcement Array bounds checking Object casting
Java 2 Platform Security:Security Manager Security Manager provides mechanisms
for Java API to see if security related operations are allowed.
Access Controller provides bases of the default implementation of the security manager.
Class loader encapsulates information about security policies and classes.
Java 2 Platform Security:Security Manager
Program Code
Java API
Native Libraries Security Manager
Access Controller
Operating System Program-Specific resources
Coordination of Security Manager and Access Controller
Java 2 Platform Security:Security Manager Security Manager is in control of the security
policy of an application. Determines whether particular operations should
be permitted or denied. Access controller does pretty much the same. Historical development explains why there are
two similar entities. Java 2: Security manager relies more on access
controller. Java 2: Access controller policies specified by policy
files. Java 2: More flexible architecture. Large body of pre-Java 2 code freezes the main interface
to security procedures, i.e. the security manager.
Java 2 Platform Security:Security Manager
Program Code
Java API
Native Libraries Security Manager
Access Controller
Operating System Program-Specific resources
Coordination of Security Manager and Access Controller
Java 2 Platform Security:Security Manager
Native libraries are still outside of the scope of security manager and access controller. Ability to load these libraries can be
restricted. Security manager sometimes
bypasses the access controller.
Java 2 Platform Security:Security Manager
Default setting: Java applications have no security
manager. Needs to be explicitly installed.
With the -Djava.security.manager option
Java applets have a strict security manager.
Java 2 Platform Security:Security Manager
Example: Security exception
if run as applet. No exception if
run as application. But you’ll end up
deleting a directory.
Package java.exampleimport java.applet.*;
public class MaliciousApplet extends Applet { public void init() { try { Runtime.getRuntime().exec(“rmdir foo”); } catch (Exception e) { System.out.println(e); } } public static void main(String args[]) { MaliciousApplet a = new MaliciousApplet(); a.init(); }}
Java 2 Platform Security:Security Manager Java API algorithm for a potentially
dangerous operation:1. Programmer makes request to Java API2. Java API asks security manager if this is
allowed.3. Security manager either disallows by
throwing an exception with the Java API throws back to the program.
4. Otherwise, Java API completes operation and returns normally.
Java 2 Platform Security:Security Manager Code with runtime permission
createSecurityManager can create and set a SecurityManager object.
SecurityManager class provides a complete implementation for sandbox. This is the one you call by specifying –
Djava.security.manager option to a Java application.
Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.
Java 2 Platform Security:Security Manager Security Manager Methods
File Access reading, writing, deleting
Network Access socket creation and use.
Prevents: Rogue applet connects to a third machine over the
network. Rogue applets collects network information and hands
it back to the web server. Protection of virtual machine Protection of threads Protection of system resources
E.g. untrusted classes cannot print, get clipboard, Protection of security aspects
E.g. access to classes, packages, …
Java 2 Platform Security:Access Controller
Access Controller is built upon Code sources: where did the code
come from. Permissions Policies Protection Domains
Java 2 Platform Security:Security Manager
Program Code
Java API
Native Libraries Security Manager
Access Controller
Operating System Program-Specific resources
Coordination of Security Manager and Access Controller
Java 2 Platform Security:Access Controller Code Source Class
Simple object that reflects the URL (http, file, …) from
which a class was loaded that contains the keys that were used to
sign the class. Class loaders are responsible for
creating and manipulating code source objects.
Java 2 Platform Security:Access Controller Permissions
Consist of Type
e.g. java.io.FilePermission Name
e.g. name of file “showWindowWithoutWarningBanner”
Action read file, write file, delete file
Allow Java API to negotiate access to resources.
Allow programmer arbitrary permissions for use within their own programs.
Java 2 Platform Security:Access Controller
Policy Class Specify which permission applies to
which code source. Only a single instance of policy class
can be installed in the virtual machine at any one time.
Java 2 Platform Security:Access Controller
Protection Domain: Grouping of code source and
permissions. When associated with a class:
Given class was loaded from the site specified in the code source.
Was signed by the public keys specified in the source code.
Has the permissions represented in the permission collection object.
Java 2 Platform Security: Secure Class Loading Class Loader is responsible for:
locating and fetching the class file consulting the security policy defining the class object with the appropriate permissions
Dynamic class loading: Lazy loading (on demand loading) Link-time checks for type safety. Programmers can define their own class loaders
Specify remote locations from which classes are loaded. Assign appropriate security attributes for them.
Class loaders provide separate name spaces. Example: browser can load applets from different web pages
using separate class loaders Thus maintaining a degree of isolation between those applet
classes.
Java 2 Platform Security: Secure Class Loading Multiple instances of class loader objects
in JVM: Root is abstract class: java.lang.ClassLoader Has subclass java.security.SecureClassLoader Has subclass java.net.URLClassLoader Utility program Appletviewer uses private
class sun.applet.AppletClassLoader to load applets.
Primordial Class Loader Implemented in sytem-native language loads
classes from the local file system in a platform-dependent manner.
Java 2 Platform Security: Secure Class Loading Class Loader Delegation:
Class loader can either load the class itself Or ask another class loader to do so.
Class Resolution Algorithm: Check if the class has already been loaded. If the current class loader has a specified
delegation parent, delegate to the parent to try to load this class. If there is no parent, delegate to the primordial class loader.
Call a customizable method to find the class elsewhere.
Java 2 Platform Security: Secure Class Loading
Class is defined in a machine-independent binary representation
Called the class file Example: class file of C contains
reference to class D. Symbolic reference is resolved at link time. Class loader for C is the initiating loader for
class D. Class loader for C can delegate to a second
class loader, etc. Delegation relationship is formed at run-
time.
class C { void f() { D d = new D(); … }}
Java 2 Platform Security: Secure Class Loading Class loader performs:
1. Consults security manager.2. If class loader has already loaded the class, find
previously defined class object.3. Otherwise, class loader goes to parent to see whether
the parent knows how to load the class. (Recursive call)4. Consults security manager to see if the program is
allowed to create the class.5. Class file is read into a byte array.6. Create protection domain for the class.
Consult default security model 7. Construct class object from bytecode. Get permissions
associated with the code source.8. Resolve class: any immediate references to other classes
must be found.
Java Security Problems
Security model does not protect against all bad things: Applets that perform annoying tasks
e.g. using up CPU. Installing a local class file or local
native library: An applet can call them if not prevented.
Newer versions of browsers mitigates the adverse potential.