Running Java safely

©2010 Improving Enterprises, Inc.

Lets talk about

Java SafetyJane Prusakova

@Improving Enterprises


TIOBE Programming Community Index Java 16% - 1stC# 6.1% - 6th


Most exploited holes

Many vulnerabilities and exploits found recently



Write once, run anywhere

UbiquitousOver 20 years oldSecurity model first implemented in 1.1.5 - stack inspection with scopes [broken]Exploits combine more than one vulnerability


Java security mechanismJava stack inspection mechanism makes it impossible to abuse target system’s security by the means of arbitrary injection of a stack frame belonging to untrusted code inside a privileged code block (scope).

Security Manager’s check methods verify permissions of all the classes from a current scope (call stack). Stack frames are inspected until either the end of a call stack or a special (privileged) frame is reached.

The permission check will succeed only if all classes from a current code scope have a given permission granted. In the case of encountering an unprivileged stack frame, security exception is thrown, and execution is aborted.


Java security mechanismConcept

Powerful & clever

Single issue rarely leads to full-blown exploit

MechanismComplex and hard to

implement

Poor design and implementation choices abound


Vulnerable APIs

Reflection APIaccess restricted classes, fields and methodscreate restricted objectsInvoke restricted methods

XML Beans DecoderSpecially crafted XML can inject an arbitrary user-defined class into trusted code


Vulnerable implementation

Bytecode Verifier does not properly verify the bytecode instruction stream for the invokespecial

RMI implementation does not verify object type before unmarshalling remote object.


So what?

One or more vulnerabilities are used to compromise the Java sandbox

Intruder process can execute arbitrary code on host machineInstall software, read, change and delete data


Will I get hacked?

Win the lottery1.1 billion desktops 3 billion mobile phones

Run Java version(s) with known exploitsSubject to popular, untargeted attacks



Java: newer is better(on the average, most of the time)

Known bugs get patchedExploits take time to be prepared and distributed

Most organizations are slow to upgradetherefore exploiting older, more popular systems is easier and better valueattack on a brand-new system less likely


Multiple versions of Java

InstalledExposed through the browser


Which Java?

Java 6 (1.6) is the most vulnerableJava 7 is the most secure

Java 6 is by far most prevalent

82% endpoints


Many and old versionsThe average organization has more than 50 distinct versions of Java

93% of organizations run a version of Java 5+ years old


Update is not upgrade

Java update does not remove older versions


Why remove older versions?

Exploits can specify which Java version to run

So a more vulnerable Java install can be targetedWithout user knowledge*Even if newer and safer version is installed


Creating a safer environment

Use Java safelyRegularly upgrade to latest, best patched versionRemove all other installs

Remove all JavaRemove all Java installs

Java embedded in other products is safeIf it is not made available to the browser


Use Java SafelyDetermine the safest version

Less popular version may be more secure

Establish regular upgrade scheduleEnsure removal of earlier versionsAudit regularly for unauthorized installs


Remove Java completely

Use tools to verify and manage uninstallsMonitor network (layer-7 visibility tools)Audit for unauthorized installs

Pick replacement technologyEnsure its safety


Safety in numbers

Java 16% - most popular

1.1bln desktops

Good / Better / Best

Perfect


Questions?

[email protected]

SoftwareAndOtherThings.blogspot.com

@jprusakova Jane Prusakova

http://www.slideshare.net/jprusakova

mailto:[email protected]

http://www.slideshare.net/jprusakova


Lets talk about

Java SafetyJane Prusakova

@Improving Enterprises


ReferencesKaspersky Lab report: Evaluating the threat level of software vulnerabilities. February 1, 2013Java SE security research project Security Explorations, 2013Bit9 research report: Java Vulnerabilities: Write Once, Pwn Anywhere. 2013


Technology

Running Java safely