Upload
jane-prusakova
View
318
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Lets talk about running Java - safely.
Citation preview
©2010 Improving Enterprises, Inc.
Lets talk about
Java SafetyJane Prusakova
@Improving Enterprises
©2010 Improving Enterprises, Inc.
TIOBE Programming Community Index Java 16% - 1stC# 6.1% - 6th
©2010 Improving Enterprises, Inc.
Most exploited holes
Many vulnerabilities and exploits found recently
©2010 Improving Enterprises, Inc.
©2010 Improving Enterprises, Inc.
Write once, run anywhere
UbiquitousOver 20 years oldSecurity model first implemented in 1.1.5 - stack inspection with scopes [broken]Exploits combine more than one vulnerability
©2010 Improving Enterprises, Inc.
Java security mechanismJava stack inspection mechanism makes it impossible to abuse target system’s security by the means of arbitrary injection of a stack frame belonging to untrusted code inside a privileged code block (scope).
Security Manager’s check methods verify permissions of all the classes from a current scope (call stack). Stack frames are inspected until either the end of a call stack or a special (privileged) frame is reached.
The permission check will succeed only if all classes from a current code scope have a given permission granted. In the case of encountering an unprivileged stack frame, security exception is thrown, and execution is aborted.
©2010 Improving Enterprises, Inc.
Java security mechanismConcept
Powerful & clever
Single issue rarely leads to full-blown exploit
MechanismComplex and hard to
implement
Poor design and implementation choices abound
©2010 Improving Enterprises, Inc.
Vulnerable APIs
Reflection APIaccess restricted classes, fields and methodscreate restricted objectsInvoke restricted methods
XML Beans DecoderSpecially crafted XML can inject an arbitrary user-defined class into trusted code
©2010 Improving Enterprises, Inc.
Vulnerable implementation
Bytecode Verifier does not properly verify the bytecode instruction stream for the invokespecial
RMI implementation does not verify object type before unmarshalling remote object.
©2010 Improving Enterprises, Inc.
So what?
One or more vulnerabilities are used to compromise the Java sandbox
Intruder process can execute arbitrary code on host machineInstall software, read, change and delete data
©2010 Improving Enterprises, Inc.
Will I get hacked?
Win the lottery1.1 billion desktops 3 billion mobile phones
Run Java version(s) with known exploitsSubject to popular, untargeted attacks
©2010 Improving Enterprises, Inc.
©2010 Improving Enterprises, Inc.
Java: newer is better(on the average, most of the time)
Known bugs get patchedExploits take time to be prepared and distributed
Most organizations are slow to upgradetherefore exploiting older, more popular systems is easier and better valueattack on a brand-new system less likely
©2010 Improving Enterprises, Inc.
Multiple versions of Java
InstalledExposed through the browser
©2010 Improving Enterprises, Inc.
Which Java?
Java 6 (1.6) is the most vulnerableJava 7 is the most secure
Java 6 is by far most prevalent
82% endpoints
©2010 Improving Enterprises, Inc.
Many and old versionsThe average organization has more than 50 distinct versions of Java
93% of organizations run a version of Java 5+ years old
©2010 Improving Enterprises, Inc.
Update is not upgrade
Java update does not remove older versions
©2010 Improving Enterprises, Inc.
Why remove older versions?
Exploits can specify which Java version to run
So a more vulnerable Java install can be targetedWithout user knowledge*Even if newer and safer version is installed
©2010 Improving Enterprises, Inc.
Creating a safer environment
Use Java safelyRegularly upgrade to latest, best patched versionRemove all other installs
Remove all JavaRemove all Java installs
Java embedded in other products is safeIf it is not made available to the browser
©2010 Improving Enterprises, Inc.
Use Java SafelyDetermine the safest version
Less popular version may be more secure
Establish regular upgrade scheduleEnsure removal of earlier versionsAudit regularly for unauthorized installs
©2010 Improving Enterprises, Inc.
Remove Java completely
Use tools to verify and manage uninstallsMonitor network (layer-7 visibility tools)Audit for unauthorized installs
Pick replacement technologyEnsure its safety
©2010 Improving Enterprises, Inc.
Safety in numbers
Java 16% - most popular
1.1bln desktops
Good / Better / Best
Perfect
©2010 Improving Enterprises, Inc.
Questions?
SoftwareAndOtherThings.blogspot.com
@jprusakova Jane Prusakova
http://www.slideshare.net/jprusakova
©2010 Improving Enterprises, Inc.
Lets talk about
Java SafetyJane Prusakova
@Improving Enterprises
©2010 Improving Enterprises, Inc.
ReferencesKaspersky Lab report: Evaluating the threat level of software vulnerabilities. February 1, 2013Java SE security research project Security Explorations, 2013Bit9 research report: Java Vulnerabilities: Write Once, Pwn Anywhere. 2013
©2010 Improving Enterprises, Inc.