The Transitive Trust In Java Virtual Machines

1. Introduction

1.1 Introduction

The Trusted Computing Group (TCG [1]) is a not-profit organization formed to

develop, define, and promote open standards for hardware-enabled trusted computing and
security technologies. Its primary goal is to help users protect their data and digital
identities on their systems more secure from external software attack and physical theft.
TCG designed a specification for Trusted Platform (TP) which creates a foundation of
trust for software processes, based on a small amount of hardware within such platforms.
Within each Trusted Platform is a Trusted Sub-system, which contains a TPM, a core
Root of Trust for Measurement (CRTM [2]), and support software (Trusted platform
Support Service or TSS [2]). CRTM, i.e. the BIOS Boot Block, is the first software to run
during boot process and is preferably physically located within TPM, although it isn‟t
essential. TPM provides mechanism of integrity measurement, storage, and report of a
platform, so that strong protection capabilities and attestations can be achieved.

1
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

1.2 Motivation

TCG uses TPM as root of trust in a process that measures platform‟s software
environment. Starting from the TPM, TCG uses a series of measurements that record
summaries of executed (or executing) software on a platform to ensure transitive trust
from CRTM to BIOS boot block, to OS Loader, to OS Kernel, to OS and to the
application in order. In Trusted Platform, operations on computing platform must be
trusted and unfrosted entities, on other hand, malicious code, will not be prohibited.
Accordingly, TCG constructed a "chain of trust" that beginning from „root of trust‟ in
order to ensure the security of platform and applications.

2
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

1.3 Literature Survey

In recent studies about using root of trust to build trusted computing platform, R.
Sailer implemented transitive trust from operating system's executable code to
application in the Linux platform [3], HUANG Tao proposed a trusted bootstrap scenario
based on trusted server [4], LI Xiao Yong proposed a Dynamic Multi-path trust Chain
(DMPTC) in Windows environment [5]. In the bootstrap process, HUANG Tao validates
integrity at each layer transition with the trusted server, and only if the validating is
passed, the control right is passed to the next layer. As a result, system bootstrap process
is in a trusted state and identified as a trusted bootstrap process. DMPTC differentiates
static system software and dynamic application software, it controls loading and running
various executable codes by different policies, therefore, DMPTC built up a trusted
computing platform. The above-mentioned emphasizes on using system call to verify
executables‟ integrity and authenticity. However, Java language is platform-independent,
so that determines running of Java applications does not dependent on operating system,
and transitive trust in Java Virtual Machine (JVM) has its uniqueness. In this paper, the
main job is to study and implementation transitive trust in JVM.

3
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

2. Concept and Design

2.1 Concept

Transitive trust, that also known as “Inductive Trust”, is a process where Root of
Trust gives a trustworthy description of a second group of functions. Base on this
description, an interested entity can determine the trust that placed in this second group of
functions. If it is acceptable for the interested entity to determine the trust level of the
second group, the trust boundary is extended from the Root of Trust to the second group
of functions.
In the end-point computer platform, transitive trust of system starts from the root,
and rights of control transmits from the trusted bios to the trusted operation system
loader, then to the trusted operation system and trusted application. In operation system,
the transition of control power means the transition of execution right. Therefore, each of
transition need to be verified to ensure the next step codes will be trusted. Please refer to
the below Fig. 2.1 for more details.

Figure 2.1: Transitive Trust of Computing Platform

Huang Tao proposed a method in his paper, he assumes BIOS is the root of trust,
and related executable entity and server are trusted. According to above constrains, it is
considered trust from power-on to the complete of bios executing during system booting.
The transitive trust begins from MBR, where after verified by a trusted server, then

4
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

transferred to OS loader and operation system in turn to complete the trusted bootstrap
process.
DMPTC divides the transitive trust into two parts shown as figure 2.1. It is a static
one-way trust transition process during power-on to system loading. However the process
of trusted transition from static kernel boot to applications executing is dynamic and
multi-ways. HOOKAPI is used by DMPTC to verify the executables‟ integrity and
authenticity in system calls of CreateProcess() and LoadLibrary() based on Trusted
Software List (TSL),System calls will complete if the executables pass the authentication,
then “Trust” is transmitted to executable codes; otherwise, system calls will exit and
result will be record. Dynamic and multi-ways chain of trusted transition will be built to
ensure the security and trusted of platform and applications.

5
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

2.2 Design

In a Java platform, Java virtual machine executes Java application. According to

the transitive trust of computer platform, we can assure that the Java virtual machine is
trusted. We use the trusted JVM as “second root of trust”, and the trusted JVM will verify
every Java application, so we can design a transitive trust model in the JVM to build a
Trusted Java Platform. Figure 2.2 shows that.

Figure 2.2: Transitive Trust Model in JVM

6
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

3. Implementation

3.1 Property of Loading Class in Java Platform

Java is a platform-independent language, and it is a strict program development

language which does not include any unsafe constructions, such as array accesses without
index checking. Java program is generally compiled into a particular file format that
called „class file format‟, which contains JVM instructions (or byte codes), a symbol
table, as well as ancillary information. JVM is an abstract computing machine and does
not assume any particular implementation technology or host platform.JVM does not
recognize Java programming language but only class format. Binary class files are loaded
into a JVM and then linked, initialized, and executed.
Class is the smallest unit in Java software components and is loaded by class
loader and dynamic class loading [6][7] is used in JVM. Because each class loader is an
instance of a class that must be loaded by another class loader, a “primordial” class loader
is needed to bootstrap the class loading process. This is formally referred as bootstrap
class loader that is sometimes written in a native language, such as C language. The
bootstrap class loader loads classes from local file system in a platform-dependent
manner.
System classes that are essential for the correct function of JVM and Java runtime
environment are loaded and defined by the bootstrap class loader. Another well-know
class loader instance is extension class loader, which loads classes from installed optional
packages. The bootstrap class loader loads the system class loader and extension class
loader. Sometimes the bootstrap class loader is also functioned as the system class loader.
The loading relationship between class loader and all classes is illustrated in Figure 3.1.
In this class loading tree, the class that is not a class loader is a leaf node. The
immediately preceding node of each class is its defining class loader, with the bootstrap
class loader being the root class. Such a structure is a tree because there cannot be cycles,
meaning that a class loader cannot load its own ancestor class loader.

7
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

Figure 3.1: Class Loading Relationship

From the Figure 3.1, we can see the bootstrap class loader loads the extension class
loader and the system classes; the extension class loader loads the application class loader
and extension classes; finally, the application class loader loads application classes. The
java.lang.ClassLoader class, which is the root of the class loader class hierarchy, use
loadClass(String name) method to load class by name. All class loaders, such as
SecureClassLoader and URLClassLoader, are abstract class inherited from the
java.lang.ClassLoader. The class either loads the class itself or delegate to the second
class loader to do it when a class loader is asked to load class. The delegation relationship
is formed when ClassLoader objects are created; it takes the form of a parent-child
relationship. The default implementations of the loadClass() method in the ClassLoader
abstract class, search for a class in the following order:
1. Call findLoadedClass() method to check whether class has already been loaded.
If the class has been loaded, loadClass() method will return a class object.
Otherwise,
2. If this class loader has a specified delegation parent, call the corresponding
loadClass() method of the parent, thereby delegating to the parent the task of
loading the class. If the class loader does not have a delegation parent, call the
findBootstrapClass0() method trying to load the class in system classes.

8
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

3. If none of the class loaders in this class loader's delegation hierarchy loaded the
class, invoke the findClass() method to find the class using this class loader's
implementation-specific mechanism to locate the class.

At the end, the loadClass() method will return a ClassNotFoundException exception

if none class has been found.

9
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

3.2 Building the Transitive Trust in JVM

By analyzing source code of JDK 5.0, we know that all the class loader are not
overwritten the loadClass() method in the java.lang.ClassLoader. In this case, we can
modify the loadClass() method in java.lang.Classloader, make sure every class loader to
verify authenticity and integrity of class before its loading. The authentication based on
Trusted Class List (TCL), which is including all the trustworthy class file and its digest
list. When loading a class, we firstly find the absolute path of the class being loaded by
the class name before the class loader ask its delegation parent, then calculate the digest
of the class file, finally, verify the digest with the TCL. The loadClass() method will
continue if the class pass the authentication. “Trust” is allowed to transmit to the class;
otherwise, loadClass() method will exit and the result will be recorded. Assuming
bootstrap class loader is trusted, transitive trust will start from bootstrap class loader to
system classes and extension class loader, then go through extension classes and
application class loaders, and finally get to the Java applications.
Because of bootstrap class loader is identified by OS normally as other
applications, we can use DMPTC or other methods to verify integrity and authenticity of
bootstrap class loader, and use it as the “second root of trust‟ in Java platform. Therefore
the total transitive trust start from CRTM to BIOS boot block, and goes through, OS
Loader, OS Kernel, OS, the Java virtual machine and finally reaches trusted Java
applications, ensuring the trust of OS platform and Java platform. It is show as Fig 3.2.

Figure 3.2: Transitive Trust in Java Platform

10
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

4. Analysis

4.1 Performance Analysis

Dynamic class loading is a fundamental feature of JVM. The feature enables

classes are loaded on demand and as they are needed to resolve links. Even more, it
makes sure a class which is loaded by a class loader will not be loaded by the same class
loader again. So the class which is already loaded will not be verified again when
verifying loaded class, it is reducing the performance loss caused by the frequency load
of system classes and improving the efficiency of the verification. At the same time, we
use the Binary search method when searching TCL and further improve verification
performance ensure feasibility of the module.

11
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

Conclusion

Based on control of class loading in JVM, verifying integrity and of loading class, this
paper implements transitive trust in Java environment and builds a Trusted Java platform.
Because of platform-independent of the Java language, the transitive trust is also platform
independent and the prototype system has strong applicability and usefulness in resisting
malicious Java programs and managing and controlling the Java applications. This paper
studied about control of class loading in JVM, and verifying integrity and authenticity
about classes loaded by JVM to guarantee Java running is trusted, so that it is possible to
build up a Trusted Java Platform and realize the trusted transition process in JVM. As a
conclusion, the prototype system is highly applicable and practical in resisting malicious
Java programs, because trusted transition is unrelated to independent Java platform.

12
Department of Computer Science & Engineering
 The Transitive Trust In Java Virtual Machines

References

[1] TCG. TCG Specification Architecture Overview, Version1.2.

https://www.trustedcomputinggroup.org.
[2] TCG. TCG PC Specification ImplementationSpecification, Version
1.1.https://www.trustedcomputinggroup.org.
[3] Reiner Sailer, Xiaolan Zhang, Trent Jaeger, Leendert van Doorn. Design and
implementation of TCG-based integrity measurement architecture. The 13thUsenix
Security Symposium, San Diego, 2004.
[4] Huang Tao, Shen Chang-Xiang. A Trusted BootstrapScenario Based Trusted Server.
Journal of WuhanUniversity, Vol. 50, No.S1, pp. 12-14, 2004.
[5] Li Xiao-Yong, Shen Chang-Xiang. Transitive Trustand Performance Analysis in
Windows Environment.Journal of Computer Research and Development, Vol.44, No. 11,
pp. 1889-1895, 2007.
[6] Li Gong, Gary Ellison, Mary Dageforde. InsideJava™ 2 Platform Security:
Architecture, API Design,and Implementation, Second Edition, pp. 273-279 June 06,
2003.
[7] Sheng Liang, GiladBracha. Dynamic Class Loading in the Java Virtual Machine.
Proceeding of the ACMConference on Object Oriented Programming Systems,
Languages, and Applications, Vancouver, British Columbia, pp.36-44, October 1998.

13
Department of Computer Science & Engineering