Professional Documents
Culture Documents
1. Introduction
1.1 Introduction
1
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
1.2 Motivation
TCG uses TPM as root of trust in a process that measures platform‟s software
environment. Starting from the TPM, TCG uses a series of measurements that record
summaries of executed (or executing) software on a platform to ensure transitive trust
from CRTM to BIOS boot block, to OS Loader, to OS Kernel, to OS and to the
application in order. In Trusted Platform, operations on computing platform must be
trusted and unfrosted entities, on other hand, malicious code, will not be prohibited.
Accordingly, TCG constructed a "chain of trust" that beginning from „root of trust‟ in
order to ensure the security of platform and applications.
2
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
In recent studies about using root of trust to build trusted computing platform, R.
Sailer implemented transitive trust from operating system's executable code to
application in the Linux platform [3], HUANG Tao proposed a trusted bootstrap scenario
based on trusted server [4], LI Xiao Yong proposed a Dynamic Multi-path trust Chain
(DMPTC) in Windows environment [5]. In the bootstrap process, HUANG Tao validates
integrity at each layer transition with the trusted server, and only if the validating is
passed, the control right is passed to the next layer. As a result, system bootstrap process
is in a trusted state and identified as a trusted bootstrap process. DMPTC differentiates
static system software and dynamic application software, it controls loading and running
various executable codes by different policies, therefore, DMPTC built up a trusted
computing platform. The above-mentioned emphasizes on using system call to verify
executables‟ integrity and authenticity. However, Java language is platform-independent,
so that determines running of Java applications does not dependent on operating system,
and transitive trust in Java Virtual Machine (JVM) has its uniqueness. In this paper, the
main job is to study and implementation transitive trust in JVM.
3
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
2.1 Concept
Transitive trust, that also known as “Inductive Trust”, is a process where Root of
Trust gives a trustworthy description of a second group of functions. Base on this
description, an interested entity can determine the trust that placed in this second group of
functions. If it is acceptable for the interested entity to determine the trust level of the
second group, the trust boundary is extended from the Root of Trust to the second group
of functions.
In the end-point computer platform, transitive trust of system starts from the root,
and rights of control transmits from the trusted bios to the trusted operation system
loader, then to the trusted operation system and trusted application. In operation system,
the transition of control power means the transition of execution right. Therefore, each of
transition need to be verified to ensure the next step codes will be trusted. Please refer to
the below Fig. 2.1 for more details.
Huang Tao proposed a method in his paper, he assumes BIOS is the root of trust,
and related executable entity and server are trusted. According to above constrains, it is
considered trust from power-on to the complete of bios executing during system booting.
The transitive trust begins from MBR, where after verified by a trusted server, then
4
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
transferred to OS loader and operation system in turn to complete the trusted bootstrap
process.
DMPTC divides the transitive trust into two parts shown as figure 2.1. It is a static
one-way trust transition process during power-on to system loading. However the process
of trusted transition from static kernel boot to applications executing is dynamic and
multi-ways. HOOKAPI is used by DMPTC to verify the executables‟ integrity and
authenticity in system calls of CreateProcess() and LoadLibrary() based on Trusted
Software List (TSL),System calls will complete if the executables pass the authentication,
then “Trust” is transmitted to executable codes; otherwise, system calls will exit and
result will be record. Dynamic and multi-ways chain of trusted transition will be built to
ensure the security and trusted of platform and applications.
5
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
2.2 Design
6
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
3. Implementation
7
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
From the Figure 3.1, we can see the bootstrap class loader loads the extension class
loader and the system classes; the extension class loader loads the application class loader
and extension classes; finally, the application class loader loads application classes. The
java.lang.ClassLoader class, which is the root of the class loader class hierarchy, use
loadClass(String name) method to load class by name. All class loaders, such as
SecureClassLoader and URLClassLoader, are abstract class inherited from the
java.lang.ClassLoader. The class either loads the class itself or delegate to the second
class loader to do it when a class loader is asked to load class. The delegation relationship
is formed when ClassLoader objects are created; it takes the form of a parent-child
relationship. The default implementations of the loadClass() method in the ClassLoader
abstract class, search for a class in the following order:
1. Call findLoadedClass() method to check whether class has already been loaded.
If the class has been loaded, loadClass() method will return a class object.
Otherwise,
2. If this class loader has a specified delegation parent, call the corresponding
loadClass() method of the parent, thereby delegating to the parent the task of
loading the class. If the class loader does not have a delegation parent, call the
findBootstrapClass0() method trying to load the class in system classes.
8
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
3. If none of the class loaders in this class loader's delegation hierarchy loaded the
class, invoke the findClass() method to find the class using this class loader's
implementation-specific mechanism to locate the class.
9
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
By analyzing source code of JDK 5.0, we know that all the class loader are not
overwritten the loadClass() method in the java.lang.ClassLoader. In this case, we can
modify the loadClass() method in java.lang.Classloader, make sure every class loader to
verify authenticity and integrity of class before its loading. The authentication based on
Trusted Class List (TCL), which is including all the trustworthy class file and its digest
list. When loading a class, we firstly find the absolute path of the class being loaded by
the class name before the class loader ask its delegation parent, then calculate the digest
of the class file, finally, verify the digest with the TCL. The loadClass() method will
continue if the class pass the authentication. “Trust” is allowed to transmit to the class;
otherwise, loadClass() method will exit and the result will be recorded. Assuming
bootstrap class loader is trusted, transitive trust will start from bootstrap class loader to
system classes and extension class loader, then go through extension classes and
application class loaders, and finally get to the Java applications.
Because of bootstrap class loader is identified by OS normally as other
applications, we can use DMPTC or other methods to verify integrity and authenticity of
bootstrap class loader, and use it as the “second root of trust‟ in Java platform. Therefore
the total transitive trust start from CRTM to BIOS boot block, and goes through, OS
Loader, OS Kernel, OS, the Java virtual machine and finally reaches trusted Java
applications, ensuring the trust of OS platform and Java platform. It is show as Fig 3.2.
10
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
4. Analysis
11
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
Conclusion
Based on control of class loading in JVM, verifying integrity and of loading class, this
paper implements transitive trust in Java environment and builds a Trusted Java platform.
Because of platform-independent of the Java language, the transitive trust is also platform
independent and the prototype system has strong applicability and usefulness in resisting
malicious Java programs and managing and controlling the Java applications. This paper
studied about control of class loading in JVM, and verifying integrity and authenticity
about classes loaded by JVM to guarantee Java running is trusted, so that it is possible to
build up a Trusted Java Platform and realize the trusted transition process in JVM. As a
conclusion, the prototype system is highly applicable and practical in resisting malicious
Java programs, because trusted transition is unrelated to independent Java platform.
12
Department of Computer Science & Engineering
The Transitive Trust In Java Virtual Machines
References
13
Department of Computer Science & Engineering