Professional Documents
Culture Documents
High-level Features:
Platform Security: Built-in language security features enforced by the Java compiler and virtual machine:
Strong data typing Automatic memory management Bytecode verification Secure class loading Comprehensive API
Cryptography
Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4. PKCS#11 cryptographic token support
digital signatures message digests ciphers (symmetric, asymmetric, stream & block) message authentication codes key generators and key factories
High-level Features:
Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture. A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources
High-level Features:
Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), Simple Authentication and Security Layer (SASL). Support for HTTPS over SSL/TLS.
High-level Features:
Public Key Infrastructure (PKI) Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms: Certificates and Certificate Revocation Lists (CRLs): X.509 Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP) KeyStores: PKCS#11, PKCS#12 Certificate Stores (Repositories): LDAP, java.util.
Language is type-safe, and easy to use. (So that mistakes are less likely.)
Done with language features such as Automatic memory management Garbage collection Range checking on strings and arrays.
JVM simulates execution of Java Byte Code. Compiler and bytecode verifier ensure that only legitimate Java bytecodes are executed. Bytecode verifier and JVM guarantee language safety at run time. Classloader defines a local name space:
Sandbox model allows code to run in a very restricted environment. Local code however has full access to valuable system resources.
Correctly signed applet is treated as trusted applet. Applets and signatures are delivered in the JAR (Java Archive) format. Untrusted applets run in the sandbox.
Easily configurable security policy. Easily extensible access control structure. Extension of security checks to all Java programs, including applications as well as applets.
The HotJava browser 1.0 allows the user to choose from a small number of different security levels.
Protection Domains
Set of objects that are currently directly accessible by a principal. Principal is an entity in the computer system to which permissions are granted. Serves to group and to isolate between units of protection. Protection domains are either system domains or application domains.
A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Protection domains are determined by the policy currently in effect. The Java application environment maintains a mapping from code (classes and instances) to their protection domains and then to their permissions.
Java thread can completely occur within a single protection domain. Can also involve application domain and system domain.
Examples:
Needs to interact with system domain that is the access point to an output stream.
Important:
Normal rule:
The permission set of an execution thread is the intersection of the permissions of all protection domains traversed by the execution thread. Exception: doPrivileged call
Enables a piece of trusted code to temporarily enable access to more resources than are available directly to the application that called it.
Example:
Application may not be allowed direct access to files that contain files, but the system utility displaying those fonts needs to obtain them on behalf of the user.
When access to a critical system resource (such as file I/O and network I/O) is requested:
Original Problem:
Users download programs that contain viruses and worms (even in commercial software). Java machines executes downloaded codes, which make the problem worse. Java programs are secure because they cannot install, run, or propagate viruses.
Key Database
Security Manager
Access Controller
Operating System
Bytecode verifier:
Ensures that Java class files follow the rules of Java. Enforces memory protections for all Java programs. Class loader sets permissions for each class it loads.
Class loader:
Key Database
Security Manager
Access Controller
Operating System
Access Controller
Security Manager
Allows / prevents most access from the core API to the operating system Based on policies set by the end user or system administrator.
Primary interface between the core API and the OS Responsible for allowing or preventing access to all system resources. Exists mainly for historical reasons: defers actions to access controller.
Key Database
Security Manager
Access Controller
Operating System
Security Package
Classes in java.security package and those in security extensions. Add security features to applications Provides bases for signing Java classes.
Key Database
Security Manager
Access Controller
Operating System
Key database
Set of keys used by the security infrastructure to create or verify digital signatures.
Key Database
Security Manager
Access Controller
Operating System
Java Sandbox
Permissions
Code sources
Type, name, and action of permission Location from which a class has been loaded (URL) Info on signer (if code is signed) Association of permissions with a particular code Entries that define protection domains
Protection Domains
Policy files
Keystores
However, C++ allows backdoors that give access to protected or private parts of objects
This is not a security problem if the code comes from the same entity. It is a security problem if trusted and untrusted code needs to comingle
Access methods are strictly adhered to. Programs cannot access arbitrary memory locations.
A public final variable could be changed. Attacker changes the values of EAST and WEST in GridBagConstraints and now all applets will change the layout of maps. A subclass overrides a final method and alters its behavior. Attacker overrides the SetPriority() method of the Thread class. A subclass can be created from a final class such as String. Suddenly, String objects are no longer constants.
Attacker declares a huge variable without initialization. Attacker can then read large part of memory hoping to find interesting stuff. Otherwise, buffer overflows by attacker allows overwriting of adjacent memory.
Memory integrity does not prevent the owner of the machine to use tools to look at the memory of an applet.
Needed to exchange objects between clients and servers. Needed to save objects to disk and recreate them later.
Compiler enforcement
A mini-theorem prover:
Class file has the correct format. Final classes are not subclassed and final methods are not overridden. Every class has a single superclass. There is no illegal data conversion of primitive types. There is no illegal data conversion of objects. There are no operand stack overflows or underflows. Java has a data stack (for methods) and an operand stack, the latter is protected.
Verification of tests for field and method access is delayed until code is actually executed. Array bounds checking Object casting
Runtime enforcement
Security Manager provides mechanisms for Java API to see if security related operations are allowed. Access Controller provides bases of the default implementation of the security manager. Class loader encapsulates information about security policies and classes.
Operating System
Program-Specific resources
Security Manager is in control of the security policy of an application. Determines whether particular operations should be permitted or denied. Access controller does pretty much the same. Historical development explains why there are two similar entities.
Java 2: Security manager relies more on access controller. Java 2: Access controller policies specified by policy files. Java 2: More flexible architecture. Large body of pre-Java 2 code freezes the main interface to security procedures, i.e. the security manager.
Operating System
Program-Specific resources
Native libraries are still outside of the scope of security manager and access controller.
Default setting:
Example:
Package java.example import java.applet.*; public class MaliciousApplet extends Applet { public void init() { try { Runtime.getRuntime().exec(rmdir foo); } catch (Exception e) { System.out.println(e); } } public static void main(String args[]) { MaliciousApplet a = new MaliciousApplet(); a.init(); }
3.
4.
Programmer makes request to Java API Java API asks security manager if this is allowed. Security manager either disallows by throwing an exception which the Java API throws back to the program. Otherwise, Java API completes operation and returns normally.
Code with runtime permission createSecurityManager can create and set a SecurityManager object. SecurityManager class provides a complete implementation for sandbox.
This is the one you call by specifying Djava.security.manager option to a Java application. Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.
File Access
Network Access
Prevents: Rogue applet connects to a third machine over the network. Rogue applets collects network information and hands it back to the web server.
Code sources: where did the code come from. Permissions Policies Protection Domains
Operating System
Program-Specific resources
Simple object
that reflects the URL (http, file, ) from which a class was loaded that contains the keys that were used to sign the class.
Class loaders are responsible for creating and manipulating code source objects.
Permissions
Consist of
Type
Name
e.g. java.io.FilePermission e.g. name of file showWindowWithoutWarningBanner read file, write file, delete file
Action
Allow Java API to negotiate access to resources. Allow programmer arbitrary permissions for use within their own programs.
Policy Class
Specify which permission applies to which code source. Only a single instance of policy class can be installed in the virtual machine at any one time.
Protection Domain:
Given class was loaded from the site specified in the code source. Was signed by the public keys specified in the source code. Has the permissions represented in the permission collection object.
locating and fetching the class file consulting the security policy defining the class object with the appropriate permissions
Lazy loading (on demand loading) Link-time checks for type safety. Programmers can define their own class loaders
Specify remote locations from which classes are loaded. Assign appropriate security attributes for them. Example: browser can load applets from different web pages using separate class loaders Thus maintaining a degree of isolation between those applet classes.
Root is abstract class: java.lang.ClassLoader Has subclass java.security.SecureClassLoader Has subclass java.net.URLClassLoader Utility program Appletviewer uses private class sun.applet.AppletClassLoader to load applets.
Implemented in sytem-native language loads classes from the local file system in a platformdependent manner.
Class loader can either load the class itself Or ask another class loader to do so.
Check if the class has already been loaded. If the current class loader has a specified delegation parent, delegate to the parent to try to load this class. If there is no parent, delegate to the primordial class loader. Call a customizable method to find the class elsewhere.
Symbolic reference is resolved at link time. Class loader for C is the initiating loader for class D. Class loader for C can delegate to a second class loader, etc. Delegation relationship is formed at run-time.
1. 2.
3.
4.
5. 6.
Consults security manager. If class loader has already loaded the class, find previously defined class object. Otherwise, class loader goes to parent to see whether the parent knows how to load the class. (Recursive call) Consults security manager to see if the program is allowed to create the class. Class file is read into a byte array. Create protection domain for the class.
Construct class object from bytecode. Get permissions associated with the code source. Resolve class: any immediate references to other classes must be found.
Consult default security model
7.
8.