JSM

Java Security Model
COEN 351: E-Commerce Security
Java Security Model
High-level Features:
Platform Security: Built-in language security features enforced by the Java compiler and virtual machine:
Strong data typing Automatic memory management Bytecode verification Secure class loading Comprehensive API

Cryptography
Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4. PKCS#11 cryptographic token support
digital signatures message digests ciphers (symmetric, asymmetric, stream & block) message authentication codes key generators and key factories
Java Security Model
Authentication and Access Control
Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture. A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources
Java Security Model
Secure Communications APIs and implementations:

Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), Simple Authentication and Security Layer (SASL). Support for HTTPS over SSL/TLS.
Java Security Model
Public Key Infrastructure (PKI) Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms: Certificates and Certificate Revocation Lists (CRLs): X.509 Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP) KeyStores: PKCS#11, PKCS#12 Certificate Stores (Repositories): LDAP, java.util.
Java 2 Platform Security
Language is type-safe, and easy to use. (So that mistakes are less likely.)

Code is executed in the Java Virtual Machine (JVM).

Done with language features such as Automatic memory management Garbage collection Range checking on strings and arrays.
JVM simulates execution of Java Byte Code. Compiler and bytecode verifier ensure that only legitimate Java bytecodes are executed. Bytecode verifier and JVM guarantee language safety at run time. Classloader defines a local name space:
JVM mediates access to crucial system resources.
An untrusted applet cannot interfere with the running of other programs.

SecurityManager class restricts the actions of Java code.
Original Sandbox Model
Code is executed in the Java Virtual Machine (JVM).
JVM simulates execution of Java Byte Code.
Sandbox model allows code to run in a very restricted environment. Local code however has full access to valuable system resources.
JDK 1.1: Signed Applet
Correctly signed applet is treated as trusted applet. Applets and signatures are delivered in the JAR (Java Archive) format. Untrusted applets run in the sandbox.
Fine-grained access control.
Previously, the application writer had to do substantial programming
Easily configurable security policy. Easily extensible access control structure. Extension of security checks to all Java programs, including applications as well as applets.
The HotJava browser 1.0 allows the user to choose from a small number of different security levels.
(e.g., by subclassing and customizing the SecurityManager and ClassLoader classes).
Trust of local code is no longer a built-in concept.
Java 2 Platform Security: Protection Domains
Protection Domains
Set of objects that are currently directly accessible by a principal. Principal is an entity in the computer system to which permissions are granted. Serves to group and to isolate between units of protection. Protection domains are either system domains or application domains.
Example: JDK 1.0 sandbox is a protection domain
A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Protection domains are determined by the policy currently in effect. The Java application environment maintains a mapping from code (classes and instances) to their protection domains and then to their permissions.
Java thread can completely occur within a single protection domain. Can also involve application domain and system domain.
Examples:
Application prints out a message.
Needs to interact with system domain that is the access point to an output stream.
AWT system domain calls an applets paint method to display it.
Important:
Normal rule:
The permission set of an execution thread is the intersection of the permissions of all protection domains traversed by the execution thread. Exception: doPrivileged call
Enables a piece of trusted code to temporarily enable access to more resources than are available directly to the application that called it.
Example:
Application may not be allowed direct access to files that contain files, but the system utility displaying those fonts needs to obtain them on behalf of the user.
When access to a critical system resource (such as file I/O and network I/O) is requested:
the resource-handling code invokes a special AccessController class method

Evaluates the request Decides if the request should be granted or denied.
Each domain needs to implement additional protection of internal resources. Example:
Banking application needs to maintain internal concepts of

checking accounts deposits withdrawals
Java 2 Platform Security Why:
Original Problem:
Users download programs that contain viruses and worms (even in commercial software). Java machines executes downloaded codes, which make the problem worse. Java programs are secure because they cannot install, run, or propagate viruses.
Early work focuses on this issue:

Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Core API Class Files Security Package Core Java API Class Loader
Key Database
Security Manager
Access Controller
Operating System
Bytecode verifier:
Ensures that Java class files follow the rules of Java. Enforces memory protections for all Java programs. Class loader sets permissions for each class it loads.
Class loader:

Key Database
Security Manager
Access Controller
Operating System
Access Controller
Security Manager

Allows / prevents most access from the core API to the operating system Based on policies set by the end user or system administrator.
Primary interface between the core API and the OS Responsible for allowing or preventing access to all system resources. Exists mainly for historical reasons: defers actions to access controller.

Key Database
Security Manager
Access Controller
Operating System
Security Package
Classes in java.security package and those in security extensions. Add security features to applications Provides bases for signing Java classes.

Message digests Keys and certificates Digital signatures Encryption Authentication

Key Database
Security Manager
Access Controller
Operating System
Key database
Set of keys used by the security infrastructure to create or verify digital signatures.

Key Database
Security Manager
Access Controller
Operating System
Java Sandbox
Permissions
Code sources

Type, name, and action of permission Location from which a class has been loaded (URL) Info on signer (if code is signed) Association of permissions with a particular code Entries that define protection domains
Protection Domains
Policy files
Keystores
Comparison with C++
C++ has same access levels
private, (default = package in Java), protected, public
However, C++ allows backdoors that give access to protected or private parts of objects
Casting into an arbitrary memory pointer will do that.
This is not a security problem if the code comes from the same entity. It is a security problem if trusted and untrusted code needs to comingle
Java provides memory integrity
Access methods are strictly adhered to. Programs cannot access arbitrary memory locations.
No pointers in Java. Otherwise:
Entities declared as final must not be changed.
A public final variable could be changed. Attacker changes the values of EAST and WEST in GridBagConstraints and now all applets will change the layout of maps. A subclass overrides a final method and alters its behavior. Attacker overrides the SetPriority() method of the Thread class. A subclass can be created from a final class such as String. Suddenly, String objects are no longer constants.
Java provides memory integrity
Variables may not be used before they are initialized.

Attacker declares a huge variable without initialization. Attacker can then read large part of memory hoping to find interesting stuff. Otherwise, buffer overflows by attacker allows overwriting of adjacent memory.
Array bounds are checked on all array accesses
Objects cannot be cast into other objects.
Memory integrity does not prevent the owner of the machine to use tools to look at the memory of an applet.
Object Serialization and Memory Integrity
Object serialization allows an object to be

written as a series of bytes.
Needed to exchange objects between clients and servers. Needed to save objects to disk and recreate them later.
Enforcement of language rules:
Compiler enforcement
Compiler enforces casting rules,
Byte code verifier
A mini-theorem prover:

Class file has the correct format. Final classes are not subclassed and final methods are not overridden. Every class has a single superclass. There is no illegal data conversion of primitive types. There is no illegal data conversion of objects. There are no operand stack overflows or underflows. Java has a data stack (for methods) and an operand stack, the latter is protected.
Delayed bytecode verification
Verification of tests for field and method access is delayed until code is actually executed. Array bounds checking Object casting
Runtime enforcement

Java 2 Platform Security: Security Manager
Security Manager provides mechanisms for Java API to see if security related operations are allowed. Access Controller provides bases of the default implementation of the security manager. Class loader encapsulates information about security policies and classes.

Program Code Java API Native Libraries Security Manager Access Controller
Operating System
Program-Specific resources
Coordination of Security Manager and Access Controller

Security Manager is in control of the security policy of an application. Determines whether particular operations should be permitted or denied. Access controller does pretty much the same. Historical development explains why there are two similar entities.

Java 2: Security manager relies more on access controller. Java 2: Access controller policies specified by policy files. Java 2: More flexible architecture. Large body of pre-Java 2 code freezes the main interface to security procedures, i.e. the security manager.

Operating System
Native libraries are still outside of the scope of security manager and access controller.
Ability to load these libraries can be restricted.
Security manager sometimes bypasses the access controller.
Default setting:
Java applications have no security manager.
Needs to be explicitly installed.
With the -Djava.security.manager option
Java applets have a strict security manager.
Example:
Package java.example import java.applet.*; public class MaliciousApplet extends Applet { public void init() { try { Runtime.getRuntime().exec(rmdir foo); } catch (Exception e) { System.out.println(e); } } public static void main(String args[]) { MaliciousApplet a = new MaliciousApplet(); a.init(); }
Security exception if run as applet. No exception if run as application.
But youll end up deleting a directory.
Java API algorithm for a potentially dangerous operation:

1. 2.
3.
4.
Programmer makes request to Java API Java API asks security manager if this is allowed. Security manager either disallows by throwing an exception which the Java API throws back to the program. Otherwise, Java API completes operation and returns normally.
Code with runtime permission createSecurityManager can create and set a SecurityManager object. SecurityManager class provides a complete implementation for sandbox.
This is the one you call by specifying Djava.security.manager option to a Java application. Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.
Security Manager Methods
File Access
reading, writing, deleting socket creation and use.
Network Access
Prevents: Rogue applet connects to a third machine over the network. Rogue applets collects network information and hands it back to the web server.
Protection of virtual machine Protection of threads Protection of system resources
E.g. untrusted classes cannot print, get clipboard,

E.g. access to classes, packages,
Protection of security aspects
Java 2 Platform Security: Access Controller
Access Controller is built upon
Code sources: where did the code come from. Permissions Policies Protection Domains

Operating System
Code Source Class
Simple object
that reflects the URL (http, file, ) from which a class was loaded that contains the keys that were used to sign the class.
Class loaders are responsible for creating and manipulating code source objects.
Permissions
Consist of
Type
Name

e.g. java.io.FilePermission e.g. name of file showWindowWithoutWarningBanner read file, write file, delete file
Action
Allow Java API to negotiate access to resources. Allow programmer arbitrary permissions for use within their own programs.
Policy Class
Specify which permission applies to which code source. Only a single instance of policy class can be installed in the virtual machine at any one time.
Protection Domain:

Grouping of code source and permissions. When associated with a class:
Given class was loaded from the site specified in the code source. Was signed by the public keys specified in the source code. Has the permissions represented in the permission collection object.
Java 2 Platform Security: Secure Class Loading
Class Loader is responsible for:

Dynamic class loading:

locating and fetching the class file consulting the security policy defining the class object with the appropriate permissions
Lazy loading (on demand loading) Link-time checks for type safety. Programmers can define their own class loaders

Class loaders provide separate name spaces.

Specify remote locations from which classes are loaded. Assign appropriate security attributes for them. Example: browser can load applets from different web pages using separate class loaders Thus maintaining a degree of isolation between those applet classes.
Multiple instances of class loader objects in JVM:

Primordial Class Loader
Root is abstract class: java.lang.ClassLoader Has subclass java.security.SecureClassLoader Has subclass java.net.URLClassLoader Utility program Appletviewer uses private class sun.applet.AppletClassLoader to load applets.
Implemented in sytem-native language loads classes from the local file system in a platformdependent manner.
Class Loader Delegation:
Class Resolution Algorithm:

Class loader can either load the class itself Or ask another class loader to do so.
Check if the class has already been loaded. If the current class loader has a specified delegation parent, delegate to the parent to try to load this class. If there is no parent, delegate to the primordial class loader. Call a customizable method to find the class elsewhere.

class C { void f() { D d = new D(); } }
Class is defined in a machine-independent binary representation
Called the class file
Example: class file of C contains reference to class D.

Symbolic reference is resolved at link time. Class loader for C is the initiating loader for class D. Class loader for C can delegate to a second class loader, etc. Delegation relationship is formed at run-time.
1. 2.
Class loader performs:
3.
4.
5. 6.
Consults security manager. If class loader has already loaded the class, find previously defined class object. Otherwise, class loader goes to parent to see whether the parent knows how to load the class. (Recursive call) Consults security manager to see if the program is allowed to create the class. Class file is read into a byte array. Create protection domain for the class.
Construct class object from bytecode. Get permissions associated with the code source. Resolve class: any immediate references to other classes must be found.
Consult default security model
7.
8.
Java Security Problems
Security model does not protect against all bad things:
Applets that perform annoying tasks
e.g. using up CPU.
Installing a local class file or local native library:
An applet can call them if not prevented.
Newer versions of browsers mitigates the adverse potential.

JSM

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

JSM

Uploaded by

Copyright:

Available Formats

Java Security Model

COEN 351: E-Commerce Security

Java Security Model

Java Security Model

Authentication and Access Control

Java Security Model

Secure Communications APIs and implementations:

Java Security Model

Java 2 Platform Security

Code is executed in the Java Virtual Machine (JVM).

JVM mediates access to crucial system resources.

An untrusted applet cannot interfere with the running of other programs.

Java 2 Platform Security

Original Sandbox Model

Code is executed in the Java Virtual Machine (JVM).

JVM simulates execution of Java Byte Code.

Java 2 Platform Security

JDK 1.1: Signed Applet

Java 2 Platform Security

Java 2 Platform Security

Fine-grained access control.

Previously, the application writer had to do substantial programming

(e.g., by subclassing and customizing the SecurityManager and ClassLoader classes).

Trust of local code is no longer a built-in concept.

Java 2 Platform Security

Java 2 Platform Security: Protection Domains

Example: JDK 1.0 sandbox is a protection domain

Java 2 Platform Security: Protection Domains

Java 2 Platform Security: Protection Domains

Java 2 Platform Security: Protection Domains

Java 2 Platform Security: Protection Domains

Application prints out a message.

AWT system domain calls an applets paint method to display it.

Java 2 Platform Security: Protection Domains

Java 2 Platform Security: Protection Domains

the resource-handling code invokes a special AccessController class method

Evaluates the request Decides if the request should be granted or denied.

Java 2 Platform Security: Protection Domains

Each domain needs to implement additional protection of internal resources. Example:

Banking application needs to maintain internal concepts of

checking accounts deposits withdrawals

Java 2 Platform Security Why:

Early work focuses on this issue:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Message digests Keys and certificates Digital signatures Encryption Authentication

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Java 2 Platform Security Why:

Comparison with C++

C++ has same access levels

private, (default = package in Java), protected, public

Casting into an arbitrary memory pointer will do that.

Java 2 Platform Security Why:

Java provides memory integrity

No pointers in Java. Otherwise:

Entities declared as final must not be changed.

Java 2 Platform Security Why: