1 / 59

Java Security Model

Java Security Model. COEN 351: E-Commerce Security. Java Security Model. High-level Features: Platform Security: Built-in language security features enforced by the Java compiler and virtual machine: Strong data typing Automatic memory management Bytecode verification Secure class loading

isleen
Download Presentation

Java Security Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Java Security Model COEN 351: E-Commerce Security

  2. Java Security Model • High-level Features: • Platform Security: Built-in language security features enforced by the Java compiler and virtual machine: • Strong data typing • Automatic memory management • Bytecode verification • Secure class loading • Cryptography • Comprehensive API • digital signatures • message digests • ciphers (symmetric, asymmetric, stream & block) • message authentication codes • key generators and key factories • Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4. • PKCS#11 cryptographic token support

  3. Java Security Model • High-level Features: • Authentication and Access Control • Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture. • A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources

  4. Java Security Model • High-level Features: • Secure Communications APIs and implementations: • Transport Layer Security (TLS), • Secure Sockets Layer (SSL), • Kerberos (accessible through GSS-API), • Simple Authentication and Security Layer (SASL). • Support for HTTPS over SSL/TLS.

  5. Java Security Model • High-level Features: • Public Key Infrastructure (PKI) • Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms: • Certificates and Certificate Revocation Lists (CRLs): X.509 • Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP) • KeyStores: PKCS#11, PKCS#12 • Certificate Stores (Repositories): LDAP, java.util.

  6. Java 2 Platform Security • Language is type-safe, and easy to use. (So that mistakes are less likely.) • Done with language features such as • Automatic memory management • Garbage collection • Range checking on strings and arrays. • Code is executed in the Java Virtual Machine (JVM). • JVM simulates execution of Java Byte Code. • Compiler and bytecode verifier ensure that only legitimate Java bytecodes are executed. • Bytecode verifier and JVM guarantee language safety at run time. • Classloader defines a local name space: • An untrusted applet cannot interfere with the running of other programs. • JVM mediates access to crucial system resources. • SecurityManager class restricts the actions of Java code.

  7. Java 2 Platform Security • Original Sandbox Model • Code is executed in the Java Virtual Machine (JVM). • JVM simulates execution of Java Byte Code. • Sandbox model allows code to run in a very restricted environment. • Local code however has full access to valuable system resources.

  8. Java 2 Platform Security • JDK 1.1: “Signed Applet” • Correctly signed applet is treated as trusted applet. • Applets and signatures are delivered in the JAR (Java Archive) format. • Untrusted applets run in the sandbox.

  9. Java 2 Platform Security • Java 2 Platform Security • Fine-grained access control. • Previously, the application writer had to do substantial programming • (e.g., by subclassing and customizing the SecurityManager and ClassLoader classes). • The HotJava browser 1.0 allows the user to choose from a small number of different security levels. • Easily configurable security policy. • Easily extensible access control structure. • Extension of security checks to all Java programs, including applications as well as applets. • Trust of local code is no longer a built-in concept.

  10. Java 2 Platform Security

  11. Java 2 Platform Security: Protection Domains • Protection Domains • Set of objects that are currently directly accessible by a principal. • Principal is an entity in the computer system to which permissions are granted. • Serves to group and to isolate between units of protection. • Protection domains are either system domains or application domains.

  12. Java 2 Platform Security: Protection Domains

  13. Java 2 Platform Security:Protection Domains • A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. • Protection domains are determined by the policy currently in effect. • The Java application environment maintains a mapping from code (classes and instances) to their protection domains and then to their permissions.

  14. Java 2 Platform Security: Protection Domains

  15. Java 2 Platform Security: Protection Domains • Java thread can completely occur within a single protection domain. • Can also involve application domain and system domain. • Examples: • Application prints out a message. • Needs to interact with system domain that is the access point to an output stream. • AWT system domain calls an applet’s paint method to display it. • Important: A less "powerful" domain cannot gain additional permissions as a result of calling or being called by a more powerful domain.

  16. Java 2 Platform Security: Protection Domains • Normal rule: • The permission set of an execution thread is the intersection of the permissions of all protection domains traversed by the execution thread. • Exception: doPrivileged call • Enables a piece of trusted code to temporarily enable access to more resources than are available directly to the application that called it. • Example: • Application may not be allowed direct access to files that contain files, but the system utility displaying those fonts needs to obtain them on behalf of the user.

  17. Java 2 Platform Security: Protection Domains • When access to a critical system resource (such as file I/O and network I/O) is requested: • the resource-handling code invokes a special AccessController class method • Evaluates the request • Decides if the request should be granted or denied.

  18. Java 2 Platform Security: Protection Domains • Each domain needs to implement additional protection of internal resources. • Example: • Banking application needs to maintain internal concepts of • checking accounts • deposits • withdrawals

  19. Java 2 Platform SecurityWhy: • Original Problem: • Users download programs that contain viruses and worms (even in commercial software). • Java machines executes downloaded codes, which make the problem worse. • Early work focuses on this issue: • Java programs are secure because they cannot install, run, or propagate viruses.

  20. Java 2 Platform SecurityWhy: Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Class Loader Core API Class Files Core Java API Security Package Security Manager Access Controller Key Database Operating System

  21. Java 2 Platform SecurityWhy: • Bytecode verifier: • Ensures that Java class files follow the rules of Java. • Enforces memory protections for all Java programs. • Class loader: • Class loader sets permissions for each class it loads.

  22. Java 2 Platform SecurityWhy: Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Class Loader Core API Class Files Core Java API Security Package Security Manager Access Controller Key Database Operating System

  23. Java 2 Platform SecurityWhy: • Access Controller • Allows / prevents most access from the core API to the operating system • Based on policies set by the end user or system administrator. • Security Manager • Primary interface between the core API and the OS • Responsible for allowing or preventing access to all system resources. • Exists mainly for historical reasons: defers actions to access controller.

  24. Java 2 Platform SecurityWhy: Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Class Loader Core API Class Files Core Java API Security Package Security Manager Access Controller Key Database Operating System

  25. Java 2 Platform SecurityWhy: • Security Package • Classes in java.security package and those in security extensions. • Add security features to applications • Provides bases for signing Java classes. • Message digests • Keys and certificates • Digital signatures • Encryption • Authentication

  26. Java 2 Platform SecurityWhy: Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Class Loader Core API Class Files Core Java API Security Package Security Manager Access Controller Key Database Operating System

  27. Java 2 Platform SecurityWhy: • Key database • Set of keys used by the security infrastructure to create or verify digital signatures.

  28. Java 2 Platform SecurityWhy: Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Class Loader Core API Class Files Core Java API Security Package Security Manager Access Controller Key Database Operating System

  29. Java 2 Platform SecurityWhy: • Java Sandbox • Permissions • Type, name, and action of permission • Code sources • Location from which a class has been loaded (URL) • Info on signer (if code is signed) • Protection Domains • Association of permissions with a particular code • Policy files • Entries that define protection domains • Keystores

  30. Java 2 Platform SecurityWhy: • Comparison with C++ • C++ has same access levels • private, (default = package in Java), protected, public • However, C++ allows backdoors that give access to protected or private parts of objects • Casting into an arbitrary memory pointer will do that. • This is not a security problem if the code comes from the same entity. • It is a security problem if trusted and untrusted code needs to comingle

  31. Java 2 Platform SecurityWhy: • Java provides memory integrity • Access methods are strictly adhered to. • Programs cannot access arbitrary memory locations. • No pointers in Java. • Entities declared as final must not be changed. • Otherwise: • A public final variable could be changed. • Attacker changes the values of EAST and WEST in GridBagConstraints and now all applets will change the layout of maps. • A subclass overrides a final method and alters its behavior. • Attacker overrides the SetPriority() method of the Thread class. • A subclass can be created from a final class such as String. • Suddenly, String objects are no longer constants.

  32. Java 2 Platform SecurityWhy: • Java provides memory integrity • Variables may not be used before they are initialized. • Attacker declares a huge variable without initialization. • Attacker can then read large part of memory hoping to find interesting stuff. • Array bounds are checked on all array accesses • Otherwise, buffer overflows by attacker allows overwriting of adjacent memory. • Objects cannot be cast into other objects.

  33. Java 2 Platform SecurityWhy: • Memory integrity does not prevent the owner of the machine to use tools to look at the memory of an applet.

  34. Java 2 Platform SecurityWhy: • Object Serialization and Memory Integrity • Object serialization allows an object to be written as a series of bytes. • Needed to exchange objects between clients and servers. • Needed to save objects to disk and recreate them later.

  35. Java 2 Platform SecurityWhy: • Enforcement of language rules: • Compiler enforcement • Compiler enforces casting rules, …

  36. Java 2 Platform SecurityWhy: • Enforcement of language rules: • Byte code verifier • A mini-theorem prover: • Class file has the correct format. • Final classes are not subclassed and final methods are not overridden. • Every class has a single superclass. • There is no illegal data conversion of primitive types. • There is no illegal data conversion of objects. • There are no operand stack overflows or underflows. • Java has a data stack (for methods) and an operand stack, the latter is protected.

  37. Java 2 Platform SecurityWhy: • Enforcement of language rules: • Delayed bytecode verification • Verification of tests for field and method access is delayed until code is actually executed. • Runtime enforcement • Array bounds checking • Object casting

  38. Java 2 Platform Security:Security Manager • Security Manager provides mechanisms for Java API to see if security related operations are allowed. • Access Controller provides bases of the default implementation of the security manager. • Class loader encapsulates information about security policies and classes.

  39. Java 2 Platform Security:Security Manager Program Code Java API Native Libraries Security Manager Access Controller Operating System Program-Specific resources Coordination of Security Manager and Access Controller

  40. Java 2 Platform Security:Security Manager • Security Manager is in control of the security policy of an application. • Determines whether particular operations should be permitted or denied. • Access controller does pretty much the same. • Historical development explains why there are two similar entities. • Java 2: Security manager relies more on access controller. • Java 2: Access controller policies specified by policy files. • Java 2: More flexible architecture. • Large body of pre-Java 2 code freezes the main interface to security procedures, i.e. the security manager.

  41. Java 2 Platform Security:Security Manager Program Code Java API Native Libraries Security Manager Access Controller Operating System Program-Specific resources Coordination of Security Manager and Access Controller

  42. Java 2 Platform Security:Security Manager • Native libraries are still outside of the scope of security manager and access controller. • Ability to load these libraries can be restricted. • Security manager sometimes bypasses the access controller.

  43. Java 2 Platform Security:Security Manager • Default setting: • Java applications have no security manager. • Needs to be explicitly installed. • With the -Djava.security.manager option • Java applets have a strict security manager.

  44. Java 2 Platform Security:Security Manager Package java.example import java.applet.*; public class MaliciousApplet extends Applet { public void init() { try { Runtime.getRuntime().exec(“rmdir foo”); } catch (Exception e) { System.out.println(e); } } public static void main(String args[]) { MaliciousApplet a = new MaliciousApplet(); a.init(); } } • Example: • Security exception if run as applet. • No exception if run as application. • But you’ll end up deleting a directory.

  45. Java 2 Platform Security:Security Manager • Java API algorithm for a potentially dangerous operation: • Programmer makes request to Java API • Java API asks security manager if this is allowed. • Security manager either disallows by throwing an exception with the Java API throws back to the program. • Otherwise, Java API completes operation and returns normally.

  46. Java 2 Platform Security:Security Manager • Code with runtime permission createSecurityManager can create and set a SecurityManager object. • SecurityManager class provides a complete implementation for sandbox. • This is the one you call by specifying –Djava.security.manager option to a Java application. • Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.

  47. Java 2 Platform Security:Security Manager • Security Manager Methods • File Access • reading, writing, deleting • Network Access • socket creation and use. • Prevents: • Rogue applet connects to a third machine over the network. • Rogue applets collects network information and hands it back to the web server. • Protection of virtual machine • Protection of threads • Protection of system resources • E.g. untrusted classes cannot print, get clipboard, • Protection of security aspects • E.g. access to classes, packages, …

  48. Java 2 Platform Security:Access Controller • Access Controller is built upon • Code sources: where did the code come from. • Permissions • Policies • Protection Domains

  49. Java 2 Platform Security:Security Manager Program Code Java API Native Libraries Security Manager Access Controller Operating System Program-Specific resources Coordination of Security Manager and Access Controller

  50. Java 2 Platform Security:Access Controller • Code Source Class • Simple object • that reflects the URL (http, file, …) from which a class was loaded • that contains the keys that were used to sign the class. • Class loaders are responsible for creating and manipulating code source objects.

More Related