1. Software Security
Pieter.Hartel@utwente.nl
3. Overview
Java
Java Card
Code Certification
Attacks
Conclusions
4. Java & Java Card
5. What is Java Safety?
Definition: nothing bad will happen
Type safety
Memory safety
Java safety is limited
6. What is Java Security?
Access control to resources
Java security policy (what)
Policy manager assigns permissions to code base
Java security mechanisms (how)
Stack Inspection checks each frame

Para 2.4 ACMCS paper:
Security manager consists of two components:
Policy manager, which assigns permissions to a code source (basically the URL where the class came from), specified in the policy file
Access controller performs stack inspection to ensure that all stack frames of the current call permit access, basically the intersection of all permissions
There is a super user role which blurs the picture a bit
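A model of that stack inspection as an added example (not the JDK's AccessController and not code from the lecture); the code sources, the policy table and the frames are constructed:

```python
# Added model of slide-6 stack inspection; POLICY is a constructed policy file
# mapping a code source (the URL the classes came from) to its permissions.
POLICY = {
    "file:/opt/app/": {"read:/etc/hosts", "write:/tmp/app.log"},
    "http://untrusted.example/": {"net:example.org"},
    "file:/usr/lib/jre/": {"read:/etc/hosts", "write:/tmp/app.log",
                           "net:example.org", "read:/etc/passwd"},
}

def permissions(code_source):
    """Policy manager: permissions granted to a code source (none if unknown)."""
    return POLICY.get(code_source, set())

def check_permission(stack, perm):
    """Access controller. stack lists (code_source, privileged) frames with the
    innermost frame last. Walking outwards, every frame must hold perm, i.e.
    the intersection of their permission sets must contain it. A privileged
    frame (the super-user role, cf. doPrivileged) ends the walk early, so its
    callers are not inspected: that is what blurs the picture."""
    for code_source, privileged in reversed(stack):
        if perm not in permissions(code_source):
            return False
        if privileged:
            return True
    return True
```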
7. How is Java implemented?
Parsing
Type checking
Code generation
Class loading
Byte code verification
Execution

ACMCS paper para 2.3:
Class loading is basically a format check
Byte code verification is basically type checking
-Check that frames do not under- or overflow
-Check that all byte codes are valid
-Check that variables are initialised before use, etc.
8. Java → JVM: initialisation example
9. Security through obscurity?
Information needed for safe loading ≈ information needed for de-compilation
Only name obfuscation feasible
10. Java Card Basics
Processing APDUs (more...)
High level features
Persistent objects in EEPROM
Transient objects in RAM (Clear on Reset, Clear on Deselect)
Atomic operations and transactions
Applet firewall and controlled object sharing (more...)
No need for expensive message passing
11. Java vs. Java Card
Java Card is a subset of Java
Subset of API, exceptions
No concurrency, no garbage collection
Java Card is an extension of Java
Transactions, sharable objects, persistence
However, a smart card is not a PC
+ Tamper resistant
- Small, slow

Credit card fraud dropped by 75% over 5 years from 1992 in France
12. Java Card architecture
13. Applet Development
14. Applet naming
AID = RID (5 bytes) || PIX (0..11 bytes)
RID assigned by ISO to companies
PIX assigned by individual company
15. Applet life cycle
JCRE never stops
APDU controls applet, format:
install and process applet methods
16. Processing an APDU
import javacard.framework.APDU;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;

// process() of a javacard.framework.Applet subclass; the JCRE calls it once per command APDU
public void process(APDU apdu) {
    byte[] buffer = apdu.getBuffer();
    byte cla = buffer[ISO7816.OFFSET_CLA];
    byte ins = buffer[ISO7816.OFFSET_INS];
    // Mask with 0x00FF: a Java byte is signed, so an Lc above 127 would otherwise read as negative
    short bytesLeft = (short) (buffer[ISO7816.OFFSET_LC] & 0x00FF);
    if (bytesLeft < (short) 55) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    // Receive the command data in chunks until all Lc bytes have arrived
    short readCount = apdu.setIncomingAndReceive();
    while (bytesLeft > 0) {
        bytesLeft -= readCount;
        readCount = apdu.receiveBytes(ISO7816.OFFSET_CDATA);
    }
    // Switch to outgoing mode and send a 3-byte response
    short le = apdu.setOutgoing();
    if (le < (short) 2) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    apdu.setOutgoingLength((short) 3);
    buffer[0] = (byte) 1; buffer[1] = (byte) 2; buffer[2] = (byte) 3;
    apdu.sendBytes((short) 0, (short) 3);
}

public class Test {
    public static void main(String[] args) {
        byte[] buffer = { 0, 1, 2, -1, 5 };
        // buffer[3] holds 0xFF: masking with 0x00FF gives 255, plain widening sign-extends to -1
        short aap = (short) (buffer[3] & 0x00FF);
        int noot = (buffer[3] & 0x00FF);
        int mies = (buffer[3]);
        System.out.println("aap=" + aap + " noot= " + noot + " mies= " + mies);
    }
}
/* aap=255 noot= 255 mies= -1 */
17. Applet firewall
Separates Applets
Protects against mistakes
Provides controlled sharing
Firewall partitions object space in different Contexts
18. Contexts
JCRE defines privileged context
Package defines regular context
Context defines ownership, stacked
Current context gets new object
Invoke, return, exception may context switch
19. Client & Server Communication
20. Shareable Interface Object (1)
A shareable interface object is like a normal object to the owner
Others can only access the methods defined in the shareable interface
21. Shareable Interface Object (2)
22. Java Card implementation
Off-card:
Class loading
Byte code verification
CAP file generation
Digital signature
On-card:
Class loading
Signature verification
Execution
23. Signatures for code certification
Producer of code c:
Hash the code c: h = hash(c)
Sign with private key k: s = decrypt(k, h)
Send (c, s) to the consumer
Why not sign c?
Consumer of code (c, s):
Hash code c: h' = hash(c)
Check s with public key K: h'' = encrypt(K, s)
OK if h' = h''
Is then also h = h'?
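The exchange on this slide carried out with textbook RSA, as an added example that is not part of the lecture; the primes, the exponent and the sample code are constructed and far too small for real use, which is exactly what lets the last function answer the slide's closing question.

```python
import hashlib

# Added example for slide 23: textbook RSA on a constructed toy modulus.
# As on the slide, signing is "decrypt with private key k" and checking is
# "encrypt with public key K".
P, Q, E = 61, 53, 17                 # constructed toy primes and public exponent
N = P * Q                            # public key K = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private key k = D

def hash_code(code: bytes) -> int:
    """h = hash(c), reduced mod N so that the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big") % N

def produce(code: bytes):
    """Producer: h = hash(c), s = decrypt(k, h), send (c, s)."""
    return code, pow(hash_code(code), D, N)

def consume(code: bytes, sig: int) -> bool:
    """Consumer: h' = hash(c), h'' = encrypt(K, s), OK if h' = h''."""
    return hash_code(code) == pow(sig, E, N)

def find_collision(code: bytes) -> bytes:
    """Why h' = h'' alone does not give 'same code': with a hash this small a
    different code with the same hash value, and hence the same valid
    signature, turns up after a few thousand padded variants. Only a
    collision-resistant hash rules this out."""
    target, i = hash_code(code), 0
    while True:
        candidate = code + b" // %d" % i
        if hash_code(candidate) == target:
            return candidate
        i += 1
```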
24. Conclusions
State of the art
Easier to program than assembly
Open issues
Garbage collection
Commercial success
Java (2 billion phones, 1 billion PCs)
Java Card (4 billion cards)
25. Code certification without signatures
26. Self Certified Code
Server (consumes code):
Publish safety policy = Given precondition + Weakest precondition rules
Validation = Import code + proof and Check proof
Run
Client (produces code):
Certification = Generate proof and Export code + proof

Given precondition = calling convention
Weakest precondition rules = when is the program safe
Safety predicate => safety
Collect safety checks in safety predicate
27. SCC Architecture
28. Extended abstract machine
op ::= n where n ∈ minint...maxint
     | r0 | r1 | r2
instr ::= LD rd, n(rs)     May read at rs+n
        | ST rs, n(rd)     May write at rd+n
        | ADD rs, op, rd
        | BEQ rs, n        May jump to n if rs=0
        | RET

Semantics include safety checks
No loops...
29. Code example: simple filter
                   % Address of tag in r0
ADD r0, 8, r1      % Address of data in r1
LD r0, 8(r0)       % Data in r0
LD r2, -8(r1)      % Tag in r2
ADD r0, 1, r0      % Increment r0
BEQ r2, 7          % Branch if tag = 0
ST r0, 0(r1)
RET

Speculative scheduling
DEC Alpha style
30. Pre & post condition
Precondition:
r0 is word aligned
May read tag at r0
May read data at r0+8
May write data at r0+8 if tag ≠ 0
Abstract machine semantics
Generate safety conditions
Postcondition:
true

Nothing else is permitted
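The safety-predicate generation of slides 26 to 30 applied to the filter program, as an added example that is not the lecture's SCC implementation: it runs the abstract machine symbolically over both branches instead of computing weakest preconditions backwards, which yields the same safety checks for this loop-free code; the program encoding and the 8-byte word size are assumptions.

```python
# Added example (not Hartel's SCC code): toy checker for the extended abstract
# machine of slides 28-30. Registers hold symbolic (base, offset) pairs, base
# being the initial r0, a loaded cell "M[r0+n]" or None (a constant).
FILTER = [                    # slide 29 program, branch targets 1-indexed
    ("ADD", "r0", 8, "r1"),   # ADD rs, op, rd   (integer op only here)
    ("LD", "r0", 8, "r0"),    # LD rd, n(rs)     rd = M[rs+n]
    ("LD", "r2", -8, "r1"),
    ("ADD", "r0", 1, "r0"),
    ("BEQ", "r2", 7),         # BEQ rs, n        jump to n if rs = 0
    ("ST", "r0", 0, "r1"),    # ST rs, n(rd)     M[rd+n] = rs
    ("RET",),
]
TAG = ("M[r0+0]", 0)          # symbolic value of the tag loaded from r0

def safety_predicate(prog):
    """Run the loop-free program symbolically over every branch and collect
    the safety checks (kind, address, path condition) its semantics raise."""
    checks = []
    work = [(1, {"r0": ("r0", 0), "r1": (None, 0), "r2": (None, 0)}, ())]
    while work:
        pc, regs, path = work.pop()
        ins = prog[pc - 1]
        if ins[0] == "RET":
            continue
        if ins[0] == "ADD":
            _, rs, op, rd = ins
            regs = dict(regs, **{rd: (regs[rs][0], regs[rs][1] + op)})
        elif ins[0] == "LD":
            _, rd, n, rs = ins
            addr = (regs[rs][0], regs[rs][1] + n)
            checks.append(("read", addr, path))
            regs = dict(regs, **{rd: ("M[%s+%d]" % addr, 0)})
        elif ins[0] == "ST":
            _, rs, n, rd = ins
            checks.append(("write", (regs[rd][0], regs[rd][1] + n), path))
        elif ins[0] == "BEQ":
            _, rs, n = ins
            work.append((n, regs, path + ((regs[rs], "==0"),)))
            path += ((regs[rs], "!=0"),)
        work.append((pc + 1, regs, path))
    return checks

def check_policy(checks):
    """Slide 30 precondition: may read tag at r0 and data at r0+8, may write
    r0+8 only if tag != 0; r0 word aligned (8-byte words assumed here)."""
    bad = []
    for kind, (base, off), path in checks:
        ok = base == "r0" and off % 8 == 0 and (
            (kind == "read" and off in (0, 8)) or
            (kind == "write" and off == 8 and (TAG, "!=0") in path))
        if not ok: bad.append((kind, base, off))
    return bad
```

Removing the BEQ, or storing to the tag cell, makes check_policy report the offending write, which is the "nothing else is permitted" half of the policy.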
31. Average runtime per packet
32. High upfront cost
33. Advantages/Disadvantages
+ No cryptography, no key management
+ Any policy possible
+ Can be used for unsafe language.
Does it scale up?
Window of opportunity from validation to execution (more...)
34. Attacks
35. Vulnerability
Time-of-check ≠ time-of-use
A single bit error gives 70% probability of taking over the JVM
36. Memory error attack
Cosmic ray converts A ref to B ref
Subvert type system
70% success with millions of references

Bits flip rarely
Heating causes the OS to crash
37. The experiment
38. And the rest of the world?
The Operating System is the main culprit
15,000 bugs in the Linux kernel, far more in Windows
An estimated 24 in the Minix-3 micro-kernel, drivers isolated...
Can the kernel be verified?
39. Conclusions
Java is a good starting point
Reduce the trusted computing base
Micro kernel
Verification works in the small
Security is not necessarily crypto
Out of the box thinking...