
Security Capabilities and Potentials of Java

Security Capabilities and Potentials of Java. D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting Computer Science & Engineering Department The University of Connecticut Storrs, Connecticut 06269-3155. {debs,steve,cecilia,ting}@engr.uconn.edu http://www.engr.uconn.edu/~steve



Presentation Transcript


  1. Security Capabilities and Potentials of Java
     D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting
     Computer Science & Engineering Department, The University of Connecticut, Storrs, Connecticut 06269-3155
     {debs,steve,cecilia,ting}@engr.uconn.edu
     http://www.engr.uconn.edu/~steve
     (860) 486 - 4818

  2. Overview of Presentation
     • Background and Motivation
     • Enterprise Computing and Security
     • Emergence of Java
     • An Overview of Java
     • Security Capabilities of Java
     • User-Role Based Security (URBS) and Java
     • Advanced Security Features and URBS
     • Concluding Remarks and Future Work

  3. Enterprise Computing and Security: C/S and Distributed Object Computing
     • Authentication
       • Is the Client who S/he Says they are?
     • Authorization
       • Does the Client have Permission to do what S/he Wants?
     • Privacy
       • Is Anyone Intercepting Client/Server Communications?
     • Enforcement Mechanism
       • Centralized and Distributed “Code”
       • Enforces Security Policy at Runtime

  4. Enterprise Computing and Security: C/S and Distributed Object Computing
     • Assurance
       • Are the Security Privileges for Each Client Adequate to Support their Activities?
       • Do the Security Privileges for Each Client Meet but Not Exceed their Capabilities?
     • Consistency
       • Are the Defined Security Privileges for Each Client Internally Consistent?
         • Least-Privilege Principle: Just Enough Access
       • Are the Defined Security Privileges for Related Clients Globally Consistent?
         • Mutual Exclusion: Read for Some, Write for Others

  5. Emergence of Java
     • Java is Emerging as the OO Language of Choice
     • Java’s Pervasiveness in Educational Institutions from Freshman to Graduate Courses
     • Java’s Utilization in …
       • Distributed Internet-Based Applications of All Types
       • Legacy/COTS Integration for Enterprise Computing
       • General-Purpose, Single-CPU Development
     • Distributed Object Computing Must Consider Security as a First-Class Citizen
       • Exploit Java Security API and URBS?

  6. An Overview of Java
     • Java is a Third Generation, General Purpose, Platform Independent, Concurrent, Class-Based, Object-Oriented Language and Environment
     • Java Composed of JDK and JRE
       • Java Language
       • Java Packages (Libraries)
       • javac Compiler to Bytecode (p-code)
       • JDB Java Debugger
       • Java Interpreter - Platform Specific
     • JDK: Java Development Environment http://www.javasoft.com/products/jdk/1.2/
     • JRE: Java Runtime Environment http://www.javasoft.com/products/jdk/1.2/jre/index.html

  7. Java Visualization (figure; not reproduced in the transcript)

  8. The Java API Packages
     • Application Programming Interface (API)
       • Java Defined - Building Blocks/Libraries
     • Java Platform 1.2 Core API
       java.applet, java.awt, java.awt.datatransfer, java.awt.event, java.awt.image, java.beans, java.io, java.lang, java.lang.reflect, java.math, java.net,
       java.rmi, java.rmi.dgc, java.rmi.registry, java.rmi.server, java.security, java.security.acl, java.security.interfaces, java.sql, java.text, java.util, java.util.zip
     • Focus on java.security

  9. Security Capabilities of Java
     • Sandbox and Applet Level Security
       • Downloaded Applets are Confined in a Targeted Portion of System During Execution
       • Execution of Untrusted Code in a Trusted Way
     • What is the Sandbox?
       • Area of Web-Browser Dedicated to Applet
       • Applet Limited to Sandbox to Prohibit Access to Local Machine/Environment
       • Utilizes Class Loader, Bytecode Verifier, and Security Manager
       • Three Components Maintain System Integrity
     • How Does this Occur?

  10. Security Capabilities of Java
     • Class Loader - Only Load Correct Classes
     • Bytecode Verifier - Classes in Correct Format
     • Security Manager - Untrusted Classes Can’t Execute Dangerous Instructions nor Access Protected System Resources
     • Role of Security Managers
       • Enforces Boundaries of Sandbox
       • All Java Classes ask Manager for Permission to Perform Certain Operations
       • Implements/Imposes Application Security Policy
       • Java Interface Class Implementable by Users
       • Integrated with Exception Handling of Java
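The "all classes ask the manager for permission" mechanism on this slide, as an added example that is not from the presentation: a `SecurityManager` subclass whose only policy is that file writes and deletes must stay below one sandbox directory. The class name `SandboxManager`, the policy and the sample file names are assumptions for this illustration. `java.io.FileOutputStream` calls `checkWrite()`, which the JDK routes to `checkPermission()` with a `FilePermission`, so the override below is the single point where the policy is enforced and a refusal surfaces as a `SecurityException`, matching the slide's point that the manager is integrated with exception handling.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.nio.file.Files;
import java.security.Permission;

/*
 * Added example, not from the slides: a SecurityManager whose policy is
 * "file writes and deletes only below one sandbox directory". Every class that
 * opens a file for writing ends up in checkPermission() on the installed manager.
 */
public class SandboxManager extends SecurityManager {
    private final String sandboxRoot;   // absolute path, no trailing separator

    public SandboxManager(File sandboxDir) {
        this.sandboxRoot = sandboxDir.getAbsolutePath();
    }

    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission) {
            String actions = perm.getActions();
            if (actions.contains("write") || actions.contains("delete")) {
                String target = new File(perm.getName()).getAbsolutePath();
                if (!target.startsWith(sandboxRoot + File.separator)) {
                    throw new SecurityException("write outside sandbox refused: " + target);
                }
            }
        }
        // Everything else (reads, property access, sockets, ...) is permitted in this
        // demonstration; a real policy would be far more restrictive.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sandbox directory for the demonstration
        File sandbox = Files.createTempDirectory("sandbox").toFile();
        System.setSecurityManager(new SandboxManager(sandbox));

        // Inside the sandbox: the manager lets the write through.
        try (FileWriter w = new FileWriter(new File(sandbox, "allowed.txt"))) {
            w.write("inside the sandbox\n");
        }
        System.out.println("write inside sandbox: ok");

        // Outside the sandbox: FileOutputStream asks the manager, which refuses.
        File escape = new File(sandbox.getParentFile(), "escape.txt");
        try {
            new FileWriter(escape).close();
            System.out.println("write outside sandbox: NOT confined");
        } catch (SecurityException e) {
            System.out.println("write outside sandbox: refused (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SandboxManager.java && java SandboxManager`. The API shown is the one the slides refer to, but `SecurityManager` is deprecated for removal since Java 17, and from Java 18 onward `System.setSecurityManager` throws `UnsupportedOperationException` unless the JVM is started with `-Djava.security.manager=allow`.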

  11. Security Capabilities of Java: Digital Signatures and JAR Files
     • When Can Applets Become Applications?
       • Trusted Publisher (Originator of Applet)
       • Signed Applet is Authenticated
       • Java Security Manager May Allow Applet out of Sandbox to be Application
     • How is Information Transmitted and Exchanged?
       • JAR: Archived (Compressed) Files
       • Bundling of Code/Data into Java Archive
       • Associated Digital Signature for Verification
       • Transmission via Object Serialization

  12. Security Capabilities of Java: Message Digest and Key Management
     • Message Digest
       • “Speedy” Alternative to Public Key Encryption
       • Generation of a Short, Unique Representation of Message that is Encrypted and Used as Digital Signature
       • Message Digest Algorithms (MD5, SHA, …)
     • Key Management
       • Integrated Key Management for Java Programs and Applets
       • Ability to Encode/Decode
       • Java API for Generating, Certifying, and Manipulating Keys
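The digest-and-signature flow from slides 11 and 12 with the `java.security` API, as an added example that is not from the presentation. What the slide calls a digest "encrypted and used as digital signature" is what `java.security.Signature` does internally: it hashes the message and then applies the private-key operation to the hash, and `verify()` recomputes the hash and checks it against the signature with the public key. The class name `SignDemo`, the choice of SHA-256 with RSA (the slide's MD5 and SHA-1 are no longer suitable for signatures) and the sample message are assumptions for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example, not from the slides: digest a message, sign it, and verify the
// signature, then show that the signature no longer verifies once the message changes.
public class SignDemo {

    // Slide 12's "short, unique representation of the message"
    public static byte[] digest(byte[] message) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(message);
    }

    // The signature binds the digest to the signer's private key
    public static byte[] sign(PrivateKey key, byte[] message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(message);
        return s.sign();
    }

    // Verification needs only the public key, which is why a signed JAR can be
    // checked by anyone who trusts the publisher's key (slide 11)
    public static boolean verify(PublicKey key, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(message);
        return s.verify(signature);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Key management: generate a fresh key pair (slide 12's "generating ... keys")
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample message standing in for the bytes of a JAR
        byte[] message = "applet.jar contents (constructed sample)".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(kp.getPrivate(), message);

        System.out.println("SHA-256 digest: " + hex(digest(message)));
        System.out.println("signature verifies: " + verify(kp.getPublic(), message, signature));

        // Flip one bit of the message: the digest changes, so verification fails
        byte[] tampered = message.clone();
        tampered[0] ^= 0x01;
        System.out.println("verifies after tampering: " + verify(kp.getPublic(), tampered, signature));
    }
}
```

The second `verify` call prints `false`: a bare digest only detects accidental corruption, because anyone can recompute it; the private-key step is what makes the result a signature an attacker cannot forge without the key.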

  13. Security Capabilities of Java: Access Control Lists (ACLs)
     • Control Access to Resources by Permissions
     • Classical Security Technique for
       • Data Structure to Protect Resources
       • SE to Define Read/Write Permissions Based on Users and User Groups
       • Manipulation of List of Access Privileges
     • Support Negative and Positive Permissions
     • Paradigm of Individual vs. Group
       • Individual Permissions Override Group
     • See Paper for Detailed Discussion and References

  14. User-Role Based Security and Java

      public class PatientRecord {
          // private data/methods as needed; method bodies omitted on the slide
          public void write_medical_history() { }    // for MDs only
          public void write_prescription() { }       // for MDs only
          public void get_medical_history() { }      // for MDs and nurses
          public void get_diagnosis() { }            // for MDs and nurses
          public void set_payment_mode() { }         // for admitting
          // etc.
      }

     • Public Interface is Union of All Privileges for All Potential Users
       • No Explicit Way to Prohibit Access
     • Customizable Public Interface of Class
       • Access to Public Interface is Variable and Based on User Needs and Responsibilities
       • Only Give Exactly What’s Needed and No More

  15. User-Role Subclassing Approach in Java

      public class PatientRecord {
          // private data/methods
          public void write_medical_history() { }
          public void write_prescription() { }
          public void get_medical_history() { }
          public void get_diagnosis() { }
          public void set_payment_mode() { }
      }

      public class MD_PatientRecord extends PatientRecord {
          @Override public void set_payment_mode() { return; }   // turned off for MDs
      }

      public class Nurse_PatientRecord extends PatientRecord {
          @Override public void write_medical_history() { return; }   // turned off for nurses
          @Override public void write_prescription() { return; }
          @Override public void set_payment_mode() { return; }
      }

     • Subclasses of PatientRecord Turn Off Methods Not Available
     • Software Creates Nurse_PatientRecord or MD_PatientRecord Instance
     • Method Calls Against Subclass Return Null for Turned Off Methods
     • GUI Tool Works Differently Based on User Role with Same Code

  16. A Basic Exception Approach in Java
     • Exploit Exception Handling for Dynamic Behavior of Tool by Role

      public class PatientRecord {
          // private data has been omitted
          private int Insurance_Mode;

          public void set_payment_mode(int mode) {
              // Insurance_Mode is private data of PatientRecord
              Insurance_Mode = set_int_check_valid_UR(Insurance_Mode, mode);
          }

          // Returns the new value i2 if Current_User may set it, otherwise the old value i1
          // (a Java int is passed by value, so assigning to the parameter would change nothing)
          public int set_int_check_valid_UR(int i1, int i2) {
              try {
                  // See if Current_User can execute method
                  check_UR();
              }
              // catch block to process raised exceptions
              catch (Unauthorized_UR UR_Exception) {
                  System.out.println("Attempt to access by unauthorized UR");
                  return i1;   // leave the field unchanged
              }
              return i2;
          }

          public void check_UR() throws Unauthorized_UR {
              // Incomplete - only to illustrate the concepts!!!
              // Current_User and Unauthorized_UR are assumed to be defined elsewhere
              if (!"Admitting".equals(Current_User.Get_User_Role()))
                  throw new Unauthorized_UR();   // raises exception
          }
      }

     Once the Current_User is Set, the Rest of the Tool Code Works without that Knowledge
     Thus, Software Engineers Don’t Need to Know or See the DAC/URBS Details!!

  17. Applicability of URBS Approaches
     • All Supported by C++, Eiffel, and Ada95
     • User-Role Subclassing Approach
       • Requires SW Engineer to Understand URBS
       • Supported by Java
     • Basic Exception Approach
       • Minimizes SW Engineer Exposure to URBS
       • Elegant in Java Due to Exceptions
     • User-Role Class Library Approach (not shown)
       • Requires Multiple Inheritance
       • Unsupported in Java - only Design-Level Multiple Inheritance via Interfaces
     • Generic Exception Approach (not shown)
       • Exceptions plus Generics Improves Reuse
       • Unsupported in Java - no Templates

  18. Advanced Security Features and URBS
     • Focus on the Potentials of Java
       • What Other Aspects of Java Can be Exploited?
       • Packages in Java
       • Access Control Lists in java.security API
       • The Class Class in java.lang API
       • Aglets - Java Agents
     • Examine the Ability of the Above to Support URBS
       • Leverage Advanced Features to Enhance and Strengthen URBS Approaches
       • Utilize Advanced Features as Starting Point to Explore New Security Solutions

  19. Packages In Java
     • Allows Related Classes to be Grouped into a Larger Abstraction
       • Similar to Ada95 Packages
       • E.g., Package PatientInfo Contains Prescription, PatientGUI, PatientRecord, …
     • Utilization of Packages for URBS
       • URSA - Form a Package of PatientRecord, MD_PatientRecord and Nurse_PatientRecord
       • Only MD_ and Nurse_ Subclasses Visible Outside of Package
     • Overall, Packages Enhance the Control and Visibility to Fine-Tune Who Can See What When

  20. Access Control Lists in java.security API
     • ACLs Can be Utilized to Control Method Access
       • ACL Composed of ACL Entries
       • ACL Entry: Set of Permissions (Allowable Method Accesses) for Each UR
     • Utilize ACLs as Implementation Vehicle for URSA, BEA, and Other Approaches
     • java.security.acl.Acl Provides the Following:
       • addEntry() and removeEntry()
       • checkPermission(): Can UR Utilize Method?
       • addPermission(), checkPermission(), and removePermission()
       • setPrincipal(): UR for which Permissions (Methods) are Assigned/Prohibited
       • Etc…

  21. The Class Class in java.lang API
     • Class and Object Classes Contain Meta-Data
       • Methods Defined that Apply to All System and User Defined Classes
       • Class has Methods that Return List of Public Methods, List of Member Variables, etc.
     • Utilization of Class Class for URBS
       • For All Approaches, Dynamically Retrieve All Public Methods for Verifying UR Permissions
       • In Conjunction with ACL, Powerful Tool to Dynamically Enforce UR Permissions When
         • Assigned/Prohibited Methods Change
         • Application Classes Evolve or are Added
       • Simplifies Maintenance of Security Policy
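Slides 20 and 21 together, as one added example that is not from the presentation: a per-role ACL of permitted method names, the `Class` meta-data used to cross-check that policy against the methods the application class actually has, and a `java.lang.reflect.Proxy` that consults the ACL before every public call. The `java.security.acl` package the slide names was deprecated and then removed from the JDK (JDK 14), so the small `RoleAcl` class here is an assumed stand-in for it; the `PatientRecordOps` interface, the `UrbsAcl` class name, the role/method assignments (taken from slide 15) and the stale `get_payment_plan` entry are assumptions for the illustration. The `Unauthorized_UR` exception follows the name used on slide 16.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not from the slides: ACL + reflection enforcing user-role method access.
public class UrbsAcl {

    // Same name as the exception on slide 16
    public static class Unauthorized_UR extends RuntimeException {
        public Unauthorized_UR(String message) { super(message); }
    }

    // The public interface of the slides' PatientRecord, as a Java interface (assumed)
    public interface PatientRecordOps {
        void write_medical_history(String entry);
        void write_prescription(String prescription);
        String get_medical_history();
        String get_diagnosis();
        void set_payment_mode(int mode);
    }

    // Plain implementation with no security logic inside it (slide 16's goal)
    public static class PatientRecord implements PatientRecordOps {
        private final StringBuilder history = new StringBuilder();
        private int insuranceMode = 0;
        public void write_medical_history(String entry) { history.append(entry).append('\n'); }
        public void write_prescription(String rx) { history.append("Rx: ").append(rx).append('\n'); }
        public String get_medical_history() { return history.toString(); }
        public String get_diagnosis() { return "none recorded"; }
        public void set_payment_mode(int mode) { insuranceMode = mode; }
    }

    // Minimal ACL: role -> permitted method names (positive permissions only).
    // Assumed stand-in for the removed java.security.acl package.
    public static class RoleAcl {
        private final Map<String, Set<String>> entries = new HashMap<>();

        public RoleAcl addPermission(String role, String... methods) {
            entries.computeIfAbsent(role, r -> new HashSet<>()).addAll(Arrays.asList(methods));
            return this;
        }

        public boolean checkPermission(String role, String method) {
            return entries.getOrDefault(role, Collections.emptySet()).contains(method);
        }

        // Slide 21: use Class meta-data to find policy entries naming methods the
        // interface no longer has, e.g. after the application class evolved
        public List<String> staleEntries(Class<?> iface) {
            Set<String> known = new HashSet<>();
            for (Method m : iface.getMethods()) {
                if (Modifier.isPublic(m.getModifiers())) known.add(m.getName());
            }
            List<String> stale = new ArrayList<>();
            for (Map.Entry<String, Set<String>> e : entries.entrySet()) {
                for (String name : e.getValue()) {
                    if (!known.contains(name)) stale.add(e.getKey() + " -> " + name);
                }
            }
            return stale;
        }
    }

    // Wrap an implementation so every call through the interface is checked against the ACL
    @SuppressWarnings("unchecked")
    public static <T> T guard(Class<T> iface, T target, RoleAcl acl, String role) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (!acl.checkPermission(role, method.getName())) {
                throw new Unauthorized_UR(role + " may not call " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();   // surface the real exception, not the reflection wrapper
            }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler);
    }

    public static void main(String[] args) {
        // Role assignments follow slide 15; get_payment_plan is a constructed stale entry
        RoleAcl acl = new RoleAcl()
            .addPermission("MD", "write_medical_history", "write_prescription",
                           "get_medical_history", "get_diagnosis")
            .addPermission("Nurse", "get_medical_history", "get_diagnosis")
            .addPermission("Admitting", "set_payment_mode", "get_payment_plan");
        System.out.println("stale policy entries: " + acl.staleEntries(PatientRecordOps.class));

        PatientRecord record = new PatientRecord();
        PatientRecordOps nurseView = guard(PatientRecordOps.class, record, acl, "Nurse");
        try {
            nurseView.write_medical_history("BP 120/80");
        } catch (Unauthorized_UR e) {
            System.out.println("denied: " + e.getMessage());
        }
        PatientRecordOps mdView = guard(PatientRecordOps.class, record, acl, "MD");
        mdView.write_medical_history("BP 120/80");
        mdView.write_prescription("amoxicillin");
        System.out.print("history as seen by nurse:\n" + nurseView.get_medical_history());
    }
}
```

Because `guard()` checks by method name at call time, changing a role's entry in `RoleAcl` takes effect without touching `PatientRecord`, which is the maintenance benefit the slide claims; `staleEntries()` is the check a practitioner would run whenever the interface or the policy changes.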

  22. Concluding Remarks
     • Explored the Security Capabilities and Potentials of Java, including:
       • Brief Review of java.security API: Digital Signatures, Message Digests, Key Management, and ACLs
       • Realization and Limitations of URBS in Java
       • Advanced Security Features and the Potential for URBS and Security for DOC
     • Future Work
       • Legacy/COTS and Interoperability
       • Emerging Technologies: Middleware and OODBSs
