1 / 17

cs205: engineering software university of virginia fall 2006

cs205: engineering software university of virginia fall 2006. Security in Java Real or Decaf?. (Duke suicide picture by Gary McGraw.). Project. Last problem set – final report is due last day of class Teams of 2-5: send me team requests before 11am Friday. Project Ideas.

madra
Download Presentation

cs205: engineering software university of virginia fall 2006

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. cs205: engineering software university of virginia fall 2006 Security in Java Real or Decaf? (Duke suicide picture by Gary McGraw.)

  2. Project • Last problem set – final report is due last day of class • Teams of 2-5: send me team requests before 11am Friday

  3. Project Ideas • Due next Wednesday • For now, no suggestions – you can do anything you want, as long as it: • Is small enough to finish by Dec 4 • Is complex enough that a successful project will demonstrate understanding of and ability to apply key concepts in CS205 • If you are really stuck...

  4. from Class 2... Buzzword Description “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]

  5. What is a secure programming language? • Language is designed so it cannot express certain computations considered insecure. • Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run-time environment instead of leading to security vulnerabilities. A few attempt to do this: PLAN, packet filters

  6. Safe Programming Languages • Type Safety • Compiler and run-time environment ensure that bits are treated as the type they represent • Memory Safety • Compiler and run-time environment ensure that program cannot access memory outside defined storage • Control Flow Safety • Can’t jump to arbitrary addresses Is Java the first language to have them? No way! LISP had them all in 1960.

  7. Java Safety • Type Safety • Most types checked statically • Coercions, array assignments type checked at run time • Memory Safety • No direct memory access (e.g., pointers) • Primitive array type with mandatory run-time bounds checking • Control Flow Safety • Structured control flow, no arbitrary jumps

  8. Malicious Code Can a safe programming language protect you from malcode? • Code your servers in it to protect from buffer overflow bugs • Only allow programs from untrustworthy origins to run if the are programmed in the safe language

  9. Safe Languages? • But how can you tell program was written in the safe language? • Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) • Special compilation service cryptographically signs object files generated from the safe language (SPIN, [Bershad96]) • Verify object files preserve safety properties of source language (Java)

  10. Alice User JVML malcode.java Java Source Code malcode.class JVML Object Code javac Compiler JavaVM Alice wants to know JVML code satisfies Java’s safety properties.

  11. Does JVML satisfy Java’s safety properties? No, we’ll learn some about JVML later...

  12. Trusted Computing Base Joe User Bytecode Verifier malcode.class JVML Object Code Java Bytecode Verifier Invalid “Okay” STOP JavaVM

  13. Bytecode Verifier • Checks class file is formatted correctly • Checks JVML code satisfies safety properties • Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once

  14. Verifying Safety Properties • Type safe • Stack and variable slots must store and load as same type • Memory safe • Must not attempt to pop more values from stack than are on it • Doesn’t access private fields and methods outside class implementation • Control flow safe • Jumps must be to valid addresses within function, or call/return

  15. Running Mistyped Code > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type

  16. Joe User Java javac Compiler malcode.java malcode.class JVML Trusted Computing Base Java Bytecode Verifier Invalid “Okay” STOP JavaVM

  17. Charge • Next classes: understanding byte codes and the byte code verifier • Start thinking about project ideas and teams • Send team requests by email before 11am Friday

More Related