Java & J2EE

Application Security

Dr. Waitak Wong

Department of Information Management

Chung Hua University, Hsinchu, Taiwan


Today's Agenda

  • About Security
  • Application Security
  • Java Security from the Ground Up
  • Standalone Java Application Techniques
  • Hacking Java Client-Server Application
  • Java Network Applications: RMI

Today's Agenda (cont.)

  • Exploiting Java Web Tier Components
  • Web Services Security
  • Enterprise Java Beans Security
About Security

Common Security Threats

Three concepts of CIA security model

Definition of security

Common Security Threats
  • Identity interception
    • Steal your identity and use it as their own
  • Masquerading
    • Grab your identity and use it elsewhere with the intention of perpetrating fraud
  • Replay attack
    • Capture your request and replay that request
  • Data interception and manipulation
    • Read your data (such as credit card info)
Common Security Threats
  • Repudiation
    • Deny your/his completed transaction
  • Denial of Service
    • Terminate the service
Three concepts of CIA security model
  • Confidentiality
    • information must not be disclosed to any unauthorized person
  • Integrity
    • only authorized actions (prevents unauthorized data changes)
    • separation and protection for resources
    • error detection and correction (data corruption)
  • Availability
    • presence of objects or service in a usable form
    • capacity to meet service needs
    • adequate timeliness of a service
Definition of security
  • Deter
    • Generate a feasible and believable deterrence
  • Detect
    • Detect how, when and where intrusion has taken place
  • Protect
    • Manage people and the Information System in an effective manner so as to protect against unauthorized usage
Definition of security
  • React
    • react to an intrusion
    • ensure that penetration does not happen again.
    • vulnerability is eliminated
  • Recover
    • recover all data and programs from a breach in security
Application Security - Not just technology; it’s a process…

[Figure: two layers. Application level: Application code, Java/J2EE APIs. System level: JVM, Operating System.]

  • System-level Security vs. Application-level Security

System-level Security Vs. Application-level Security
  • Defeating System-level security may not provide attackers with appropriate access to the application-level data, logic, or methods that they seek

[Figure: Attacker -> System-level security -> Application-level Security -> Enterprise Data]
System-level Security Vs. Application-level Security (cont.)
  • Work together to build a secure system/application combination

[Figure: one Attacker facing System-level security, another facing Application-level Security, both in front of the Enterprise Data]
System-level Security Vs. Application-level Security (cont.)
  • It is more efficient to push some security responsibilities up to the application level instead of handling them at the operating-system level

[Figure: the same Application code and Java/J2EE APIs on three stacks: JVM (Solaris) over OS (Solaris), JVM (IBM AIX) over OS (IBM AIX), JVM (MS Window) over OS (MS Window)]
Java Security from the Ground Up
  • Java Language Safety Features
  • Java Security Model
  • Java Security Architecture
Java Language Safety Features
  • Objects have access levels:
    • private: Accessible only by the defining class
    • package (default): Accessible by classes in the same package
    • protected: Same as package, with addition of access by any subclass
    • public: Accessible by any class
Java Language Safety Features
  • Access methods are strictly adhered to
  • No pointers (no access to arbitrary memory) and automatic garbage collection
  • “final” methods or variables cannot be changed
  • Variables MUST be initialized before use
  • Array bounds are enforced
  • Strict object casting rules
Java Security Enforcement
  • Enforcement happens at different times
    • Compile time enforcement
    • Class load time enforcement
    • Runtime enforcement
Compile Time Enforcement

[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader / Bytecode Verifier -> Java Virtual Machine -> Runtime]

  • Validate language syntax
  • Enforce method and variable access rules
  • Enforce variable initialization
  • Enforce some casting operations

Class Load Time Enforcement

[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader / Bytecode Verifier -> Java Virtual Machine -> Runtime]

  • Bytecode verification
    • Verifies class file format
    • Accesses objects as correct type
    • Final classes are not subclassed
    • Final methods are not overridden
    • Every class has a single superclass
    • Verify that casting legality checks are in place
    • No operand stack overflows or underflows
    • All field and method accesses are legal
    • Method calls use correct number & types of arguments
Runtime Enforcement

[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader / Bytecode Verifier -> Java Virtual Machine -> Runtime]

  • Array bounds checking
    • Throws ArrayIndexOutOfBoundsException
  • Object casting
    • Throws ClassCastException
  • Security Manager
    • Throws SecurityException
    • Depends on the Access Controller
Java Security Model

Sandbox – a strictly defined arena in which untrusted code (such as an applet) cannot affect other system resources. It provides virtually no flexibility.

Components work with Sandbox
  • Class loader
    • first link in the security chain
    • enforces the name space hierarchy
  • Byte code verification
    • checks that there are no violations such as stack overflows, name space violations, illegal data type casts, etc.
  • Security manager
    • It enforces the boundary of the sandbox
Java Security Model (cont.)

JDK 1.1 security model: applets either received unlimited access or were confined to the sandbox – there was no option for selective access to resources.

Java Security Model (cont.)

The newer model introduces the concept of a ProtectionDomain, which permits a highly flexible security policy decoupled from its implementation.

Java Security Architecture
  • The J2SE 1.3 introduced
    • policy-based access control
    • X.509 v3 implementation of certificate interfaces
    • tools for creating and managing security keys and certificates
Java Security Architecture
  • J2SE 1.4 continued by adding
    • Java Authentication and Authorization Service (JAAS)
    • Java Cryptography Extension (JCE)
    • Java Secure Socket Extension (JSSE)
    • Features for Kerberos communication
JCE Architecture
  • Extension to JCA
  • Framework for multiple CSPs
  • Sun distributes a JCE provider
  • Designed for export
  • Provides a framework for encryption and decryption, key generation, key agreement, and Message Authentication Code (MAC).
  • Encryption allows symmetric, asymmetric, block, and stream ciphers, with additional support for secure streams and sealed objects.
JCE v1.2.1
  • Unapproved providers cannot plug-in
  • Providers unusable without framework
  • Crypto strength is configured in jurisdiction policy files
JAAS Architecture
  • Provides a Java security API to perform authentication and authorization security services for Java applications
    • JAAS is designed to be pluggable.
    • Pluggable authentication
    • User-based authorization
    • Fine-grained access control capabilities
    • Framework for single sign-on
Java Secure Sockets Extension
  • Provides Secure Socket Layer (SSL) connections over TCP/IP sockets.
Java Secure Sockets Extension (cont.)
  • JSSE is a set of Java packages that enables secure Internet communications.
    • Standard socket APIs for SSL and TLS
    • Transport level Authentication, Integrity, and Privacy
    • Supports standard cipher suites
    • Includes https URL handler
J2SE v1.4 "Merlin": Security
  • CertPath API
  • GSSAPI “Java Bindings”
  • Public Key Cryptography Standards (PKCS)
J2SE v1.4 "Merlin" : Cert Path
  • Validation of Certification Paths
  • Building of Certification Paths
  • Creation of Certification Paths
  • Retrieval of certs/CRLs
J2SE v1.4 "Merlin": Cert Path

SPI (service provider interface) layer

J2SE v1.4 "Merlin": Kerberos
  • Network Authentication System
  • Internet Standard (RFC 1510)
  • Access via JAAS, JGSS, maybe JSSE
J2SE v1.4 "Merlin": Kerberos Features
  • Single Sign-on in a Kerberized environment
  • Credential cache integrates with platform Kerberos
  • Interoperate with Solaris™ 8 software, Windows 2000, and MIT distributions
J2SE v1.4 "Merlin": PKCS
  • De-facto standards widely used today
  • Evolved to cover technologies from encryption to smartcards
  • Utilizes public key technology
Road Map: Security
  • End-to-end security
  • Integrated Security Services
  • Evolve with standards
  • Further performance improvements
Standalone Java Application Security Techniques
  • Encryption and secure digesting of sensitive data using JCE
  • Logging and auditing using the Java Logging API
Encryption and secure digesting of sensitive data using JCE

  • Defeat a casual unauthorized read or write attempt
    • Adding salt to the data
    • Generating a secret key
    • Encrypt the data
    • Data verification with message digests
Encryption and secure digesting of sensitive data using JCE (cont.)

[Figure: Data plus Salt and Key -> Encrypt -> Encoding (Locked); Data -> MessageDigest -> Digesting]

Before:

  Account   Balance
  12345     300.3
  54321     1000.52

After:

  Account   Encrypted Balance                  Message Digest
  12345     R/cT9Xhe44QwZEo+5yruroGmJOLljQTI   vMY6nlyuZcFsdHWphVmPxAu1V3o=
  54321     RIerr4ua0qatf/TYzVVMHpzARJJ+vQL4   Pc9XQrnv+tR7MD9I4KcsjN3xat0=
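The four steps on the previous slide (salt, secret key, encrypt, digest) carried through for the two sample rows, as an added example that is not from the presentation. It uses the standard JCE classes only; the class name SealedBalance, the passphrase and the account rows are constructed for the demo, and AES-GCM with PBKDF2 is the cipher/key-derivation choice made here, not one the slides prescribe.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Salt, key generation, encryption and digesting for one Account/Balance record. */
public class SealedBalance {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12;                 // 96-bit GCM nonce

    /** Salt + secret key: derive a 256-bit AES key from a passphrase and a random salt (PBKDF2). */
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(new PBEKeySpec(passphrase, salt, 210_000, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Encrypt: AES-GCM with the account number bound as associated data, so a ciphertext
     *  copied from one row onto another account fails to decrypt. Output is iv || ct || tag. */
    static String encryptBalance(SecretKey key, String account, String balance) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);                                // fresh nonce per record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(account.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(balance.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decryptBalance(SecretKey key, String account, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, IV_LEN));
        c.updateAAD(account.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    /** Digest over account + encrypted balance for the third column. A plain digest catches corruption
     *  and casual edits only: anyone who can write the row can recompute it, so use a keyed Mac (HMAC) for more. */
    static String digest(String account, String encryptedBalance) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(account.getBytes(StandardCharsets.UTF_8));
        md.update((byte) 0);                              // field separator
        md.update(encryptedBalance.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(md.digest());
    }

    static boolean verifyRow(String account, String encryptedBalance, String stored) throws Exception {
        byte[] expected = digest(account, encryptedBalance).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                              // not secret; store beside the table
        SecretKey key = deriveKey("constructed-passphrase".toCharArray(), salt);
        String[][] rows = { { "12345", "300.3" }, { "54321", "1000.52" } };   // sample data
        for (String[] row : rows) {
            String enc = encryptBalance(key, row[0], row[1]);
            String dig = digest(row[0], enc);
            System.out.printf("%s %s %s%n", row[0], enc, dig);
            if (!verifyRow(row[0], enc, dig) || !row[1].equals(decryptBalance(key, row[0], enc)))
                throw new IllegalStateException("record check failed for " + row[0]);
        }
    }
}
```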

Logging and auditing using the Java Logging API
  • Modification of data by an unauthorized user with an authorized user’s credentials
    • Log security-related messages and direct the log messages to a file, a database, a network socket, or even the console
Logging and auditing using the Java Logging API (cont.)
  • Decide what to log
    • Successful and unsuccessful login attempts
    • Logouts and application shutdowns
    • Successfully accessing functionality
    • Unsuccessfully attempting to access any functionality
    • Severe application exceptions that could affect the integrity of application data or functionality
Hacking Java Client/Server Application
  • Attacking a client-server application (network) is easier than attacking a standalone application (physical access)
  • A two-tier application can be attacked
    • Outside of the application – Attack the database server
    • The network – Attack the data as it transits
    • Application itself – Attack the client side
Attack the database server
  • Application-level Database credential
    • Using the application’s own user id and password as the database credentials
    • No way to track the attacker (semi-anonymous)
Attack the database server (cont.)
  • JDBC Data Sources with JNDI authentication and embedded credential
    • Hiding the Database
    • Authenticate a particular user’s access to the Data Source with that user’s credentials.
Attack the database server (cont.)
  • User-level Database passwords and JCE for encryption
    • Encrypt sensitive data, write it to database, and generate a message digest for each data record.
  • User-level database passwords and Stored Procedures or callable statements for access control
    • No users or application can directly access the application tables
Attack the data as it transits
  • Packet sniffing
  • Solution:
    • Secure the Database connection
Secure the Database connection
  • Use a secure JDBC driver
  • Use a secure SSL tunnel
  • Use JSSE to implement an SSL Tunneling Client and Server
  • Use JCE to encrypt the data at the Application Level

Attack the client side
  • Applets and WebStart applications, where remote class loading is a necessity
    • Attackers might succeed in placing unwanted or dangerous files on our client.

[Figure: client code that needs remote class loading, pulling "Remote code" from two remote sources]

Attack the client side (cont.)
  • Solution:
    • Securing JAR files
    • Specify the classpath on the command line
    • Protecting Applet-based client
Securing JAR files
  • JAR file – a mechanism for distributing application code in an encapsulated form
  • Jar signer – To associate a digital signature with a JAR file, and to later verify the signature vs. an entry in keystore
  • Sealing package within a JAR file
    • Notify JVM that the packages contained in the JAR file are atomic.

Remark: keystore – a physical repository for the digital certificates that are used to verify that a file was sent by the entity you expected
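How a client can check a signed JAR against its keystore before loading anything from it, and whether a package in it is sealed, as an added example not taken from the presentation. The class name JarTrustCheck, the helper names, and the truststore/JAR paths in main are placeholders; the assumption is that the expected signer’s certificate has been imported into that truststore.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Checks a downloaded JAR before any class in it is loaded. */
public final class JarTrustCheck {

    /** True only if every content entry is signed, its signature verifies, and at least one
     *  signer certificate is present in the given truststore. */
    static boolean fullySignedByTrusted(String jarPath, KeyStore trustStore) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {            // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // The digest is only checked once the entry is read to EOF; a tampered
                // entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false;                   // an unsigned file was added
                if (!anySignerTrusted(signers, trustStore)) return false;
            }
        } catch (SecurityException tampered) {
            return false;
        }
        return true;
    }

    private static boolean anySignerTrusted(CodeSigner[] signers, KeyStore trustStore) throws Exception {
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (trustStore.getCertificateAlias(leaf) != null) return true;   // exact match
        }
        return false;
    }

    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /** Sealed package: the manifest carries "Sealed: true" for the package path (or globally). */
    static boolean isPackageSealed(String jarPath, String packagePath) throws Exception {
        try (JarFile jar = new JarFile(jarPath)) {
            Manifest mf = jar.getManifest();
            if (mf == null) return false;
            Attributes a = mf.getAttributes(packagePath);            // e.g. "com/example/acct/"
            String sealed = a != null ? a.getValue(Attributes.Name.SEALED) : null;
            if (sealed == null) sealed = mf.getMainAttributes().getValue(Attributes.Name.SEALED);
            return "true".equalsIgnoreCase(sealed);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");               // placeholders below
        try (InputStream in = Files.newInputStream(Paths.get("<truststore.p12>"))) {
            ts.load(in, "<truststore-password>".toCharArray());
        }
        System.out.println("trusted signature: " + fullySignedByTrusted("<app.jar>", ts));
        System.out.println("package sealed: " + isPackageSealed("<app.jar>", "com/example/acct/"));
    }
}
```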

Specify the classpath on the command line

Don’t rely on the CLASSPATH environment variable, because that opens a door for attackers to insert their own classes.

It is good practice to always specify your application’s classpath on the command line in a read-only startup script.

Protecting Applet-based client

Type confusion attack – the attacker develops bytecode that confuses the VM as to the type of the object at a particular memory location.

It took advantage of flaws (failure to stop illegal class casting or accessing an object’s private instance variables) in the bytecode verifiers embedded in particular VMs.

Protecting Applet-based client (cont.)
  • Problem: flaws in an underlying VM
  • Solution: Use the Java Plug-in
    • When the browser sees a special tag embedded in an HTML page indicating that a Java applet is present, it ignores the browser’s built-in VM and invokes the Java Plug-in, which uses Sun’s JRE
    • With Java Plug-in, applets will run with the default Java Security manager.
Protecting WebStart-based Client
  • Java WebStart uses the Java Network Launching Protocol (JNLP) and API
    • Combine the benefits of applet-based deployment with the benefits of standalone applications (no need for a web browser or applet container)
    • WebStart code is loaded remotely, so it is vulnerable to well-known hacking techniques such as server spoofing, class replacement, and tricking unknowledgeable users into granting wide-ranging system access.
Protecting WebStart-based Client (cont.)
  • Solution:
    • Regulated via the SignedBy attribute in javaws.policy file or the system policy file
    • Two additional security settings defined in the JNLP file for the application: AllPermissions attribute and the J2EE-Client attribute.
    • Including the JNLP files in the signed JAR file
Java Network Applications: RMI
  • The Dangers of RMI
  • Unauthorized Use of Server Side Functions
  • Loading class and jar files remotely
The Dangers of RMI
  • RMI makes all method calls across network in plain text without any authentication.
    • Information could be read in transit by a packet sniffer
The Dangers of RMI (cont.)
  • Solution:
    • Selective encryption
      • Encrypting the Account number and Balance
    • Encrypted communication channel
      • Using SSL connection between Client and Server
Unauthorized Use of Server Side Functions
  • Solution:
    • Alter the remote methods so that the server can verify the user’s identity
    • Authenticated communication channel
      • Create an authenticated socket class
      • Create a socket factory so that RMI can use the new socket
Loading class and jar files remotely
  • RMI allows the class and JAR files to be loaded from a remote location for application distribution
  • Hackers could modify the JAR code and convince the users to run it. Then they could control the system.
  • Solution:
    • Alter the remote methods so that the server can verify the user’s identity
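The "encrypted communication channel" and "authenticated socket factory" solutions from the RMI slides above in one place, plus the class-loading point from this slide, as an added example that is not the presentation’s own code. It uses the JDK’s javax.rmi.ssl factories rather than a hand-written socket class; the service name, port and keystore/truststore paths are placeholders.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/** Account service exported over mutually authenticated TLS instead of plain JRMP. */
public class SecureAccountRmi {

    /** The remote interface; the balance no longer crosses the network in clear text. */
    public interface AccountService extends Remote {
        double getBalance(String accountNo) throws RemoteException;
    }

    static class AccountServiceImpl implements AccountService {
        public double getBalance(String accountNo) {
            return "12345".equals(accountNo) ? 300.3 : 0.0;   // constructed sample data
        }
    }

    static final int PORT = 2099;   // assumed port; any free port works

    static void startServer() throws Exception {
        // Load classes only from the local classpath, never from a codebase URL a peer names;
        // this is already the JDK default on current releases but is worth pinning explicitly.
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");

        // null cipher suites / protocols keep the JSSE defaults; needClientAuth = true makes the
        // TLS handshake demand a client certificate, so the transport authenticates the caller
        // before any remote method runs. Both factories are Serializable, as RMI requires.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();

        AccountService stub = (AccountService) UnicastRemoteObject.exportObject(
                new AccountServiceImpl(), 0, csf, ssf);
        // The registry is exported with the same factories so lookups are protected as well.
        Registry registry = LocateRegistry.createRegistry(PORT, csf, ssf);
        registry.rebind("AccountService", stub);
    }

    static double clientLookup(String host) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, PORT, new SslRMIClientSocketFactory());
        AccountService svc = (AccountService) registry.lookup("AccountService");
        return svc.getBalance("12345");
    }

    public static void main(String[] args) throws Exception {
        // Each side needs a keystore (its own certificate) and a truststore (the peer's CA).
        // Placeholder paths and passwords, not real ones:
        System.setProperty("javax.net.ssl.keyStore", "<path-to-keystore.p12>");
        System.setProperty("javax.net.ssl.keyStorePassword", "<keystore-password>");
        System.setProperty("javax.net.ssl.trustStore", "<path-to-truststore.p12>");
        System.setProperty("javax.net.ssl.trustStorePassword", "<truststore-password>");
        startServer();
        System.out.println("balance = " + clientLookup("localhost"));
    }
}
```

Run with the same keystore and truststore on both sides for a single-host test; in a real deployment each party holds only its own private key.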
Exploiting Java Web Tier Components
  • A Java web application utilizes several technologies:
    • JSP and Servlets
    • Static HTML content
    • The Tomcat web container / web server
Exploiting Java Web Tier Components (cont.)
  • System-level security is extremely important for any web application
  • You can apply the following security measures to the web application:
    • Passing servlet parameters in the URL instead of in the HTTP header
    • Configuring certain servlets to deny HTTP GET requests
Exploiting Java Web Tier Components (cont.)
  • Implementing a solid web application exception handling
  • Overriding container defaults for directory listing and servlet invocation
  • Implementing a form-based authentication scheme
  • Resist “session stealing” attacks
  • Implementing and requiring HTTPS via SSL for all browser-to-container connections
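A login servlet that applies several of the web-tier measures listed above (deny GET, require HTTPS, resist session stealing, solid exception handling) and also records the events the earlier "Logging and auditing" slides say to log, using the Java Logging API. This is an added example, not the presentation’s code; LoginServlet, the audit log path and the demo credential in checkPassword are placeholders, and the javax.servlet API is assumed.

```java
import java.io.IOException;
import java.util.logging.FileHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Form-based login endpoint with the web-tier measures from the slides wired in. */
public class LoginServlet extends HttpServlet {
    // Dedicated audit logger writing to its own file (path is a placeholder; true = append).
    private static final Logger AUDIT = Logger.getLogger("security.audit");
    static {
        try {
            FileHandler fh = new FileHandler("<path-to-audit.log>", true);
            fh.setFormatter(new SimpleFormatter());
            AUDIT.addHandler(fh);
            AUDIT.setUseParentHandlers(false);         // keep audit records off the console
        } catch (IOException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Credentials never belong in a URL: refuse GET so they cannot land in history or access logs. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        AUDIT.log(Level.WARNING, "GET to login denied ip={0}", req.getRemoteAddr());
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!req.isSecure()) {                         // the container must have received this over HTTPS
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        try {
            if (user == null || pass == null || !checkPassword(user, pass)) {
                AUDIT.log(Level.WARNING, "login FAILED user={0} ip={1}",
                        new Object[] { user, req.getRemoteAddr() });
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Resist session stealing: never keep the pre-login session id, issue a fresh one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            HttpSession session = req.getSession(true);
            session.setAttribute("principal", user);
            AUDIT.log(Level.INFO, "login OK user={0} ip={1} session={2}",
                    new Object[] { user, req.getRemoteAddr(), session.getId() });
            resp.sendRedirect(req.getContextPath() + "/home");
        } catch (RuntimeException e) {
            // Full detail goes to the audit log; the browser only sees a generic error page.
            AUDIT.log(Level.SEVERE, "unexpected error during login for user=" + user, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    /** Hypothetical credential check; real code would consult the application's user store. */
    private boolean checkPassword(String user, String pass) {
        return "alice".equals(user) && "constructed-demo-password".equals(pass);
    }
}
```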
Web Services Security
  • Web Services
  • Web Service Technologies
  • Quick Comparison Related Technologies
  • The Java Web Services Developer Pack
  • Web Services Application Vulnerabilities
  • Securing Web Services Application
  • Web Services Security Scheme
Web Services
  • The ability to publish, discover, or invoke a set of services in a platform-independent manner, using XML and standard, web-based protocols for transport.
Web Services Technologies
  • Simple Object Access Protocol (SOAP)
    • Provide a platform neutral, XML-based mechanism to request services
  • Web Services Description Language (WSDL)
    • The interface description of the service
Web Services Technologies (cont.)
  • Universal Description Discovery and Integration (UDDI)
    • The naming service, where service providers can advertise their services to prospective clients
The Java Web Services Developer Pack
  • Java technologies for web services
    • JAXM
      • A Java Interface to generate SOAP messages
    • JAX-RPC
      • An interface on top of JAXM that provides an RMI-like interface to web services
The Java Web Services Developer Pack (cont.)
  • JAXR
    • Java access to UDDI-based registries
  • A Host for Web Services Endpoints
    • A reference implementation using servlets running on Jakarta Tomcat
Web Services Application Vulnerabilities
  • The transport data is viewable or changeable with a common text editor
  • The WSDL metadata to invoke the service is usually available to the general public
  • Propagation of security identity or credentials between the client and service is not standard and can be quite problematic, especially in a workflow-based architecture
Securing Web Services Application
  • Securing the client/server connection
  • Connecting web services via secure tunneling over SSL
  • Authentication with web services
  • Implementing declarative authorization for web services
  • Implementing programmatic authorization for web services
Securing Web Services Application (cont.)
  • Confidentiality and integrity of payload information
  • Propagation of credential information
Securing the client/server connection
  • Use SSL/TLS for All Non-public Web Service Ports
    • J2EE provides an option for all communication with the application to use SSL/TLS or not
J2EE Security Architecture
  • Covers both web-tier and EJB-tiers.
    • At the Web tier, access control is performed against each web resource, which is represented in the form of a URL
    • At EJB-tier, the access control can be applied against each business method of a bean.
  • The container can enforce access control based on roles defined in the web-tier and EJB-tier.
J2EE Security Architecture
  • A security role represents a grouping of principals and is associated with permissions, or authorization within the application.
  • A principal is assigned a role, and a role is granted permission to execute specific methods.
  • User credentials are represented in the form of Principal objects. The Principal objects are created from the actual user identity information that was entered by user.
EJB Security Architecture
  • EJBs have two options for managing security
    • Declarative security
      • Declarations made in the deployment descriptor dictate the security of the components.
      • Security boundaries are based on the beans and the methods provided by the beans
      • Security is based on which roles are allowed to use which beans and which methods they are allowed to execute within the beans.
EJB Security Architecture
  • Programmatic security
    • The EJB API provides several methods that indicate the role of the caller and the principal of the caller to control the execution of application security
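Declarative and programmatic EJB security side by side, as an added example that is not from the presentation: the deployment-descriptor fragment (in the comment) grants the method to two roles, and the bean body then uses getCallerPrincipal and isCallerInRole for the per-record rule the descriptor cannot express. AccountBean, the role names and the ownership table are constructed; the EJB 2.x javax.ejb API is assumed.

```java
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/* ejb-jar.xml (assumed), the declarative half: the container rejects any caller outside
 * these roles before the bean method is entered.
 *   <assembly-descriptor>
 *     <security-role><role-name>customer</role-name></security-role>
 *     <security-role><role-name>teller</role-name></security-role>
 *     <method-permission>
 *       <role-name>customer</role-name>
 *       <role-name>teller</role-name>
 *       <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
 *     </method-permission>
 *   </assembly-descriptor>
 */
public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext c) { this.ctx = c; }
    public void ejbCreate() { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /** Programmatic half: a customer may read only their own account, a teller any account.
     *  The principal is the one the container propagated from the web tier or client. */
    public double getBalance(String accountNo) {
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole("teller") && !ownsAccount(caller.getName(), accountNo)) {
            throw new EJBException("caller " + caller.getName() + " may not read " + accountNo);
        }
        return lookupBalance(accountNo);
    }

    private boolean ownsAccount(String user, String accountNo) {
        // Constructed ownership table for the two sample rows used in the slides.
        return ("alice".equals(user) && "12345".equals(accountNo))
            || ("bob".equals(user) && "54321".equals(accountNo));
    }

    private double lookupBalance(String accountNo) {
        return "12345".equals(accountNo) ? 300.3 : 1000.52;   // constructed sample data
    }
}
```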
Contact Details:

Dr. Waitak Wong

Email: wtwong@mi.chu.edu.tw

Phone: 03-5186529

Department of Information Management

Chung Hua University

No. 707, Sec. 2, WuFu Rd.,

Hsinchu, Taiwan

Glossary
  • CSP – Cryptographic Service Provider
  • EJB – Enterprise Java Bean
  • IDL – Interface Description Language
  • IIOP – Internet Inter-ORB Protocol
  • JAAS – Java Authentication and Authorization Service
  • JCE – Java Cryptography Extension
  • JDBC – Java Database Connectivity
  • JNLP – Java Network Launching Protocol
Glossary (cont.)
  • JRMP – Java Remote Method Protocol
  • JSSE – Java Secure Socket Extension
  • JWSDP – Java Web Services Developer Pack
  • MAC – Message Authentication Code
  • PKCS – Public Key Cryptography System
  • RMI – Remote method Invocation
  • SSL – Secure Socket Layer
  • TLS – Transport Layer Security