Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

Java Security

Overview

• Hermetically Sealed vs. Networked

• Executable Content (Web Pages & email)

• Java Security on the Browser• Java Security in the Enterprise• Java Security on the Network

JVM as Gatekeeper

• Indirect Execution• Language Features (no pointers,

type-safe)• Class Loaders• Bytecode Verifiers

Security Solutions

• Java Security on the Browser– Browser Security Managers– Sandbox– Digital Signatures

• Java Security in the Enterprise– Access Control– Authentication – Authorization– Confidentiality and Integrity Protection

• Java Security on the Network – Encryption

Java

Application Server

Application Server

Presentation& Business Logic

Servlet/JSPEJBs, RMI Objects

JDBC

Internet

Browser

Web Server

One Observation

In all likelihood, security flaws will continue to be discovered (and patched) in Java VM implementations. Despite this, Java remains perhaps the most secure platform currently available.  There have been few, if any, reported instances of malicious Java code exploiting security holes "in the wild". For practical purposes, the Java platform appears to be adequately secure, especially when contrasted with some of the insecure and virus-ridden alternatives.

- David Flanagan, Java in a Nutshell

Types of Attack

• System Attack• Data theft• Masquerade• Denial of Service• Annoyance

Defending against Attack

Class

ComputerResources

BytecodeVerifier

ClassLoader

SecurityManager

Class Loaders

• VM only loads class files that are needed for the execution of a program

• Every Java program has at least three class loaders:– Bootstrap class loader– Extension class loader– System class loader

Bootstrap class loader

• Loads system classes (rt.jar)• Usually implemented in C• Integral part of the JVM• No ClassLoader object available

Other class loaders

• Extension class loader– Loads standard extensions (jre/lib/ext)

• System class loader– Loads application classes from

CLASSPATH

• Both of the above are implemented in Java

• Both of the above are instances of the URLClassLoader class.

Namespaces

• Beyond just the fully resolved class and package name

• A class is determined by its full name and the class loader

• Useful for loading code from multiple sources

• Two classes in the same VM may have the same class and package name

Namespaces

Internet

Sun Applet Kaos Applet

Browser JVM

com.sun.Car (Sun)

com.sun.Car (Kaos)

Class loader r1

Class loader r2

www.sun.com

www.kaos.com

r1

r2r1 r2

Bytecode Verification

• Inspects bytecodes from newly loaded class

• Checks instructions to make sure they are safe

• All classes except system classes are verified

Verification Checks

• Variables initialized before use• Method calls match types of object

references• Rules for accessing private data and

methods upheld• Local variable accesses fall within

the runtime stack• The runtime stack does not overflow

Security Manager

• Determines if a specific operation is permitted– Accessing fields of another class

using reflection– Accessing a file– Starting a print job– Accessing the AWT event queue– Exiting the virtual machine

Consulting the Security Manager

public void exit(int status)

{

SecurityManager sec = System.getSecurityManager();

if( sec != null )

sec.checkExit(status);

exitInternal(status);

}

Permission Sets

• A security policy maps code sources to permission sets

Code Source 1Code base (location)

certificates

Code Source 2Code base (location)

certificates

Permission Set 1permission #1apermission #1b

Permission Set 2permission #2apermission #2bpermission #2c

Policy Files

• Instructions that map code sources to permissions

grant codebase “http://www.cs.weber.edu/classes”

{

permission java.io.FilePermission “/tmp/*”, “read,write”;

};

Where are policy files?

• The file java.policy in the Java platform home directory

• The file .java.policy in the user home directory

Specifying policy files

• Assume a customized policy file called MyApp.policy

• Inside an application main method:

System.setProperty(“java.security.policy”, “MyApp.policy”);

• On the command line:

java –Djava.security.policy=MyApp.policy MyApp

• For applets:

appletviewer -J–Djava.security.policy=MyApp.policy MyApp.html

Installing a Security Manager

• Inside an application main method:

System.setSecurityManager(new SecurityManager());

• On the command line:

java –Djava.security.manager

-Djava.security.policy=MyApp.policy MyApp

JAAS – Java Authentication and Authorization Service

• Authentication – ascertaining identity• Authorization – map users to permissions• Isolates Java applications from

underlying technology used to implement authentication– UNIX logins– NT logins– Kerberos authentication– Certificate-based authentication

Digital Signatures

• Allows different levels of security• Has the transmitted message been

tampered with?• Message Digest (SHA1, MD5)• Public/Private Key (DSA)• Certificate Signing

Encryption

• Obscures transmission of plain text• Hides confidential information• Java Cryptographic Extension

(JCE)– Cipher class

• Data Encryption Standard (DES)