code security
![Page 1: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/1.jpg)
Code Security
Gordon College
Stephen Brinton
![Page 2: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/2.jpg)
Virtual Machine Security
• Building a fence around your code
  – JVM – Java Virtual Machine
    • Originally developed by Sun Microsystems
    • Executes Java Bytecode
      – Execution by: Interpretation (JVM) or Compilation (JIT)
  – Common Language Runtime
    • Developed by Microsoft
    • Executes Common Intermediate Language (CIL)
      – Verified and then run as native code on machine
![Page 3: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/3.jpg)
Java’s Security
• Strongly Typed Compiler
  – Eliminate programming bugs
  – Help enforce language semantics
• Bytecode verifier
  – Makes sure the rules of Java are followed in the compiled code
• Classloader
  – Finds, loads, and defines classes (runs verifier on them)
• Security Manager
  – Main interface between the system and the Java Code
![Page 4: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/4.jpg)
Trusted vs Untrusted Code
• Trusted
  – Java API code
  – Code loaded from the classpath
  – Resides outside the “sandbox”
• Untrusted
  – Code loaded from outside the classpath (usually from a network)
  – Confined to the “sandbox”
• Java Apps (by default) live outside the sandbox and Java Applets are confined within the sandbox
![Page 5: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/5.jpg)
What’s a “Sandbox”?
• Applets run inside a “sandbox”
  – If you download code, it has to play within the JVM (Sandbox)
  – SecurityManager is called for certain methods, and can forbid access
• JDK1.1 introduced the notions of code-signing and “trusted applets”
![Page 6: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/6.jpg)
Sandboxes
How do you protect your computer from bad code?
• The solution: Make untrusted code play within a sandbox.
• Need for varying security policies increases
  – You assign “permissions” to pieces of code
  – JDK 1.1 (digital signatures) – if the user trusts the digitally signed code, the user can allow normally untrusted code to access resources
• Enforcement Mechanism for Policy (sandbox)?
  – Security Managers
![Page 7: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/7.jpg)
Java Sandbox
The sandbox for untrusted Java applets, for example, prohibits many activities, including:
• Reading or writing to the local disk
• Making a network connection to any host, except the host from which the applet came
• Creating a new process
• Loading a new dynamic library and directly calling a native method
![Page 8: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/8.jpg)
Java Sandbox
• The fundamental components responsible for Java's sandbox are:
* Safety features built into the Java virtual machine (and the language)
* The class loader architecture
* The class file verifier
* The security manager and the Java API
![Page 9: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/9.jpg)
Creating a security manager in JDK 1.1 (that allows reading files, but disallows writing files)
public class MySecurityManager extends java.lang.SecurityManager {
    public void checkRead(String file) throws SecurityException {
        // reading is allowed, so just return
        return;
    }

    public void checkWrite(String file) throws SecurityException {
        // writing is not allowed, so throw the exception
        throw new SecurityException("Writing is not allowed");
    }
} // end MySecurityManager
![Page 10: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/10.jpg)
Creating a security manager in JDK 1.1 (that allows reading files, but only with extension “txt”)
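public class MySecurityManager2 extends java.lang.SecurityManager {
    public void checkRead(String file) throws SecurityException {
        // check the file extension to see if it ends in ".txt"
        int index = file.lastIndexOf('.');
        // a name with no '.' has no extension: deny it explicitly rather than
        // letting substring(-1, ...) fail with StringIndexOutOfBoundsException
        if (index < 0) {
            throw new SecurityException("Cannot read file: " + file);
        }
        String result = file.substring(index, file.length());
        if (result.equalsIgnoreCase(".txt")) {
            return;
        } else {
            throw new SecurityException("Cannot read file: " + file);
        }
    }
}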
![Page 11: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/11.jpg)
Security Manager prior to JDK 1.2
Only way security was controlled prior to JDK 1.2
Advantages:
– Easy to provide a binary security model (yes, you can or no, you can't)
– Methods in the SecurityManager class are called by the Java API; there's no need for you to call the code at all
– Interface of this system is constant across all JVM platforms; one security manager can run everywhere
– Additional size of a simple security manager is negligible
– Security manager & class loader work hand-in-hand to ensure neither is compromised by accident or an act of evil
![Page 12: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/12.jpg)
Security Manager prior to JDK 1.2
Disadvantages:
– Control of security is in the developer's hands, not in a security specialist's hands
– Not easy to provide a customizable security model that varies from user to user
– Only way to change an existing policy is to change or subclass the existing security manager; not all users have the capability of programming in Java
– New security policies (non-system resource policies, for example) are difficult to implement
![Page 13: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/13.jpg)
Install a SecurityManager
• Applications don’t start, by default, with a SecurityManager
• You must install one, either from within the code, or using a command line argument
java -Djava.security.manager
![Page 14: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/14.jpg)
Building a bigger and better sandbox
• To provide greater control to user and developer -
  – Traditional sandbox (java.security package) was expanded to include:
    • AccessController class
      – Muscle of the security manager – enforces policy
    • Permission class
    • Policy class
![Page 15: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/15.jpg)
AccessController
java -new -usepolicy FileApp test.txt
![Page 16: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/16.jpg)
The Policytool
Policy Tool Main Window
![Page 17: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/17.jpg)
The Policytool
Policy Tool Edit Entry Window
![Page 18: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/18.jpg)
The Policytool
Policy Tool Add Grant Entry Window
![Page 19: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/19.jpg)
.NET Framework
• Different administrative software model
• Fixed location (traditional)
• Dynamic nature of software (present)
  – Dynamic downloads and execution
  – Remote execution
  – Security is essential
![Page 20: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/20.jpg)
Security Models
• Role-based security
  – Users have access to resources based on roles
  – Model used by most operating systems
• Code access security (new with .Net)
  – Also called “evidence-based security”
  – Even if user is trusted - the code may not be.
  – Tackles the problem with mobile code
Both models are found in .Net framework
![Page 21: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/21.jpg)
Code Access Security
mechanism of the CLR
  – Manages code and depends on level of trust
  – CLR – will lessen and tighten its grip based on permission and trust level
    • Very similar to the sandbox view
  – Two aspects:
    • Control the access level given to an application (assembly)
    • Control access to a particular resource (like a database)
![Page 22: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/22.jpg)
.Net execution
• Runtime framework
  – Runs both managed and unmanaged code
    • Managed - under control of runtime
      – Has access to certain features: memory management, JIT, and security services
      – MSIL (MS intermediate language)
      – Can be compiled to native code prior to execution
    • Unmanaged - compiled for a certain system
      – Can not directly use the runtime
MSIL : object-oriented assembly language for an abstract, stack-based machine
![Page 23: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/23.jpg)
CIL
common intermediate language
C#
public double GetVolume()
{
    double volume = height*width*thickness;
    if(volume<0) return 0;
    return volume;
}

.method public hidebysig instance float64 GetVolume() cil managed
{
  // Code size 51 (0x33)
  .maxstack 2
  .locals init ([0] float64 volume, [1] float64 CS$00000003$00000000)
  IL_0000: ldarg.0
  IL_0001: ldfld float64 OOP.Aperture::height
  IL_0006: ldarg.0
  IL_0007: ldfld float64 OOP.Aperture::width
  IL_000c: mul
  IL_000d: ldarg.0
  IL_000e: ldfld float64 OOP.Aperture::thickness
  IL_0013: mul
  IL_0014: stloc.0
  IL_0015: ldloc.0
  IL_0016: ldc.r8 0.0
  IL_001f: bge.un.s IL_002d
  IL_0021: ldc.r8 0.0
  IL_002a: stloc.1
  IL_002b: br.s IL_0031
  IL_002d: ldloc.0
  IL_002e: stloc.1
  IL_002f: br.s IL_0031
  IL_0031: ldloc.1
  IL_0032: ret
} // end of method Aperture::GetVolume

object-oriented assembly language for an abstract, stack-based machine
![Page 24: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/24.jpg)
CLR
common language runtime
![Page 25: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/25.jpg)
CLR
common language runtime
3 different runtimes
1. A single CLR that runs all ASP.NET apps
2. Browsers (IE) use a single CLR that executes all downloaded controls
3. CLR used to execute commands run from the OS shell.
![Page 26: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/26.jpg)
Verification
• 2 Forms of verification done at runtime
  – MSIL - verified
    • Invalid - JIT compiler cannot make native exe
    • Valid - can be made into native code
    • Type safe - interacts with types through exposed contracts
    • Verifiable - can be proved to be type-safe
  – Assembly metadata - validated
    • Metadata - describes aspects of the code file
![Page 27: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/27.jpg)
Verification
• Integrated with the compiler
• If code is trusted
    skip verification and compile
  otherwise
    MSIL verification
    assembly metadata verification
    if successful verification - compile
![Page 28: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/28.jpg)
Code Access Security
• Assigns permissions to assemblies based on assembly evidence
• Evidence identifies code: location, etc.
• Evidence is attached to assembly when loaded for execution
• Evidence limits what program can do
Opt-in approach
![Page 29: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/29.jpg)
Permissions
• Authority to perform protected operations
  – Accessing files, registry, network, GUI, execution environment, skip verification
• Assembly load time
  – Evidence -> grant permissions
![Page 30: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/30.jpg)
Evidence
• Zone
• URL
• Hash (encrypted value)
• Strong name - unique ID for program
• Site
• Application Directory
• Publisher certificate
![Page 31: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/31.jpg)
Evidence
<System.Security.Policy.Zone version="1">
  <Zone>MyComputer</Zone>
</System.Security.Policy.Zone>
<System.Security.Policy.Url version="1">
  <Url>
    file:///C:/winnt/microsoft.net/framework/v1.0.2728/mscorlib.dll
  </Url>
</System.Security.Policy.Url>
<StrongName version="1" Key="00000000000000000400000000000000" Name="mscorlib" Version="1.0.2411.0"/>
<System.Security.Policy.Hash version="1">
  <RawData>4D5A90000300000004000000FFFF0000B8000000000000... 0000000000000000000000000000000000000000000000000000 </RawData>
</System.Security.Policy.Hash>
![Page 32: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/32.jpg)
Evidence Based Security
• The loader discovers evidence of the origin of the code
  – Evidence is info about the assembly
  – Used to determine the permissions granted to an assembly
  – Evidence is the input to the security policy
    • Publisher: Authenticode signer
    • Strong Name: public key+name+version
    • Site: Web site of code origin
    • URL: URL of code origin
    • Zone: zone of code origin
  – Extensible for new kinds of evidence (custom)
![Page 33: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/33.jpg)
Security Policy
Mapping {AssemblyEvidence} -> {PermissionsGranted}
Control by administrator
Policy levels:
* Enterprise Policy Level
* Machine Policy Level
* User Policy Level
* Application Domain Policy Level
![Page 34: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/34.jpg)
Security Policy
Determining the set of granted permissions:
1. Policy levels evaluate the evidence and generate a set of permissions.
2. Permission sets calculated for each policy level are intersected with each other.
3. Resulting permission set is compared with the set of permissions the assembly declared necessary to run.
![Page 35: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/35.jpg)
Security Policy
![Page 36: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/36.jpg)
.NET Framework
• Code groups
  – Bring together code with similar characteristics
• Evidence
  – Information used to place code into code groups
  – where code is from (internet or intranet), publisher, strong name, URI from download, etc.
• Arranged in a hierarchy
• Permissions
  – Actions you allow each code group to perform
    • For example: “able to access the user interface”
  – Managed by system admin. at the enterprise, machine and user levels
![Page 37: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/37.jpg)
.NET Framework
![Page 38: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/38.jpg)
.NET Framework
Condition: All code, Permission Set: Nothing
Condition: Zone: Internet, Permission Set: Internet
Condition: URL: www.monash.edu.au, Permission Set: MonashPSet
Condition: Strong Name: m-Commerce, Permission Set: m-CommercePSet
![Page 39: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/39.jpg)
Microsoft Management Console snap-in
Condition: All code, Permission Set: Nothing
Condition: Zone: Internet, Permission Set: Internet
Condition: URL: www.monash.edu.au, Permission Set: MonashPSet
Condition: Strong Name: m-Commerce, Permission Set: m-CommercePSet
![Page 40: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/40.jpg)
Permission Sets
• FullTrust: Allows unrestricted access to system resources.
• SkipVerification: Allows an assembly to skip verification.
• Execution: Allows code to execute.
• Nothing: No permissions. Not granting the permission to execute effectively stops code from running
• Internet: Appropriate for code coming from the Internet. (Limited) Code will not receive access to the file system or registry, but can do limited user interface actions as well as use the safe file system called Isolated Storage.
Predefined Psets - can be accessed within code.
![Page 41: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/41.jpg)
Stack Walk
• When are the permissions generated by the code-access security module checked?
  – To determine whether code is authorized to access a resource or perform an operation, the runtime's security system walks the call stack, comparing the granted permissions of each caller to the permission being demanded.
A protected resource may demand a stack walk
![Page 42: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/42.jpg)
Stack Walk
• When are the permissions generated by the code-access security module checked?
  – To determine whether code is authorized to access a resource or perform an operation, the runtime's security system walks the call stack, comparing the granted permissions of each caller to the permission being demanded.
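Why the runtime compares the demand against every caller and not only the nearest one, as an added Python model (not from the slides and not the CLR's implementation). The assembly names, method names and permission labels are constructed for the illustration.

```python
from dataclasses import dataclass


class SecurityException(Exception):
    """Raised when a caller on the stack lacks the demanded permission."""


@dataclass(frozen=True)
class Frame:
    method: str
    assembly: str
    granted: frozenset   # permissions policy granted to this frame's assembly


def immediate_caller_check(stack, permission):
    """Weak check: looks only at the frame that called the protected resource."""
    return permission in stack[-1].granted


def demand(stack, permission):
    """Stack walk: every caller, most recent first, must hold the permission."""
    for frame in reversed(stack):
        if permission not in frame.granted:
            raise SecurityException(
                f"{frame.assembly}!{frame.method} lacks {permission}")
    return True


def is_allowed(stack, permission):
    try:
        return demand(stack, permission)
    except SecurityException:
        return False


# Constructed grants: a fully trusted set and a restricted download set.
FULL = frozenset({"Execution", "UI", "FileIO"})
INTERNET = frozenset({"Execution", "UI"})

# Call stacks listed oldest call first; the last frame calls the file API.
LOCAL_CALL = [Frame("Main", "LocalApp.exe", FULL),
              Frame("SaveReport", "TrustedLib.dll", FULL)]
DOWNLOADED_CALL = [Frame("Main", "Downloaded.exe", INTERNET),
                   Frame("SaveReport", "TrustedLib.dll", FULL)]

if __name__ == "__main__":
    for name, stack in (("local", LOCAL_CALL), ("downloaded", DOWNLOADED_CALL)):
        print(name,
              "immediate caller:", immediate_caller_check(stack, "FileIO"),
              "stack walk:", is_allowed(stack, "FileIO"))
```

The trusted library passes the immediate-caller check in both stacks, so only the full walk notices that the request originated in code without the file permission.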
![Page 43: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/43.jpg)
Security Policy Topology
• Multiple policy levels of administration
  – Enterprise: policy distributed across organization
  – Machine: policy for all users of a machine
  – User: policy specific to logged on user
• Effective policy is the intersection of levels
[Diagram: Enterprise policy at the top; Machine1 policy and Machine2 policy beneath it; UserA, UserB, UserC and UserD beneath the machine policies]
![Page 44: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/44.jpg)
Evaluating Policy Per Level
• Each Policy Level contains a set of code groups
  – Code groups are arranged in a tree
  – Every code group has a membership condition and a set of granted permissions
  – An assembly is mapped to one or more code groups based on the evidence that the assembly provides
[Diagram: code group tree. Root condition "ALL CODE?" with permission set None; child conditions "Internet?", "Intranet?" and "Local?" with permission sets P1, P2 and P3; branches labelled YES / NO]
![Page 45: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/45.jpg)
Completing Policy Resolve
• Matching code groups evaluated
  – Union of matching permission sets per level, this is the permissions allowed by this level
  – Intersection of Policy Levels produces the final ALLOWED permission set for the assembly
    • ALLOWED = Enterprise ∩ Machine ∩ User
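The three-step resolution from the "Security Policy" and "Completing Policy Resolve" slides, as an added Python model (not from the original slides and not the .NET API). The code group names come from the slides; the permission labels, the contents of MonashPSet and m-CommercePSet, the Enterprise and User level rules, and the evidence values are constructed, and skipping the children of a non-matching group is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class CodeGroup:
    name: str
    member: Callable[[dict], bool]        # membership condition over evidence
    permissions: frozenset                # permission set granted on a match
    children: list = field(default_factory=list)


def level_grant(group, evidence):
    """Union of the permission sets of every matching code group in one level."""
    if not group.member(evidence):
        return frozenset()                # model assumption: subtree is skipped
    granted = set(group.permissions)
    for child in group.children:
        granted |= level_grant(child, evidence)
    return frozenset(granted)


def resolve(levels, evidence, required=frozenset()):
    """Return (per-level grants, ALLOWED, whether the declared minimum is met)."""
    per_level = {name: level_grant(root, evidence) for name, root in levels.items()}
    allowed = frozenset.intersection(*per_level.values())
    return per_level, allowed, frozenset(required) <= allowed


# Constructed permission labels and set contents (not real .NET classes).
ALL = frozenset({"Execution", "UI", "IsolatedStorage", "FileIO", "Network", "Registry"})
INTERNET = frozenset({"Execution", "UI", "IsolatedStorage"})
MONASH_PSET = frozenset({"FileIO", "Network"})
MCOMMERCE_PSET = frozenset({"Registry"})


def all_code(evidence):
    return True


# Machine level: the code groups listed on the slides.
MACHINE = CodeGroup("All code", all_code, frozenset(), [
    CodeGroup("Zone: Internet", lambda e: e.get("zone") == "Internet", INTERNET),
    CodeGroup("URL: www.monash.edu.au",
              lambda e: e.get("url", "").startswith("http://www.monash.edu.au/"),
              MONASH_PSET),
    CodeGroup("Strong Name: m-Commerce",
              lambda e: e.get("strong_name") == "m-Commerce", MCOMMERCE_PSET),
])
LEVELS = {
    "Enterprise": CodeGroup("All code", all_code, ALL),
    "Machine": MACHINE,
    # Constructed user-level restriction: no network or registry access.
    "User": CodeGroup("All code", all_code, ALL - {"Network", "Registry"}),
}

# Constructed evidence for two downloaded assemblies.
MONASH_APP = {"zone": "Internet", "url": "http://www.monash.edu.au/app.exe"}
UNKNOWN_APP = {"zone": "Internet", "url": "http://example.test/app.exe"}

if __name__ == "__main__":
    for label, ev in (("monash", MONASH_APP), ("unknown", UNKNOWN_APP)):
        per_level, allowed, ok = resolve(LEVELS, ev, {"Execution", "FileIO"})
        print(label, sorted(allowed), "minimum met" if ok else "refused")
```

The Machine level would give the Monash assembly network access through the union of its two matching groups, but the User level removes it again in the intersection.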
![Page 46: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/46.jpg)
Policy Tools
• caspol.exe
• Console Management snap-in
  – .NET Framework 2.0 Configuration
![Page 47: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/47.jpg)
Example
caspol.exe -ld
look at the code groups on a machine
caspol.exe -listgroups
look at the code groups on a machine (more compact)
caspol.exe -resolvegroup simpleSecure.exe
view an assembly’s code groupings (effective permission – intersection)
caspol.exe -resolveperm simpleSecure.exe
view an assembly’s permissions (each code group brings additional permissions)
![Page 48: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/48.jpg)
.NET Framework 2.0 Configuration
![Page 49: Code Security](https://reader035.vdocuments.us/reader035/viewer/2022062221/5681313a550346895d97b04d/html5/thumbnails/49.jpg)
Detail Information
“Building a bigger sandbox” http://www.javaworld.com/javaworld/jw-08-1998/jw-08-sandbox-p2.html
“Security in the .NET Framework” http://msdn2.microsoft.com/en-us/library/fkytk30f(vs.80).aspx
“Java vs. .NET Security” http://www.onjava.com/pub/a/onjava/2003/11/26/javavsdotnet.html