Java
Massimo Dong
November 27, 2017
Massimo Dong Java November 27, 2017 1 / 26
Outline
1 The Java Language: Java Virtual Machine (JVM)
2 Java Memory Management: References & Garbage Collection; Array Check; *Heartbleed
3 Compile & Run Time Check: Exceptions; Type Safety; Modifiers; Undefined Behaviors
4 Java Rich Internet Applications: Web Start Applications; Sandbox; Security Manager; Signing
Massimo Dong Java November 27, 2017 2 / 26
Java Virtual Machine(JVM)
Massimo Dong Java November 27, 2017 3 / 26
Outline
1 The Java Language: Java Virtual Machine (JVM)
2 Java Memory Management: References & Garbage Collection; Array Check; *Heartbleed
3 Compile & Run Time Check: Exceptions; Type Safety; Modifiers; Undefined Behaviors
4 Java Rich Internet Applications: Web Start Applications; Sandbox; Security Manager; Signing
Massimo Dong Java November 27, 2017 4 / 26
References vs Pointers
Java
// A Java reference can only name an object or be null: the language offers no
// pointer arithmetic and no delete. The garbage collector reclaims the object
// once nothing can reach it, so there is no dangling reference to misuse.
ProblemSolving ref = new ProblemSolving();
...
C++
// Manual lifetime: whatever new allocates must be released by exactly one delete.
ProblemSolving *ptr = new ProblemSolving;
...
delete ptr;  // ptr still holds the old address; using or deleting it again is undefined behavior
Massimo Dong Java November 27, 2017 5 / 26
Java Reference
Java
/** Stores 2 in the UD field of the object that ref refers to. */
static void foo(ProblemSolving ref){
ref.UD = 2;  // ref is a copy of the caller's reference, so this writes to the caller's object
}
/** Creates one ProblemSolving, lets foo modify it, then prints its UD field. */
public static void main(String[] argv){
ProblemSolving ref = new ProblemSolving();
foo(ref);  // the reference is passed by value; caller and callee name the same object
System.out.println(ref.UD);  // prints the 2 that foo stored
}
2
Massimo Dong Java November 27, 2017 6 / 26
Java Reference
Java
static void foo(ProblemSolving ref){
ref.UD = 2;
}
public static void main(String[] argv){
ProblemSolving ref = new ProblemSolving();
foo(ref);
System.out.println(ref.UD);
}
2
Massimo Dong Java November 27, 2017 6 / 26
Java Arrays
An object is a class instance or an array.
Java
/**
 * Shows that a Java array is itself an object: the instanceof test against
 * Object succeeds for an int[].
 */
public class ArrayDemo {
    /** Allocates a ten-element int array and prints whether it is an Object. */
    public static void main(String[] argv) {
        final int[] values = new int[10];
        final boolean arrayIsObject = values instanceof Object;
        System.out.println(arrayIsObject);
    }
}
true
Massimo Dong Java November 27, 2017 7 / 26
Java Arrays
An object is a class instance or an array.
Java
public class ArrayDemo{
public static void main(String[] argv){
int[] A = new int[10];
System.out.println(A instanceof Object);
}
}
true
Massimo Dong Java November 27, 2017 7 / 26
Java Arrays
An object is a class instance or an array.
Java
public class ArrayDemo{
public static void main(String[] argv){
int[] A = new int[10];
System.out.println(A instanceof Object);
}
}
true
Massimo Dong Java November 27, 2017 7 / 26
Array Check
Java
public class ArrayDemo{  // demo: an out-of-range array read is rejected at run time
public static void main(String[] argv){
int[] A = new int[10];  // valid indices are 0..9
System.out.println(A[233]);  // every access is bounds-checked: this throws instead of reading memory beyond the array
}
}
Exception in thread "main"
java.lang.ArrayIndexOutOfBoundsException: 233
at ArrayDemo.main(ArrayDemo.java:4)
Massimo Dong Java November 27, 2017 8 / 26
Array Check
Java
public class ArrayDemo{  // demo: an out-of-range array read is rejected at run time
public static void main(String[] argv){
int[] A = new int[10];  // valid indices are 0..9
System.out.println(A[233]);  // every access is bounds-checked: this throws instead of reading memory beyond the array
}
}
Exception in thread "main"
java.lang.ArrayIndexOutOfBoundsException: 233
at ArrayDemo.main(ArrayDemo.java:4)
Massimo Dong Java November 27, 2017 8 / 26
Heartbleed
Massimo Dong Java November 27, 2017 9 / 26
Heartbleed
Massimo Dong Java November 27, 2017 9 / 26
Heartbleed
C/C++
/* The missing check behind Heartbleed: payload is the length the peer claims in its
 * heartbeat request, and it is copied without being compared to the number of bytes
 * that actually arrived. The fix is a bounds check that discards any request whose
 * claimed length exceeds the received record. */
memcpy(bp, pl, payload);
pl = "ProblemSolving"   /* the 14 bytes that were really sent */
payload = 64 * 1024;   /* claimed length (illustrative; the real field is 16 bits, so at most 65535): the copy runs past pl into adjacent heap memory */
Massimo Dong Java November 27, 2017 10 / 26
Heartbleed
C/C++
/* The missing check behind Heartbleed: payload is the length the peer claims in its
 * heartbeat request, and it is copied without being compared to the number of bytes
 * that actually arrived. The fix is a bounds check that discards any request whose
 * claimed length exceeds the received record. */
memcpy(bp, pl, payload);
pl = "ProblemSolving"   /* the 14 bytes that were really sent */
payload = 64 * 1024;   /* claimed length (illustrative; the real field is 16 bits, so at most 65535): the copy runs past pl into adjacent heap memory */
Massimo Dong Java November 27, 2017 10 / 26
Heartbleed
C/C++
/* The missing check behind Heartbleed: payload is the length the peer claims in its
 * heartbeat request, and it is copied without being compared to the number of bytes
 * that actually arrived. The fix is a bounds check that discards any request whose
 * claimed length exceeds the received record. */
memcpy(bp, pl, payload);
pl = "ProblemSolving"   /* the 14 bytes that were really sent */
payload = 64 * 1024;   /* claimed length (illustrative; the real field is 16 bits, so at most 65535): the copy runs past pl into adjacent heap memory */
Massimo Dong Java November 27, 2017 10 / 26
Massimo Dong Java November 27, 2017 11 / 26
Massimo Dong Java November 27, 2017 12 / 26
Outline
1 The Java Language: Java Virtual Machine (JVM)
2 Java Memory Management: References & Garbage Collection; Array Check; *Heartbleed
3 Compile & Run Time Check: Exceptions; Type Safety; Modifiers; Undefined Behaviors
4 Java Rich Internet Applications: Web Start Applications; Sandbox; Security Manager; Signing
Massimo Dong Java November 27, 2017 13 / 26
Exceptions
Java
// Intentionally does not compile: FileNotFoundException is a checked exception,
// so javac rejects a call that neither catches it nor declares it.
public static void main(String[] argv){
FileInputStream in = new FileInputStream("data.in");
}
error: unreported exception FileNotFoundException;
must be caught or declared to be thrown
FileInputStream in = new FileInputStream("data.in");
^
Massimo Dong Java November 27, 2017 14 / 26
Exceptions
Java
public static void main(String[] argv){
FileInputStream in = new FileInputStream("data.in");
}
error: unreported exception FileNotFoundException;
must be caught or declared to be thrown
FileInputStream in = new FileInputStream("data.in");
^
Massimo Dong Java November 27, 2017 14 / 26
Exceptions
Java
// First way to satisfy the compiler: handle the checked exception where it occurs.
try{
FileInputStream in = new FileInputStream("data.in");  // never closed here; outside a demo, open it in try-with-resources so the descriptor is released
}catch(FileNotFoundException E){
System.out.println("File Not Found!");
}
Java
/**
 * Second way to satisfy the compiler: declare the checked exception so it
 * propagates to the caller of main instead of being handled here.
 *
 * @throws FileNotFoundException if data.in cannot be opened
 */
public static void main(String[] argv)
throws FileNotFoundException{
FileInputStream in = new FileInputStream("data.in");  // the stream is never closed in this demo
}
Massimo Dong Java November 27, 2017 15 / 26
Exceptions
Java
try{
FileInputStream in = new FileInputStream("data.in");
}catch(FileNotFoundException E){
System.out.println("File Not Found!");
}
Java
public static void main(String[] argv)
throws FileNotFoundException{
FileInputStream in = new FileInputStream("data.in");
}
Massimo Dong Java November 27, 2017 15 / 26
Type Safety
C
/* The compiler shown on the slide accepts this with only a warning: an integer
 * is converted to a function pointer and then called. */
int main(){
void (*foo)();
foo = 233;   /* diagnosed, but still compiled */
foo();       /* calls through an arbitrary address: undefined behavior, in practice usually a crash */
}
warning:
assignment makes pointer from integer without a cast
foo = 233;
^
Massimo Dong Java November 27, 2017 16 / 26
Type Safety
C
int main(){
void (*foo)();
foo = 233;
foo();
}
warning:
assignment makes pointer from integer without a cast
foo = 233;
^
Massimo Dong Java November 27, 2017 16 / 26
Type Safety
Java
// Presumably A and B are unrelated classes (their declarations are not shown):
// javac then rejects the assignment as incompatible types, so no program exists
// in which a refers to an object of the wrong class.
public static void main(String[] argv){
A a;
B b;
a = b;
}
C
/* The C counterpart: assigning between pointers to unrelated struct types is a
 * constraint violation, yet compilers commonly emit only a warning and build it,
 * after which accesses through a would reinterpret a struct B as a struct A.
 * (struct A and struct B are not declared on the slide.) */
int main(){
struct A *a;
struct B *b;
a = b;
}
Massimo Dong Java November 27, 2017 17 / 26
Modifiers
Access Modifiers
private
public
protected
Non Access Modifiers
static
final
abstract
synchronized and volatile
Massimo Dong Java November 27, 2017 18 / 26
Java
// A blank final local may be assigned exactly once; this version compiles.
public static void main(String[] argv){
final int a;
a = 39;
}
// Intentionally does not compile: the second assignment to a final local is
// rejected by javac's definite-assignment analysis, before the program can run.
public static void main(String[] argv){
final int a;
a = 39;
a = 40;
}
error: variable a might already have been assigned
Massimo Dong Java November 27, 2017 19 / 26
Java
public static void main(String[] argv){
final int a;
a = 39;
}
public static void main(String[] argv){
final int a;
a = 39;
a = 40;
}
error: variable a might already have been assigned
Massimo Dong Java November 27, 2017 19 / 26
Java
public static void main(String[] argv){
final int a;
a = 39;
}
public static void main(String[] argv){
final int a;
a = 39;
a = 40;
}
error: variable a might already have been assigned
Massimo Dong Java November 27, 2017 19 / 26
Undefined Behaviors
C
i = i++ + 1;  /* i is modified twice with no sequencing between the two writes, so the standard allows any result */
Undefined Behavior
Java
i = i++ + 1;  // well defined in Java: operands are evaluated left to right, so i ends as its old value + 1 (the 1 shown corresponds to i starting at 0)
1
Massimo Dong Java November 27, 2017 20 / 26
Undefined Behaviors
C
i = i++ + 1;
Undefined Behavior
Java
i = i++ + 1;
1
Massimo Dong Java November 27, 2017 20 / 26
Undefined Behaviors
C
i = i++ + 1;
Undefined Behavior
Java
i = i++ + 1;
1
Massimo Dong Java November 27, 2017 20 / 26
Undefined Behaviors
C
i = i++ + 1;
Undefined Behavior
Java
i = i++ + 1;
1
Massimo Dong Java November 27, 2017 20 / 26
Undefined Behaviors
C
i = i++ + 1;
Undefined Behavior
Java
i = i++ + 1;
1
Massimo Dong Java November 27, 2017 20 / 26
Outline
1 The Java Language: Java Virtual Machine (JVM)
2 Java Memory Management: References & Garbage Collection; Array Check; *Heartbleed
3 Compile & Run Time Check: Exceptions; Type Safety; Modifiers; Undefined Behaviors
4 Java Rich Internet Applications: Web Start Applications; Sandbox; Security Manager; Signing
Massimo Dong Java November 27, 2017 21 / 26
Web Start Applications
Demo
Massimo Dong Java November 27, 2017 22 / 26
Sandbox
Java
// Presumably run as a sandboxed Web Start application: the policy grants no
// FilePermission, so the constructor throws AccessControlException before any
// file is opened.
try{
FileInputStream in = new FileInputStream("input.txt");
}catch(Exception E){  // broad catch so the demo prints whichever exception arrives
System.out.println(E);
}
java.security.AccessControlException:
access denied ("java.io.FilePermission" "input.txt" "read")
Massimo Dong Java November 27, 2017 23 / 26
Sandbox
Java
// Presumably run as a sandboxed Web Start application: the policy grants no
// FilePermission, so the constructor throws AccessControlException before any
// file is opened.
try{
FileInputStream in = new FileInputStream("input.txt");
}catch(Exception E){  // broad catch so the demo prints whichever exception arrives
System.out.println(E);
}
java.security.AccessControlException:
access denied ("java.io.FilePermission" "input.txt" "read")
Massimo Dong Java November 27, 2017 23 / 26
Sandbox
Java
// Presumably run as a sandboxed Web Start application: the policy grants no
// FilePermission, so the constructor throws AccessControlException before any
// file is opened.
try{
FileInputStream in = new FileInputStream("input.txt");
}catch(Exception E){  // broad catch so the demo prints whichever exception arrives
System.out.println(E);
}
java.security.AccessControlException:
access denied ("java.io.FilePermission" "input.txt" "read")
Massimo Dong Java November 27, 2017 23 / 26
Security Manager
Java
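// Asks the installed security manager, if there is one, whether this code may
// read input.txt. FileInputStream performs the same check itself, so this
// explicit call only lets the program report the denial and stop early.
// Version caveat: the Security Manager is deprecated for removal since Java 17
// (JEP 411) and can no longer be enabled from JDK 24 (JEP 486), where
// getSecurityManager() always returns null; on such JDKs this check never runs
// and isolation has to come from the operating system or a container.
SecurityManager security = System.getSecurityManager();
if (security != null) {
    try {
        security.checkRead("input.txt");
    } catch (SecurityException e) {
        // checkRead signals a denial with SecurityException; catching only that
        // type keeps unrelated failures from being reported as a policy denial.
        System.out.println(e);
        return;
    }
}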
# NOTE(review): -nosecurity looks like the IcedTea-Web javaws option that starts the
# application without the sandbox -- confirm. With it, the file read that the sandbox
# refused is no longer blocked. Java Web Start itself was deprecated in Java 9 and
# removed from Oracle JDK 11.
$javaws -nosecurity demo_no_codebase.jnlp
Massimo Dong Java November 27, 2017 24 / 26
Security Manager
Java
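// Asks the installed security manager, if there is one, whether this code may
// read input.txt. FileInputStream performs the same check itself, so this
// explicit call only lets the program report the denial and stop early.
// Version caveat: the Security Manager is deprecated for removal since Java 17
// (JEP 411) and can no longer be enabled from JDK 24 (JEP 486), where
// getSecurityManager() always returns null; on such JDKs this check never runs
// and isolation has to come from the operating system or a container.
SecurityManager security = System.getSecurityManager();
if (security != null) {
    try {
        security.checkRead("input.txt");
    } catch (SecurityException e) {
        // checkRead signals a denial with SecurityException; catching only that
        // type keeps unrelated failures from being reported as a policy denial.
        System.out.println(e);
        return;
    }
}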
# NOTE(review): -nosecurity looks like the IcedTea-Web javaws option that starts the
# application without the sandbox -- confirm. With it, the file read that the sandbox
# refused is no longer blocked. Java Web Start itself was deprecated in Java 9 and
# removed from Oracle JDK 11.
$javaws -nosecurity demo_no_codebase.jnlp
Massimo Dong Java November 27, 2017 24 / 26
Signing
Demo
Massimo Dong Java November 27, 2017 25 / 26
Signing
Demo
Massimo Dong Java November 27, 2017 25 / 26
References
https://docs.oracle.com
https://blogs.oracle.com
Massimo Dong Java November 27, 2017 26 / 26