security in java2 prabhu ram raghunathan srikanth e. musti deep kapadia
TRANSCRIPT
Security in Java2
Prabhu Ram Raghunathan Srikanth E. Musti Deep Kapadia
Is Java still secure? David M. Chess, John F. Morar
IBM TJ Watson Research Center
In the beginning there was: Passive Content Currently: Active Content : Macro,ActiveX etc. Digital Signature used by
Office2000, ActiveX Only macros signed by trusted parties are run.
Original Java Security Model The Sandbox
Security manager – construed guilty.
All programs on N/w assumed Untrusted
Untrusted Applets Prohibited from “damaging the system running them, or reveal private or confidential information”
Thou Shall Not : Interact with the local file system :
read,write,delete or rename files. Connect to another computer over the network. Accept network connections from any other
computer Alter System Properties (Environment Variables) Invoke a program or load a library. Cause the Java Interpreter to Exit. Prompt the user without an “Untrusted Applet”
warning or Create a new Security Manager.
Effect of Sand Boxing This set of limits for an applet is the sandbox. Good: A program can at best display
unwanted messages or snoop preferences etc.
Bad : Functionality trimmed. Escape : JDK 1.1 introduced Command Line
feature Developer signs JAR file digitally. Users indicate trust in some signers. a good start toward flexible security in Java A failure as it was too complex
Keeping up with the Joneses
Function Java 2 SDK Netscape Communicator
Microsoft Internet Explorer
Mechanism for delivering Signed Java
Java 2 signed JAR Netscape signed JAR Microsoft signed CAB
Signature Verification Algorithm
DSA/SHA1 RSA/SHA1 RSA/MD5
Certificate handling at client
Sun "keystores" for keys and certificates
Netscape proprietary key and certificate management
Microsoft proprietary key and certificate management
Request for privileges Applet attempts privileged action. An exception is thrown when action is not allowed.
Programmer defines the privileges required by calling privilege manager methods.
Code signer defines the privileges required when signing the CAB file.
Mechanism for storing policy information
Policy configuration files (can be located remotely) that are manually edited.
User prompted the first time privileges are requested. Proprietary method for storing persistent settings.
Privileges are configured in security zones that are stored in a Microsoft proprietary format.
Enter Java 2 Uses Java Runtime Environment & Java 2 plugin
. Page has HTML code directing the applet to
plugins. Semi Automatic Install on Demand. Security Manager on start up reads Policy Files. Each policy file can describe many principals,
and for each principal specify a number of privileges that should be granted applets associated with those principals. A principal can be everyone, a particular signer, a particular place that a program can be loaded from, or a combination of a signer and a place
Morar’s Example // Everyone can do these things grant { permission java.util.PropertyPermission
"user.haircolor"; permission java.io.FilePermission "c:\\temp\\
*", "read,write"; }; // These guys can read and write the directory
we set up for them grant signedBy "GoodGuys Inc." { permission java.io.FilePermission "c:\\
GoodGuys\\*", "read,write"; };
Morar’s Example
// Things signed by the security administrator and loaded
// from his server can do various magic
grant signedBy "secadmin", codeBase http://secadmin.example.com/admin/*" {
permission java.security.SecurityPermission "Security.insertProvider.*";
permission java.security.SecurityPermission "Security.removeProvider.*";
permission java.security.SecurityPermission "Security.setProperty.*";};
Java 2 Enhancements No centralized Security Management, but
definite steps towards it. it is possible to configure a system so that
both Java 2 plugins and Java applications use the same security manager and security policy.
The Java 2 security system provides more granular control than did previous versions of Java, but the range of available function in the sandbox is essentially the same. Consequently, there is no fundamentally new danger of viral spread in the new environment
Morar’s Final Words Various Java engines coexisting on
a machine could share a common security configuration as in JVM in Netscape, IE, Opera etc.
Risk is very low as possibilities of exploiting holes is limited.
Java2 is Secure.
Securing Java Gary McGraw Edward W. Felten
Security risk categories: * System modification * Invasion of Privacy * Denial of Service * Antagonism Java presents a multitiered approach to security: * Restricted access to file systems * Restricted access to browser internals * Load time & runtime checks to verify that byte code is
following the rules * A system for signing code and assigning it some level of
capability
Classes of Security attacksAttack class Explanation and consequences Java Defense
System modification
The most severe class of attacks. Applets that implement such attacks are attack applets. Consequences of these attacks: severe.
Strong
Invasion of Privacy
If you value your privacy, this attack class may be particularly odious. They are implemented by malicious applets. Include mail forging. Consequences of these attacks: moderate.
Strong
Denial of Service Also serious but not severely so, these attacks can bring a machine to a standstill. Also implemented by malicious applets. May require reboot. Consequences of these attacks: moderate.
Weak
Antagonism Merely annoying, this attack class is the most commonly encountered. Implemented by malicious applets. May require restart of browser. Consequences of these attacks: light to moderate.
Weak
Parts of default Sandbox
Parts of default Sandbox-The Verifier
The Verifier scrutinizes byte code before it is allowed to be run on a local VM.
Parts of default Sandbox-The Verifier(contd.)
Verification * Internal checks * Runtime checks Verification assures: * The class file has the correct format * Stacks will not be overflowed or underflowed * Byte code instructions all have parameters of the
correct type * No illegal data conversions (casts) occur * Private, public, protected, and default accesses are
legal * All register accesses and stores are valid
Parts of default Sandbox-The Class Loader
Code is loaded (from the disk or over the network) by a Class Loader.
Class Loaders perform 2 functions: * Finding the byte code.
* Class loaders define the namespaces seen by different classes and how those namespaces relate to each other
Class Loaders also need to make sure that important parts of the Java runtime environment are not replaced by impostor code
Parts of default Sandbox-The Class Loader(contd.)
Fake Security Manager – Class Spoofing
Spoofing occurs when someone or something pretends to be something it is not.
In this figure, an external class has arrived from the Internet and declares itself to be the Security Manager (in order to replace the real Security Manager). If external code were allowed to do this, Java's security system would be trivial to break.
Parts of default Sandbox-The Security Manager
The Security Manager implements a good portion of the entire security model.
How the Security Manager works:
The Security Manager keeps tabs on potentially dangerous calls to the native operating system (underlying the VM).
Parts of default Sandbox-The Security Manager(contd.)
The Java library's use of the Security Manager works as follows:
* A Java program makes a call to a potentially dangerous operation in the Java API.
* The Java API code asks the Security Manager whether the operation should be allowed.
* The Security Manager throws a SecurityException back to the Java API if the operation is denied. This exception propagates back to the Java program.
* If the operation is permitted, the Security Manager call returns without throwing an exception, and the Java API performs the requested dangerous operation and returns normally.
Capabilities of new security architecture in Java2
Fine-grained access control. Configurable security policy. Extensible access control structure. Security checks for all Java programs.
New security mechanisms in Sun’s Java2
Identity Permissions Implies Policy Protection domains Access control And privilege
Malicious Applets
Q) What can they do?A) Can attack the local system of a
Web surfer causing… Antagonism Invasion of Privacy Denial of Service
Malicious Applets…are known to Antagonize web surfers Forge mail from you to whomever the evil
applet's author chooses, saying whatever they wish while masquerading as you
Steal your CPU cycles to perform their own work while your legitimate processes languish
Crash your local system by using all available system resources
A simple DOS attack
The dreaded thread Create an applet that starts a thread with its priority
set to MAX_PRIORITY. This makes the thread run as quickly as possible and gives it a leg up in the ongoing competition between threads for CPU time.
Redefine the stop() method to null for the thread. Do something silly in the main part of the applet so
that it appears to be harmless. Show a picture or display some cute animation.
A simple DOS attack (cont’d) Have the thread sleep for a while to delay its malicious
activities. Such sleight of hand will have the effect of placing the blame somewhere else when the thread wakes back up to perform its dirty work.
When the thread wakes up, have it begin calculating in an infinite loop (or some other CPU-intensive activity that eats cycles). Such a computation will, in effect, bring the browser down by taking away all available computational resources.
Killing Off the Competition The Business Assassin
Matt LaDue’s Gamelan killer Stealing Cycles
Why have a fast CPU when you can use somebody else’s to do your work for you?
Forge Email (Old dog with new tricks)
Solutions Disable Java Know where you are on the
Internet Third party solutions Improve Java itself Someone tell Netscape and
Microsoft to update their JVM’s
Solutions (cont’d) Writing safer code Assess your risks Understanding Code Signing Easy to use signing tools Avoid signing your code as far as possible
But try not to throw the good out with the bad
Myths about signing Java code Signatures denote authorship If a signer is honest, the code is
secure Signatures imply
accountability/liability
The future: Challenges facing Mobile code New features introduce new security
holes New classes of attacks keep
appearing
Secure Distributed Programming Java as a “secure” true multiuser
system
Should we use Java at all