Presentation is loading. Please wait.

Presentation is loading. Please wait.

Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

Similar presentations


Presentation on theme: "Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise."— Presentation transcript:

1 Java Security

2 Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise Java Security on the Network

3 JVM as Gatekeeper Indirect Execution Language Features (no pointers, type-safe) Class Loaders Bytecode Verifiers

4 Security Solutions Java Security on the Browser –Browser Security Managers –Sandbox –Digital Signatures Java Security in the Enterprise –Access Control –Authentication –Authorization –Confidentiality and Integrity Protection Java Security on the Network –Encryption

5 Java Application Server Presentation & Business Logic Servlet/JSP EJBs, RMI Objects JDBC Internet Browser Web Server

6 One Observation In all likelihood, security flaws will continue to be discovered (and patched) in Java VM implementations. Despite this, Java remains perhaps the most secure platform currently available. There have been few, if any, reported instances of malicious Java code exploiting security holes "in the wild". For practical purposes, the Java platform appears to be adequately secure, especially when contrasted with some of the insecure and virus-ridden alternatives. - David Flanagan, Java in a Nutshell

7 Types of Attack System Attack Data theft Masquerade Denial of Service Annoyance

8 Defending against Attack Class Computer Resources Bytecode Verifier Class Loader Security Manager

9 Class Loaders VM only loads class files that are needed for the execution of a program Every Java program has at least three class loaders: –Bootstrap class loader –Extension class loader –System class loader

10 Bootstrap class loader Loads system classes (rt.jar) Usually implemented in C Integral part of the JVM No ClassLoader object available

11 Other class loaders Extension class loader –Loads standard extensions (jre/lib/ext) System class loader –Loads application classes from CLASSPATH Both of the above are implemented in Java Both of the above are instances of the URLClassLoader class.

12 Namespaces Beyond just the fully resolved class and package name A class is determined by its full name and the class loader Useful for loading code from multiple sources Two classes in the same VM may have the same class and package name

13 Namespaces Internet Sun AppletKaos Applet Browser JVM com.sun.Car (Sun) com.sun.Car (Kaos) Class loader r1 Class loader r2 r1 r2 r1 r2

14 Bytecode Verification Inspects bytecodes from newly loaded class Checks instructions to make sure they are safe All classes except system classes are verified

15 Verification Checks Variables initialized before use Method calls match types of object references Rules for accessing private data and methods upheld Local variable accesses fall within the runtime stack The runtime stack does not overflow

16 Security Manager Determines if a specific operation is permitted –Accessing fields of another class using reflection –Accessing a file –Starting a print job –Accessing the AWT event queue –Exiting the virtual machine

17 Consulting the Security Manager public void exit(int status) { SecurityManager sec = System.getSecurityManager(); if( sec != null ) sec.checkExit(status); exitInternal(status); }

18 Permission Sets A security policy maps code sources to permission sets Code Source 1 Code base (location) certificates Code Source 2 Code base (location) certificates Permission Set 1 permission #1a permission #1b Permission Set 2 permission #2a permission #2b permission #2c

19 Policy Files Instructions that map code sources to permissions grant codebase “http://www.cs.weber.edu/classes” { permission java.io.FilePermission “/tmp/*”, “read,write”; };

20 Where are policy files? The file java.policy in the Java platform home directory The file. java.policy in the user home directory

21 Specifying policy files Assume a customized policy file called MyApp.policy Inside an application main method: System.setProperty(“java.security.policy”, “MyApp.policy”); On the command line: java –Djava.security.policy=MyApp.policy MyApp For applets: appletviewer -J–Djava.security.policy=MyApp.policy MyApp.html

22 Installing a Security Manager Inside an application main method: System.setSecurityManager(new SecurityManager()); On the command line: java –Djava.security.manager -Djava.security.policy=MyApp.policy MyApp

23 JAAS – Java Authentication and Authorization Service Authentication – ascertaining identity Authorization – map users to permissions Isolates Java applications from underlying technology used to implement authentication –UNIX logins –NT logins –Kerberos authentication –Certificate-based authentication

24 Digital Signatures Allows different levels of security Has the transmitted message been tampered with? Message Digest (SHA1, MD5) Public/Private Key (DSA) Certificate Signing

25 Encryption Obscures transmission of plain text Hides confidential information Java Cryptographic Extension (JCE) –Cipher class Data Encryption Standard (DES)


Download ppt "Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise."

Similar presentations


Ads by Google