Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or.

Published byMilton Short Modified over 8 years ago

Similar presentations

Presentation on theme: "David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or Decaf? (Duke suicide picture by Gary McGraw.)

2 6 November 2003CS 201J Fall 20032 Java  : Programming Language “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]

3 6 November 2003CS 201J Fall 20033 What is a secure programming language? 1.Language is designed so it cannot express certain computations considered insecure. 2.Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run- time environment instead of leading to security vulnerabilities. A few attempt to do this: PLAN, packet filters

4 6 November 2003CS 201J Fall 20034 Safe Programming Languages Type Safety –Compiler and run-time environment ensure that bits are treated as the type they represent Memory Safety –Compiler and run-time environment ensure that program cannot access memory outside defined storage Control Flow Safety –Can’t jump to arbitrary addresses Which of these does C/C++ have? Is Java the first language to have them? No way! LISP had them all in 1960.

5 6 November 2003CS 201J Fall 20035 Java  Safety Type Safety –Most types checked statically –Coercions, array assignments type checked at run time Memory Safety –No direct memory access (e.g., pointers) –Primitive array type with mandatory run- time bounds checking Control Flow Safety –Structured control flow, no arbitrary jumps

6 6 November 2003CS 201J Fall 20036 Malicious Code Can a safe programming language protect you from malcode? 1.Code your servers in it to protect from buffer overflow bugs 2.Only allow programs from untrustworthy origins to run if the are programmed in the safe language

7 6 November 2003CS 201J Fall 20037 Safe Languages? But how can you tell program was written in the safe language? –Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) –Special compilation service cryptographically signs object files generated from the safe language (SPIN, [Bershad96]) –Verify object files preserve safety properties of source language (Java)

8 6 November 2003CS 201J Fall 20038 JVML javac Compiler malcode.java Java  Source Code malcode.class JVML Object Code JavaVM Joe User Joe wants to know JVML code satisfies Java  ’s safety properties.

9 6 November 2003CS 201J Fall 20039 Does JVML satisfy Java  ’s safety properties? iconst_2 push integer constant 2 on stack istore_0 store top of stack in variable 0 as int aload_0 load object reference from variable 0 No! This code violates Java  ’s type rules.

10 6 November 2003CS 201J Fall 200310 Running Mistyped Code > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type.method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return.end method

11 6 November 2003CS 201J Fall 200311 Bytecode Verifier malcode.class JVML Object Code Java Bytecode Verifier Joe User JavaVM “Okay” Invalid STOP Trusted Computing Base

12 6 November 2003CS 201J Fall 200312 Bytecode Verifier Checks class file is formatted correctly –Magic number: class file starts with 0xCAFEBABE –String table, code, methods, etc. Checks JVML code satisfies safety properties –Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once

13 6 November 2003CS 201J Fall 200313 Verifying Safety Properties Type safe –Stack and variable slots must store and load as same type Memory safe –Must not attempt to pop more values from stack than are on it –Doesn’t access private fields and methods outside class implementation Control flow safe –Jumps must be to valid addresses within function, or call/return

14 6 November 2003CS 201J Fall 200314 Running Mistyped Code > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type.method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return.end method

15 6 November 2003CS 201J Fall 200315 Running Mistyped Code > java –noverify Simple result: 5.method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return.end method

16 6 November 2003CS 201J Fall 200316 Running Mistyped Code > java –noverify Simple Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB Function=JVM_FindSignal+0x1105F Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll Current Java thread: at Simple.main(Simple.java:7) … # # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION # Error ID : 4F530E43505002EF # Please report this error at # http://java.sun.com/cgi-bin/bugreport.cgi # # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode).method public static main([Ljava/lang/String;)V … ldc 201 istore_0 aload_0 iconst_2 iconst_3 iadd … return.end method

17 6 November 2003CS 201J Fall 200317 Java javac Compiler malcode.java malcode.class JVML Joe User Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

18 6 November 2003CS 201J Fall 200318 JavaVM Virtual machine – interpreter for JVML programs Has complete access to host machine Bytecode verifier ensures some safety properties, JavaVM must ensure rest: –Type safety of run-time casts, array assignments –Memory safety: array bounds checking –Resource use policy

19 6 November 2003CS 201J Fall 200319 Reference Monitors

20 6 November 2003CS 201J Fall 200320 Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network

21 6 November 2003CS 201J Fall 200321 Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network Reference Monitor

22 6 November 2003CS 201J Fall 200322 Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Can we build this? Probably not unless we can build a time machine...

23 6 November 2003CS 201J Fall 200323 Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Real most things limited

24 6 November 2003CS 201J Fall 200324 Operating Systems Provide reference monitors for most security-critical resources –When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file Doesn’t allow different policies for different programs No flexibility over what is monitored –OS decides for everyone –Hence, can’t monitor inexpensive operations

25 6 November 2003CS 201J Fall 200325 Java Security Manager (Non-Ideal) Reference monitor –Limits how Java executions can manipulate system resources User/host application creates a subclass of SecurityManager to define a policy

26 6 November 2003CS 201J Fall 200326 JavaVM Policy Enforcment From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); } [JDK 1.0 – JDK 1.1] What could go seriously wrong with this?! checkDelete throws a SecurityExecption if the delete would violate the policy (re-thrown by delete)

27 6 November 2003CS 201J Fall 200327 HotJava’s Policy (JDK 1.1.7) public class AppletSecurity extends SecurityManager {... public synchronized void checkDelete(String file) throws Security Exception { checkWrite(file); }

28 6 November 2003CS 201J Fall 200328 AppletSecurity.checkWrite (some exception handling code removed) public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); } Note: no checking if not inApplet! Very important this does the right thing.

29 6 November 2003CS 201J Fall 200329 inApplet boolean inApplet() { return inClassLoader(); } Inherited from java.lang.SecurityManager: protected boolean inClassLoader() { return currentClassLoader() != null; }

30 6 November 2003CS 201J Fall 200330 currentClassLoader /** Returns an object describing the most recent class loader executing on the stack. Returns the class loader of the most recent occurrence on the stack of a method from a class defined using a class loader; returns null if there is no occurrence on the stack of a method from a class defined using a class loader. */ protected native ClassLoader currentClassLoader();

31 6 November 2003CS 201J Fall 200331 Recap java.io.File.delete calls SecurityManager.checkDelete before deleting HotJava overrides SecurityManager with AppletSecurity to set policy AppletSecurity.checkDelete calls AppletSecurity.checkWrite AppletSecurity.checkWrite checks if any method on stack has a ClassLoader If not no checks; if it does, checks ACL list

32 6 November 2003CS 201J Fall 200332 JDK 1.0 Trust Model When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader

33 6 November 2003CS 201J Fall 200333 JDK Evolution JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader JDK 1.2: –Different classes can have different policies based on ClassLoader –Explict enable/disable/check privileges –SecurityManager is now AccessController

34 6 November 2003CS 201J Fall 200334 What can go wrong? Java API doesn’t call right SecurityManager checks (63 calls in java.*) –Font loading bug, synchronization ClassLoader is tricked into loading external class as internal Bug in Bytecode Verifier can be exploited to circumvent SecurityManager Policy is too weak (allows damaging behavior) Next class: how to break everything with a hair dryer!

35 6 November 2003CS 201J Fall 200335 Hostile Applets See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month) Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations) Don’t try these until you finish PS5: http://www.cigital.com/hostile-applets/index.html

36 6 November 2003CS 201J Fall 200336 Charge PS5 Due Tuesday Two options for turning in PS5: read the notes carefully If your program works, you do not need to turn in a printout of all your code.

Download ppt "David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or."

Similar presentations

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Java security (in a nutshell)

Java security (in a nutshell)
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
Introduction to JAVA Vijayan Sugumaran School of Business Administration Oakland University Rochester, MI 48309.

Introduction to JAVA Vijayan Sugumaran School of Business Administration Oakland University Rochester, MI
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.

Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.

Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86.

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86.
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
Introduction to Java Kiyeol Ryu Java Programming Language.

Introduction to Java Kiyeol Ryu Java Programming Language.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.

Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Netprog 2002 Java Intro1 Crash Course in Java Based on notes from D. Hollinger Based in part on notes from J.J. Johns also: Java in a Nutshell Java Network.

Netprog 2002 Java Intro1 Crash Course in Java Based on notes from D. Hollinger Based in part on notes from J.J. Johns also: Java in a Nutshell Java Network.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Lecture 1: Overview of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++ Designed.

Lecture 1: Overview of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++ Designed.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.

JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.

Similar presentations

Ads by Google