Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Defined “Freedom from undesirable events”. (Neumann) There are usually three elements to security :  Confidentiality  Integrity  Availability.

Published byDaniella Norton Modified over 7 years ago

Similar presentations

Presentation on theme: "Security Defined “Freedom from undesirable events”. (Neumann) There are usually three elements to security :  Confidentiality  Integrity  Availability."— Presentation transcript:

1

2

3 Security Defined “Freedom from undesirable events”. (Neumann) There are usually three elements to security :  Confidentiality  Integrity  Availability

4 What is Security? Safe from malevolent programs Non-intrusive Authenticated Encrypted Audited Verified C2 or B1 certified

5 Why Java Security is important? Java security is important to a number of distinct sets of people Web users Developers of Java code System administrators

6 Guidelines for Java Web Users Web sites visited Learn about Java security Java environment Security updates Security alerts Apply drastic measures Assess your risks

7 Guidelines for Java Developers Rule 1: Don't Depend on Initialization Rule 2: Limit Access Rule 3: Make Everything Final Rule 4: Don't Depend on Package Scope

8 Developers of Java Code Cont. Rule 5: Don't Use Inner Classes Rule 6: Avoid Signing Your Code Rule 7: Archive file

9 Rule 8:Classes Uncloneable public final void clone() throws java.lang.CloneNotSupportedException { throw new java.lang.CloneNotSupportedException(); }

10 Rule 9: Classes Unserializeable private final void writeObject(ObjectOutputStream out) throws java.io.IOException { throw new java.io.IOException("Object cannot be serialized"); }

11 Rule 10: Classes Undeserializeable private final void readObject(ObjectInputStream in) throws java.io.IOException { throw new java.io.IOException("Class cannot be deserialized"); }

12 Rule 11:Don't Compare Classes by Name if(a.getClass( ) == b.getClass()){ // objects have the same class }else{ // objects have different classes } Rule 12: Secrets Stored in Your Code Won't Protect You

13 Other People Security Effects System Administrator –Install, configure and manage the products –For managers who decide which products are developed and they are developed.

14 Java Security Manager Class that allows applications to implement a security policy Useful to determine a possibly unsafe or sensitive operation The application can allow or disallow the operation

15 Java Security Manager Descends from class java.lang.SecurityManager For each potentially unsafe action, there is a method in the security manager that defines whether or not that action is allowed by the sandbox.

16 Method’s Classification The methods in the Security Manager can be broadly classified into groups  Methods protecting file access e.g. checkRead(String file)  Methods protecting network access: e.g. checkAccept(String host, int port)

17 Method’s Classification  Methods protecting program threads  Methods protecting the JVM e.g. checkExit(int status)  Methods protecting system resources e.g. checkPrintJobAccess( )  Methods protecting Java security aspects e.g. checkSystemClipboardAccess( )

18 Anatomy of a Java Application

19 The bytecode verifiers The class loader The access controller The security manager The security package The key database

20 The Bytecode Verifier  The bytecode verifier ensures that Java class files follow the rules of the Java language.  In terms of resources, the bytecode verifier helps enforce memory protections for all Java programs.

21 Class Loader / Access Controller The class loader One or more class loaders load classes that are not found on the CLASSPATH The access controller The access controller allows (or prevents) most access from the core API to the operating system.

22 The Security Manager Primary interface between the core API and the operating system Allowing or preventing access to all system resources The access controller used for decision making Responsibility on actions

23 Security Package / Key Database Security Package Basis for authenticating signed Java classes.  The security provider interface Message digests Keys and certificates Digital signatures Encryption (an optional extension to the security package) The key database / digital signature

24 Potential Threats There are four basic categories of potential attacks Java applets could facilitate:  Attacks that modify the system  Attacks that invade a user's privacy  Attacks that deny legitimate use of the machine by hogging resources  Attacks that antagonize a user

25 Potential Threats ATTACK CLASS EXPLANATION AND CONSEQUENCES JAVA DEFENSE Invasion of Privacy If you value your privacy, this attack class may be particularly odious. They are implemented by malicious applets. Include mail forging. Consequences of these attacks: moderate. Strong Denial of Service Also serious but not severely so, these attacks can bring a machine to a standstill. Also implemented by malicious applets. May require reboot. Consequences of these attacks: moderate. Weak Antagonism Merely annoying, this attack class is the most commonly encountered. Implemented by malicious applets. May require restart of browser. Consequences of these attacks: light to moderate. Weak

26 Invasion of Privacy Disclosing information about a user or host machine that should not be publicized  On Unix machines, if someone gains access to the /etc/passwd file (which contains usernames and encrypted passwords) he or she could mount a password - cracking attack. A successful password - cracking attack

27 Denial of Service System resources become unavailable. There are many subcategories of denial of service attacks. Some examples include:  Completely filling a file system  Using up all available file pointers  Allocating all of a system's memory  Creating thousands of windows, effectively denying access to the output screen or window event queue  Using all of the machine's cycles (CPU time) by creating many high-priority threads

28 Antagonism Sometimes seemingly antagonistic attacks may be the result of simple programming errors. Examples:  Playing unwanted sound files through a speaker  displaying obscene pictures on a monitor

29 Java Risks in Perspective Stopping the worst potential attacks that hostile applets might carry out System modification and invasion of privacy attacks One kind of mobile code that everyone wants to avoid is a computer virus

30 Java Sandbox Restriction of programs Damage can be done in the sandbox, but will not affect other applications, system resources, and files. Three steps of defense:  Byte Code Verifier  Class Loader  Security Manager They depend on each other Each part must do its job properly

31 Java Sandbox Java is designed so that programs can be dynamically loaded over the network and run locally Restriction on programs Damage can be done in the sandbox, but will not affect other applications, system resources, and files.

32 Java Sandbox Three steps of defense:  Byte Code Verifier  Class Loader  Security Manager They depend on each other Each part must do its job properly

33 Type Safety Programs are prevented from accessing memory in inappropriate ways A program cannot perform an operation on an object unless that operation is valid for that object Most essential element of Java’s security

34 Type Safety Example

35 Type Safety Class tag / Dynamic type checking Static type checking Guarantees security Prevent arbitrary access to memory using typing constraints Encapsulation

36 Where to Find More Information on Java securingjava.com developer.com javaWorld.com unix.org.ua Jia, Xiaoping. Object-Oriented Software Development Using Java. 2 nd Ed. Addison Wesley. 2001

Download ppt "Security Defined “Freedom from undesirable events”. (Neumann) There are usually three elements to security :  Confidentiality  Integrity  Availability."

Similar presentations

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
Dan Sedlacek CTO, Systems Management Group Sterling Software Java Security and Encryption.

Dan Sedlacek CTO, Systems Management Group Sterling Software Java Security and Encryption.
Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Object Orientated Programming

Object Orientated Programming
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Java PAL.  Contains the development kit and the runtime environment ( aka the Java Virtual Machine )  Download Link:

Java PAL.  Contains the development kit and the runtime environment ( aka the Java Virtual Machine )  Download Link:
CONTENTS:-  What is Event Log Service ?  Types of event logs and their purpose.  How and when the Event Log is useful?  What is Event Viewer?  Briefing.

CONTENTS:-  What is Event Log Service ?  Types of event logs and their purpose.  How and when the Event Log is useful?  What is Event Viewer?  Briefing.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Similar presentations

Ads by Google