Presentation is loading. Please wait.

Presentation is loading. Please wait.

COSC 4301 - Assignment 3 - Part 1 Java Security Susan Kovacs 19 April 2019 COSC 4301 - Assignment 3 - Part 1.

Published byŞebnem Sökmen Modified over 5 years ago

Similar presentations

Presentation on theme: "COSC 4301 - Assignment 3 - Part 1 Java Security Susan Kovacs 19 April 2019 COSC 4301 - Assignment 3 - Part 1."— Presentation transcript:

1 COSC 4301 - Assignment 3 - Part 1
Java Security Susan Kovacs 19 April 2019 COSC Assignment 3 - Part 1

2 COSC 4301 - Assignment 3 - Part 1
Topics of Discussion Why is security an issue? Types of security breaches Java’s approach the Language the Libraries Browsers Conclusion 19 April 2019 COSC Assignment 3 - Part 1

3 Why is security an issue?
4/19/2019 Why is security an issue? What is an applet? A Java program that is run from inside a web browser. The html page loaded into the web browser contains an <applet> tag, which tells the browser where to find the Java .class files. For example, Ask if anyone can define what an applet is. Explain what it is. Example. Ask why we use applets. Answer: Executable Content Define executable content: the idea of sending around data that is actually code to be executed. This is exciting because it provides power and expressiveness. Html tags & scripts that run on servers are extremely limited. Java’s portability property make it the perfect candidate. appletviewer 19 April 2019 COSC Assignment 3 - Part 1

4 Why is security an issue?
4/19/2019 Why is security an issue? The class files for an applet are automatically downloaded when a user goes to the containing Web page in a browser. It is therefore likely that a user will encounter applets from untrusted sources. Without any security, this would be a convenient way to spread viruses. 19 April 2019 COSC Assignment 3 - Part 1

5 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Types of breaches Integrity Attacks Availability Attacks Disclosure Attacks Annoyance Attacks 19 April 2019 COSC Assignment 3 - Part 1

6 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Types of breaches Integrity Attacks Deletion / modification of files Modification of memory currently in use Killing processes / threads 19 April 2019 COSC Assignment 3 - Part 1

7 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Types of breaches Availability Attacks Allocating large amounts of memory Creating thousands of windows Creating high priority process / threads 19 April 2019 COSC Assignment 3 - Part 1

8 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Types of breaches Disclosure Attacks Mailing information about your machine /etc/passwd Sending personal or company files to an adversary or competitor over the network 19 April 2019 COSC Assignment 3 - Part 1

9 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Types of breaches Annoyance Attacks Displaying obscene pictures on your screen Playing unwanted sounds over your computer 19 April 2019 COSC Assignment 3 - Part 1

10 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Java’s Approach ... The Language The Libraries Browsers 19 April 2019 COSC Assignment 3 - Part 1

11 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Language Access control Type-safe Absence of pointers Garbage collection Packages 19 April 2019 COSC Assignment 3 - Part 1

12 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Language Access control public private final Access to methods and variables is controlled via keywords public private final for example the File object - has a public method that can be called by anyone and a low level private method. The public method first performs security checks and then calls the private method final prevents a malicious programmer from subclassing a critical library class or overriding the methods of a class 19 April 2019 COSC Assignment 3 - Part 1

13 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Language Type-safe The compile time type and runtime type of variables are guaranteed to be compatible. Prevents the forging of access to objects to get around access control. File example: prevents the malicious code from casting a File object to the malicious code’s MyFile type which has the same layout as the File type but with all methods public. 19 April 2019 COSC Assignment 3 - Part 1

14 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Language Absence of pointers Pointers cannot be directly manipulated by user code. Prevents both malicious and accidental misuse of pointers. 19 April 2019 COSC Assignment 3 - Part 1

15 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Language Garbage collection Manual deallocation provides a round-about way of illegally casting. Java uses garbage collection to recover unused memory instead of relying on explicit user deallocation. Example: malicious code creates a new object of type MyFile, deallocates the memmory used by that object, keeping the pointer malicious code creates a File object which has the same size the new pointer can be made to be the same as the MyFile pointer malicious code can now access the private methods of the File object 19 April 2019 COSC Assignment 3 - Part 1

16 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Language Packages Provides namespace encapsulation. Prevents downloaded code from shadowing system library code with malicious code. Usefull because they allow downloaded code to be easily distinguished from local code Java guarantees that when a class is referenced the system first looks in the local namespace and then in the namespace of the referencing class 19 April 2019 COSC Assignment 3 - Part 1

17 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Libraries Security Manager Class Loader 19 April 2019 COSC Assignment 3 - Part 1

18 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Libraries Security Manager Contains methods which are intended to be called to check specific types of actions. It is intended to be subclassed and used to instantiate the desired security policy. Will use security manager when creating library code for a potentially dangerous system resource Examples: see sheet 19 April 2019 COSC Assignment 3 - Part 1

19 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Libraries Security Manager Example: Public boolean mkdir(String path) throws IOException { SecurityManager security = System.getSecurityManager(); if (security != null) security.checkWrite(path); return mkdir0(); } Will use security manager when creating library code for a potentially dangerous system resource Examples: see sheet 19 April 2019 COSC Assignment 3 - Part 1

20 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Libraries Class Loader Class loaders are responsible for importing binary data that defines the running program’s classes and interfaces. Two type: primordial & object To make applets as portable as possible, Java compiler doesn’t compile to machine code but only to bytecode. That’s what the class loader deals with difference between primordial & object: the primordial is part of the JVM implementation & there’s only one of them class loader objects are written in Java, compiled into class files, loaded into the virtual machine and instantiated all applet windows come up with a warning - because they’re not trusted because they’re loaded by an object class loader 19 April 2019 COSC Assignment 3 - Part 1

21 COSC 4301 - Assignment 3 - Part 1
4/19/2019 The Libraries Class Loader Due to JVM’s approach to loading classes, classes can by default only see other classes that were loaded by the same class loader. This allows for multiple name-spaces inside a single Java application To make applets as portable as possible, Java compiler doesn’t compile to machine code but only to bytecode. That’s what the class loader deals with difference between primordial & object: the primordial is part of the JVM implementation & there’s only one of them class loader objects are written in Java, compiled into class files, loaded into the virtual machine and instantiated read two other pages 19 April 2019 COSC Assignment 3 - Part 1

22 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Browsers The Web browser defines and implements a security policy for running downloaded Java code. A Java enabled web browser includes: Java interpreter and runtime libraries classes to implement a Security Manager various Class Loaders It is in the browser that the class loaders & security managers become crucial. 19 April 2019 COSC Assignment 3 - Part 1

23 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Examples import java.awt.*; import java.io.*; import java.lang.*; import java.applet.*; public class exitTest extends Applet { public void paint(Graphics g) { try { Runtime.getRuntime().exit(-1); } catch (SecurityException e) { g.drawString("Caught security exception trying to quit", 10, 10); } 19 April 2019 COSC Assignment 3 - Part 1

24 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Examples Conclusion: An applet can't kill the browser that loaded it, unless you load the applet from a directory on your CLASSPATH. For further examples please visit 19 April 2019 COSC Assignment 3 - Part 1

25 COSC 4301 - Assignment 3 - Part 1
4/19/2019 Conclusion In order for a program to be useful, it needs to access certain resources. Therefore, the key is not to deny all access but rather to provide secured access in a controlled environment. Though Java is not yet perfected, it’s features and properties have allowed for a good balance of power and security. 19 April 2019 COSC Assignment 3 - Part 1

26 COSC 4301 - Assignment 3 - Part 1
Questions ... THANK YOU! 19 April 2019 COSC Assignment 3 - Part 1

27 COSC 4301 - Assignment 3 - Part 1
4/19/2019 References Flanagan, David. Java in a Nutshell. 2nd Ed. O’Reilly, California, 1997 Bank, Joseph. Java Security March 2004 Venners, Bill. Security and the class loader architecutre March 2004 Applet Security March 2004. 19 April 2019 COSC Assignment 3 - Part 1

Download ppt "COSC 4301 - Assignment 3 - Part 1 Java Security Susan Kovacs 19 April 2019 COSC 4301 - Assignment 3 - Part 1."

Similar presentations

Introduction to Java 2 Programming Lecture 10 Applets.

Introduction to Java 2 Programming Lecture 10 Applets.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Portability and Safety Mahdi Milani Fard Dec, 2006 Java.

Portability and Safety Mahdi Milani Fard Dec, 2006 Java.
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
Java security (in a nutshell)

Java security (in a nutshell)
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise.
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.

Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
The Java Language. Topics of this Course  Introduction to Java  The Java Language  Object Oriented Programming in Java  Exceptions Handling  Threads.

The Java Language. Topics of this Course  Introduction to Java  The Java Language  Object Oriented Programming in Java  Exceptions Handling  Threads.
Client Side Programming Using Java Applet Outcomes: You will be expected to know: – Java Applets and HTML file; –bytecode and platform independent programs;

Client Side Programming Using Java Applet Outcomes: You will be expected to know: – Java Applets and HTML file; –bytecode and platform independent programs;
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
Lecture 2: Do you speak Java?. From Problem to Program Last Lecture we looked at modeling with objects! Steps to solving a business problem –Investigate.

Lecture 2: Do you speak Java?. From Problem to Program Last Lecture we looked at modeling with objects! Steps to solving a business problem –Investigate.
1 Chapter 3 Programs and Packages. 2 Java Virtual Machine (JVM) Java programs execute on the JVM. The JVM is a virtual rather than a physical machine,

1 Chapter 3 Programs and Packages. 2 Java Virtual Machine (JVM) Java programs execute on the JVM. The JVM is a virtual rather than a physical machine,
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Introduction to Java Programming. Contents 1. Java, etc. 2. Java's Advantages 3. Java's Disadvantages 4. Types of Java Code 5. Java Bytecodes 6. Steps.

Introduction to Java Programming. Contents 1. Java, etc. 2. Java's Advantages 3. Java's Disadvantages 4. Types of Java Code 5. Java Bytecodes 6. Steps.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.

JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
OOP Languages: Java vs C++

OOP Languages: Java vs C++

Similar presentations

Ads by Google