Java Security
Overview
• Hermetically Sealed vs. Networked
• Executable Content (Web Pages & email)
• Java Security on the Browser• Java Security in the Enterprise• Java Security on the Network
JVM as Gatekeeper
• Indirect Execution• Language Features (no pointers,
type-safe)• Class Loaders• Bytecode Verifiers
Security Solutions
• Java Security on the Browser– Browser Security Managers– Sandbox– Digital Signatures
• Java Security in the Enterprise– Access Control– Authentication – Authorization– Confidentiality and Integrity Protection
• Java Security on the Network – Encryption
Java
Application Server
Application Server
Presentation& Business Logic
Servlet/JSPEJBs, RMI Objects
JDBC
Internet
Browser
Web Server
One Observation
In all likelihood, security flaws will continue to be discovered (and patched) in Java VM implementations. Despite this, Java remains perhaps the most secure platform currently available. There have been few, if any, reported instances of malicious Java code exploiting security holes "in the wild". For practical purposes, the Java platform appears to be adequately secure, especially when contrasted with some of the insecure and virus-ridden alternatives.
- David Flanagan, Java in a Nutshell
Types of Attack
• System Attack• Data theft• Masquerade• Denial of Service• Annoyance
Defending against Attack
Class
ComputerResources
BytecodeVerifier
ClassLoader
SecurityManager
Class Loaders
• VM only loads class files that are needed for the execution of a program
• Every Java program has at least three class loaders:– Bootstrap class loader– Extension class loader– System class loader
Bootstrap class loader
• Loads system classes (rt.jar)• Usually implemented in C• Integral part of the JVM• No ClassLoader object available
Other class loaders
• Extension class loader– Loads standard extensions (jre/lib/ext)
• System class loader– Loads application classes from
CLASSPATH
• Both of the above are implemented in Java
• Both of the above are instances of the URLClassLoader class.
Namespaces
• Beyond just the fully resolved class and package name
• A class is determined by its full name and the class loader
• Useful for loading code from multiple sources
• Two classes in the same VM may have the same class and package name
Namespaces
Internet
Sun Applet Kaos Applet
Browser JVM
com.sun.Car (Sun)
com.sun.Car (Kaos)
Class loader r1
Class loader r2
www.sun.com
www.kaos.com
r1
r2r1 r2
Bytecode Verification
• Inspects bytecodes from newly loaded class
• Checks instructions to make sure they are safe
• All classes except system classes are verified
Verification Checks
• Variables initialized before use• Method calls match types of object
references• Rules for accessing private data and
methods upheld• Local variable accesses fall within
the runtime stack• The runtime stack does not overflow
Security Manager
• Determines if a specific operation is permitted– Accessing fields of another class
using reflection– Accessing a file– Starting a print job– Accessing the AWT event queue– Exiting the virtual machine
Consulting the Security Manager
public void exit(int status)
{
SecurityManager sec = System.getSecurityManager();
if( sec != null )
sec.checkExit(status);
exitInternal(status);
}
Permission Sets
• A security policy maps code sources to permission sets
Code Source 1Code base (location)
certificates
Code Source 2Code base (location)
certificates
Permission Set 1permission #1apermission #1b
Permission Set 2permission #2apermission #2bpermission #2c
Policy Files
• Instructions that map code sources to permissions
grant codebase “http://www.cs.weber.edu/classes”
{
permission java.io.FilePermission “/tmp/*”, “read,write”;
};
Where are policy files?
• The file java.policy in the Java platform home directory
• The file .java.policy in the user home directory
Specifying policy files
• Assume a customized policy file called MyApp.policy
• Inside an application main method:
System.setProperty(“java.security.policy”, “MyApp.policy”);
• On the command line:
java –Djava.security.policy=MyApp.policy MyApp
• For applets:
appletviewer -J–Djava.security.policy=MyApp.policy MyApp.html
Installing a Security Manager
• Inside an application main method:
System.setSecurityManager(new SecurityManager());
• On the command line:
java –Djava.security.manager
-Djava.security.policy=MyApp.policy MyApp
JAAS – Java Authentication and Authorization Service
• Authentication – ascertaining identity• Authorization – map users to permissions• Isolates Java applications from
underlying technology used to implement authentication– UNIX logins– NT logins– Kerberos authentication– Certificate-based authentication
Digital Signatures
• Allows different levels of security• Has the transmitted message been
tampered with?• Message Digest (SHA1, MD5)• Public/Private Key (DSA)• Certificate Signing
Encryption
• Obscures transmission of plain text• Hides confidential information• Java Cryptographic Extension
(JCE)– Cipher class
• Data Encryption Standard (DES)