1 / 58

Dan Sedlacek CTO, Systems Management Group Sterling Software

Java Security and Encryption. Dan Sedlacek CTO, Systems Management Group Sterling Software. Java Security and Encryption. What is the level of security provided by Java technology? What’s NOT provided for in Java How Java implements security How to extend Java security. Agenda.

sachi
Download Presentation

Dan Sedlacek CTO, Systems Management Group Sterling Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Java Security and Encryption Dan Sedlacek CTO, Systems Management Group Sterling Software

  2. Java Security and Encryption • What is the level of security provided by Java technology? • What’s NOT provided for in Java • How Java implements security • How to extend Java security

  3. Agenda • Java Security Overview • Applications and Applets • Java Language Security • Java Class Loaders • Security Manager • Access Controller • Security Policies • Authentication • Encryption

  4. Java Security OverviewWhat is Security? • Virus Protection • System Resource Access Control • Authentication of Author and Data • Data Privacy • Encryption • Auditing • Orange Book (C2, B1)

  5. Java Security OverviewWhat is Java Security? • Virus Protection - Yes • System Resource Access Control - Yes • Authentication of Author and Data - Yes • Data Privacy - Yes & No • Encryption - Optional • Auditing - Not Built-in • Orange Book (C2, B1) - No

  6. Applets and Applications • Applets • Run Under Control of a Browser • Are Subject to the Browser Security Policy • Applications • Establish their Own Security Policy • Default is No Security Manager

  7. Applets Browser Security Manager Very Restricted

  8. Applications Optional Security Manager Allowed to Play

  9. How Does Java Provide Security? • Java Language Security • Java Class Loaders • Digital Signatures • Java Security Manager • Java Access Controller • Encryption

  10. Java Language Security • Objects have access levels: • private: Accessible by defining class • package (default): Accessible by classes in the same package • protected: Same as package, with addition of access by any subclass • public: Accessible by any class

  11. Java Language Security • Access methods are strictly adhered to • No pointers (no access to arbitrary memory and automatic garbage collection) • “final” methods or variables cannot be changed • Variables MUST be initialized before use • Array bounds are enforced • Strict object casting rules

  12. Java Language Security • Object serialization can be a problem • Objects are externalized as series of bytes • Data may be tampered with before the object is reconstructed • Some solutions: • objects must be declared “serializable” • “private transient” disallows serialization • writeObject() and readObject() methods let you implement your own encryption

  13. Java Language Security Enforcement • Enforcement happens at different times • Compile time enforcement • Class load time enforcement • Runtime enforcement • It’s easy to get around compile-time enforcement - build your own classes for the JVM • Class loader and runtime enforcement are more difficult to get around

  14. Java Language SecurityEnforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

  15. Java Language SecurityCompile Time Enforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

  16. Java Language SecurityCompile Time Enforcement • Validate language syntax • Enforce method and variable access rules • Enforce variable initialization • Enforce some casting operations

  17. Java Language SecurityClass Load Time Enforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

  18. Java Language SecurityClass Load Time Enforcement • Bytecode verifier is part of the VM • Bytecode verification • Verifies class file format • Final classes are not subclassed • Final methods are not overridden • Every class has a single superclass (except Object, of course)

  19. Java Language SecurityClass Load Time Enforcement • Bytecode verification (continued) • Verify that casting legality checks are in place • No operand stack overflows or underflows • All field and method accesses are legal • Bytecode verification may be delayed in some implementations

  20. Java Language SecurityRuntime Enforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

  21. Java Language SecurityRuntime Enforcement • Array bounds checking • Throws ArrayIndexOutOfBoundsException • Object casting • Throws ClassCastException • Security Manager • Throws SecurityException • Depends on the Access Controller

  22. Java Class Loaders • Read bytecode into the JVM • Convert into class definitions • Works in conjunction with Security Manager and Access Controller • Knows where the class originated • Understands signed Jar files • Enforces namespace rules

  23. Java Class Loaders • Java applications can create and use different class loaders • Java applets use the browser-provided class loader

  24. Java Class LoadersNamespaces • Used to eliminate ambiguity between classes with the same name • Full name of a Java class is qualified by the name of the package: • java.lang.String • com.sun.java.swing.JTable • Default package

  25. Java Class LoadersNamespaces • Classes with different CODEBASEs are loaded by different instances of the class loader • Even if fully qualified class names are the same, namespaces make them unique • Namespaces enforce package protection

  26. Java Class LoadersHow they Work • Previously loaded classes are cached • Class loader optionally consults the Security Manager to see if the program is allowed to access the class • Internal class loader attempts to load the class from CLASSPATH • Class loader reads in an array of bytes • Bytecode verification is performed

  27. Java Class LoadersHow they Work • A class object is constructed from the bytecodes • Resulting class name is verified to be the requested class name • Base classes and classes referenced by static initializers are also loaded • Other referenced classes are loaded when the class references them

  28. Java Class LoadersHow they Work • An internal class loader (part of the JVM) loads the Java API classes when the VM starts up • In 1.1 internal class loader also loads all CLASSPATH classes • In 1.2 an instance of URLClassLoader loads classes from CLASSPATH • Browsers load classes for the applets from the applet’s CODEBASE using URL class

  29. Other Java Class Loaders • An RMI class loader (RMIClassLoader) is similar to an applet class loader • Uses HTTP to load classes from a remote host • Secure class loader associates protection domains with each class it loads • java.security.SecureClassLoader • Makes use of the access controller facilities • URL class loader (URLClassLoader) - general purpose class loader

  30. Java Class Loadersand JAR files • Java Archive files, or JAR files are Zip files with some additional information • JAR files contain many class files, and other files needed by an application • All classes in a JAR files are loaded at once • Signed classes must be in JAR files

  31. Java Class LoadersSecurity Implications • Class loaders are integral to Java’s security • Class loaders enforce namespace separation • Security Manager depends on the class loader to keep track of the class origin • Custom class loaders may be developed to handle load protocols other than HTTP, to implement class file encryption, and to implement special security policies.

  32. Java Security Manager • Security Manager is the sandbox guard • Default security manager provided by browsers to protect local system resources • Applications have a null security manager by default • Use the -usepolicy option to utilize the default security manager (that in turn uses the Access Controller)

  33. Java Security Manager Access Controller Class File Security Manager Class Loader Bytecode Verification Instantiated Object Core Java API

  34. Java Security Manager • java.lang.SecurityManager • Programs perform operations through the core Java API • Methods are invoked by the core Java API to check if an operation is allowable • A SecurityException is thrown if the operation is not allowable

  35. Java Security ManagerTrusted Classes • In general: • Core API classes are trusted • Classes that are loaded via the CLASSPATH are trusted • Specific permissions may be granted based on signature and codebase • Access Controller is called by the Security Manager to ascertain if a class is trust-worthy

  36. Java Security ManagerMethods • Protection for the Java Virtual Machine • System resource protection • File system access • Network access • Printing • Accessing the clipboard • Event queue access

  37. Java Security ManagerMethods • Access to security related operations • Protection against manipulating thread groups that were created by another entity

  38. Access Controller • Added in release 1.2 • Used by the security manager to determine security policy • Allows security policy to be configured without writing a custom security manager • System security file: • $JAVAHOME/lib/security/java.security • Security Manager still works with pre-version 1.2 classes

  39. Access ControllerSystem Security File • $JAVAHOME/lib/security/java.security • policy.provider=java.security.PolicyFile • policy.expandProperties=true • policy.allowSystemProperty=true • policy.url.1=file:${java.home}/lib/security/java.policy • policy.url.2=file:${user.home}/.java.policy • These policy files map code sources to sets of permissions

  40. Access ControllerRoles • Used by the security manager to determine access to resources • May be used by a program to check application-specific permissions • Used only if a security manager is being used

  41. Access ControllerConcepts • Code sources - Where the class comes from • Permissions - Ability to perform an operation • Policies - Set of permissions by code source • Protection domains - Permissions granted to classes from a particular code source

  42. Access ControllerCode Sources • java.security.CodeSource • CodeSource(URL url, PublicKey[] key[]) • public boolean equals(Object obj) • public final URL getLocation() • public final PublicKey[] getKeys()

  43. Access ControllerPermissions • java.security.Permissions • Permission properties: • Type (e.g. FilePermission) • Name (e.g. name of the file - supports wildcards) • Actions (e.g. read)

  44. Access ControllerPermissions • Java API permissions • Access controller is automatically called if a security manager is active • Arbitrary user-defined permissions • Name (e.g. CorporatePayroll) • Actions (e.g. read) • Access controller must be explicitly called

  45. Access ControllerJava API Permissions • Java API permissions • FilePermission (e.g. /etc/passwd, read) • SocketPermission (IP:port, accept, connect, listen, resolve) • PropertyPermission (e.g. java.version, read) • RuntimePermission (Runtime class operations, e.g. exit) • AWTPermission - Access to windowing resources

  46. Access ControllerJava API Permissions • Java API permissions • NetPermission - Multicast and HTTP authentication • SecurityPermission - Permission to use the security package • SerializablePermission - Object serialization • ReflectPermission - Reflection API • UnresolvedPermission - External permissions • AllPermission - Superuser

  47. Security Policies • java.security.Policy • Ties code sources to permissions • Default policy is provided in the system security file • Methods: • Permissions evaluate(CodeSource cs) • void refresh()

  48. Default Security Policy • Policy files specified by the system security file • Policy files specified by the: • policy.url.n entries • General format: • grant [signedBy <signer>][,codeBase <code source>] {permission <class> [<name> [, <action list>]];… permission <class> [<name> [, <action list>]];};

  49. Protection Domains • Java.security.ProtectionDomain • public ProtectionDomain(CodeSource cs, Permissions p) • public CodeSource getCodeSource() • public Permissions getPermissions() • public boolean implies(Permission p) • Represents one “grant” entry in the file

  50. Authentication • It’s a wide open Internet • System resources need to be protected from viruses and other attacks • Need for authentication • Author authentication • Where did the class come from • Data authentication • Was the class content modified?

More Related