CMSC 838 Y Class Paper Presentation, Prashant Lamba

Date posted: 20-Dec-2015

1

CMSC 838 Y

Class Paper Presentation

Prashant Lamba

2

Mechanisms for Secure Modular Programming in Java

1. Lujo Bauer

2. Andrew W Appel

3. Edward W Felten

3

Theme of the Paper

To provide a new module system for Java that remedies deficiencies of the Java package system.

To emphasize the need for modular systems rather than object-oriented software systems.

4

Deficiencies in the Java Package System

Limited ability to control access to their member classes.

No explicit interfaces

No support for multiple views of a module

Problems with dynamic linking

5

Solution to the Problem

ML-style hierarchical module system

o Provides explicit interfaces

o Multiple views of a module

More control over the external modules with which the code is linked

6

Module System

Source Files

Module description file

– Export Interface

– Membership List

– Import Statement

7

[Diagram: module description file]

Export Interface: Access, AccessList, Codegen, Frame, Proc

Membership List: Access.Java, AccessList.Java, Codegen.Java, Frame.Java, Proc.Java

Import Interface: Tree…/Tree/, Temp../Temp/, Assem../Assem/, Util../Util

Codegen.Java:

    abstract class Codegen {
        Frame frame;
        abstract Assem.InstrList codegen(Tree.Stm stm);
    }

8

9

Fixing Java Packages

Export Interfaces

– Explicit export interfaces

» The Java package system lacks this feature

Membership List

– A deficiency of the Java package system allows malicious code to become part of a trusted application.

10

Fixing Java Packages

Attack Scenario in Java Package System:

[Diagram: Package with Class1.Java, Class2.java, Class3.java, Class4.java and Malicious Code class.Java]

11

Fixing Java Packages

Hierarchical Scalability and Multiple Interfaces

Multiple views of a module are possible.

Example: Module M can have views V1 and V2, with access to classes A, B, C and A, D respectively.

12

Multiple Views of Module M0

Module M0: exporting A, B, C and D

Module M1: importing M0.A, M0.B, M0.C

Module M2: importing M0.A, M0.D

13

Fixing Java Packages

Name-Space Management

– Java packages are themselves named, so this merely lifts the problem to the package level.

Example: We can have a clash between two classes called Util.Parser

14

Solution:

The module system assigns the names via import statements.

15

Secure Linking

Java uses a type-checking mechanism for secure dynamic linking.

– Problem: Type checking guarantees that programs and libraries at least agree on the types they are using.

Java uses code signatures when a system must trust the behavior of a particular executable.

– Problem: In this scheme also, we don't know about the properties of the code.

16

Solution:

– We allow the programmer to require certain properties of the modules on which his code depends.

– The properties our system supports are keywords about the behavior of his code.

– It will cryptographically hash the <byte code, module description, property name>
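The following is an added example, not code from the slides or the paper, showing why the hash covers the whole triple: changing the byte code, the module description or the property name yields a digest that no longer matches. SHA-256, the length-prefixed encoding, the property keywords `no-network` and `no-file-io`, the description text and the way the trusted digest set is obtained are all assumptions of this sketch.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;

public class PropertyHash {
    // Digest of <byte code, module description, property name>. Each field is
    // length-prefixed so bytes cannot move from one field to the next without
    // changing the digest. SHA-256 and this encoding are assumptions.
    static String tripleHash(byte[] byteCode, String moduleDesc, String property)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] field : new byte[][] {
                byteCode,
                moduleDesc.getBytes(StandardCharsets.UTF_8),
                property.getBytes(StandardCharsets.UTF_8) }) {
            md.update(ByteBuffer.allocate(4).putInt(field.length).array());
            md.update(field);
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // Link-time check: the importer names a required property; the module is
    // accepted only if its triple digest is in the set the linker trusts.
    static boolean hasProperty(Set<String> trusted, byte[] byteCode,
                               String moduleDesc, String property)
            throws NoSuchAlgorithmException {
        return trusted.contains(tripleHash(byteCode, moduleDesc, property));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not a real class file or description file.
        byte[] code = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 1};
        String desc = "export Codegen; members Codegen.java; import Tree";
        Set<String> trusted = Set.of(tripleHash(code, desc, "no-network"));

        // Unchanged module and the property that was hashed with it.
        System.out.println(hasProperty(trusted, code, desc, "no-network"));
        // One bit of byte code flipped after the digest was recorded.
        byte[] patched = code.clone();
        patched[5] ^= 1;
        System.out.println(hasProperty(trusted, patched, desc, "no-network"));
        // Same code, but the description now imports one more module.
        System.out.println(hasProperty(trusted, code, desc + " Util", "no-network"));
        // Same code and description, but a property that was never hashed.
        System.out.println(hasProperty(trusted, code, desc, "no-file-io"));
    }
}
```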

17

18

Implementation

[Diagram components: Module Description File, Java Source, Java Compiler, Byte Code, Trf 1, Trf 2, Trf 3, Class Loader, JVM]

Trf = Transform

19

Execution in the Virtual Machine

Dynamic linking in the JVM is managed by the Class Loader.

A request to load a class may be allowed based on the digital signature of the class.

The Class Loader of the system described uses the module description file to set up the appropriate environment.

20

Class Loader manipulation leads to security problems, and the type system can be broken.

– New JVMs have stricter namespace management policies.

» The machine verifies the encoded name of the class (returned by the loadClass request) against the name with which loadClass was invoked.

21

Problem:

In our module system, identifiers for class names have very little resemblance to the actual package names they refer to.

Solution:

Rewriting the byte code, replacing the symbolic name with the actual name.

22

Future Work

Support for the Reflection API

Dynamic linking is an area that deserves more study.