Basic Security: Java vs .NET. Master Seminar Advanced Software Engineering Topics, Prof. Jacques Pasquier-Rocha, Software Engineering Group, Department of Informatics, University of Fribourg, Switzerland. Author: David Buchmann. Supervisor: Ghita Kouadri Mostéfaoui. 15 May 2003


Basic Security: Java vs .NET

Master Seminar
Advanced Software Engineering Topics

Prof. Jacques Pasquier-Rocha

Software Engineering Group
Department of Informatics

University of Fribourg, Switzerland

Author: David Buchmann
Supervisor: Ghita Kouadri Mostéfaoui

15 May 2003

Overview

● Part 1: Theory
  – Introduction
  – Principles of Java and .NET
  – What kind of security?
  – Language security
  – Permission Management

● Part 2: Example with Java

Introduction

● Use downloaded code (web browser, distributed application)

● Need for strict control

● Sandbox

● Permission Management

● Codebases resp. Trust zones


Principles

● Compiler produces Byte Code

● Virtual Machine to interpret code

● Class Loader

● Code Verifier

● Access Control

● Interface for native code

Distribution

● Packages / Namespaces to avoid naming conflicts

● Reflection to analyse code

● Code and resource libraries (JAR resp. Assembly)

Remote Calls

● RMI resp. .NET Remoting

● Use remote objects, marshalling of parameter objects

● Typical case of executing foreign code

● See presentation of Robert Feldmann


What kind of security?

Type           | Risk                                      | Solution                             | Mechanism
Malevolent     | Destroy data, crash the system...         | Check code before / while executing  | VM, virus scanner
Intrusive      | Spy out local system                      | Restrict program to its own data     | Sandbox
Faked          | User trusts code not from expected origin | Authenticate author and user of code | Digital signatures
Unsafe channel | Spy on communication                      | Encryption                           | Encryption standards
Non-audited    | Remove traces of attack                   | Safe logging                         | Logging framework
Incorrect      | Security holes, system crash              | Verify correctness                   | Human reviewing, no general solution


Access to private data

● Public, protected, private, final

● Pointers, arrays

● Casts, stack corruption

● Uninitialized variables

● Byte code verifier

Sandbox and native code

● .NET application domain, fixed at startup

● Java protection domain, dynamic

● Old native code can be used, but not controlled by the VM

● Managed vs. unmanaged code


Permissions

● Allow operations depending on protection domain

● Build groups of domains
  – Directory
  – URL
  – Signature
  – All Code

.NET Code Groups

Determining the group in Java

● Dynamically determine group

● Based on the protection domain of classes on the execution stack

Permission           | Description                                                                       | Java | .NET
File System          | Read / write files, execute binaries                                              | X    | X
Network              | Connect to hosts, open a listen port                                              | X    | X
System Properties    | Read / write system properties                                                    | X    | X
Runtime System       | Print, stop threads                                                               | X    | X
Change Security      | Create a class loader, set security manager                                       | X    |
Reflection           | Use the reflection API (potential access to private fields)                       | X    | X
Window System        | Create windows, access UI events                                                  | X    | X
Show without warning | Applet windows are per default displayed with a warning line "Java Applet Window" | X    |
File Dialog          | Access a file which the user selected in a file open dialog                       |      | X
Isolated Storage     | Use a private virtual file system                                                 |      | X
Directory Service    | Use the Microsoft Active Directory                                                |      | X
Registry             | Access the Windows registry                                                       |      | X
Service              | Manipulate Windows services                                                       |      | X
OleDb, SQLClient     | Database access using OLE resp. ODBC                                              |      | X

Managing groups and permissions

● Java: Policy file
  – java -Djava.security.policy=<java.policy>

● .NET: caspol.exe front end
  – caspol.exe -addgroup 1.3 -site www.unifr.ch FullTrust
  – caspol.exe -security off
  – caspol.exe -addpset MyCustomSet permissions.xml

  <PermissionSet class="System.Security.NamedPermissionSet" version="1"
                 Name="MyCustomSet" Description="An example set">
    <IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                 version="1" Unrestricted="true" />
  </PermissionSet>

Policy levels & flexibility

● .NET: machine, user, enterprise level – intersection of permissions

● Java: default policy, user - union of permissions

● Java can replace security manager, permission manager and class loader


Downloaded code

● Downloaded code is in separate protection domain

No access to file system

● Downloaded code should not have access to the file system

Network access

● Downloaded code should only connect to the server it comes from

The calling stack

● Local code called by remote code is not trusted, but treated as if it were remote.
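The following program is an added example, not code from the seminar; it shows in current Java what the "Managing groups and permissions" and "Downloaded code" slides describe: a separate protection domain for downloaded code, a grant limited to connecting to the origin server, no file-system permission, and the stack walk that treats a trusted local helper as remote when remote code is the caller. The host name, URL and codebase are constructed sample values, and the program assumes a JDK from 8 through 23 (from JDK 18 on it must be started with -Djava.security.manager=allow, since the SecurityManager is disabled by default there and removed in JDK 24).

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.net.SocketPermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;

/*
 * Downloaded code gets its own ProtectionDomain with a SocketPermission for
 * its origin host only. Every domain on the call stack must imply a requested
 * permission, so a local helper called from that domain is checked as remote.
 *
 * The equivalent grant in a java.policy file (the slides' -Djava.security.policy
 * mechanism), for the assumed codebase used below:
 *
 *   grant codeBase "http://www.example.org/app/-" {
 *       permission java.net.SocketPermission "www.example.org", "connect";
 *   };
 */
public class DownloadedCodeDemo {

    private static final String ORIGIN_HOST = "www.example.org";          // constructed sample
    private static final String ORIGIN_URL = "http://" + ORIGIN_HOST + "/app/";

    /** Local, fully trusted helper: reads the first line of a file. */
    static String readFirstLine(Path file) throws IOException {
        // FileReader asks the SecurityManager for FilePermission(file, "read");
        // that check walks the whole call stack, including our caller's domain.
        try (BufferedReader in = new BufferedReader(new FileReader(file.toFile()))) {
            return in.readLine();
        }
    }

    /** Builds the protection domain the slides assign to downloaded code. */
    static ProtectionDomain downloadedCodeDomain() throws Exception {
        CodeSource origin = new CodeSource(new URL(ORIGIN_URL), (Certificate[]) null);
        Permissions perms = new Permissions();
        perms.add(new SocketPermission(ORIGIN_HOST, "connect"));   // origin server only
        // Two-argument constructor: static permissions, the Policy is not consulted.
        return new ProtectionDomain(origin, perms);
    }

    /** Runs a task with the downloaded-code domain added to the access-control context. */
    static <T> T asDownloadedCode(ProtectionDomain remote, PrivilegedExceptionAction<T> task)
            throws Exception {
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { remote });
        try {
            return AccessController.doPrivileged(task, ctx);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    /** True if the current context may connect to host:port (no real connection is made). */
    static boolean mayConnect(String host, int port) {
        try {
            AccessController.checkPermission(new SocketPermission(host + ":" + port, "connect"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Permissive policy for local (classpath) code, so that only the remote
        // domain restricts anything; then switch enforcement on.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        Path tmp = Files.createTempFile("demo", ".txt");
        Files.write(tmp, "secret".getBytes(StandardCharsets.UTF_8));
        ProtectionDomain remote = downloadedCodeDomain();

        // 1. Local code called by local code: allowed.
        System.out.println("local read:     " + readFirstLine(tmp));

        // 2. The same local helper called by downloaded code: denied, because the
        //    remote domain on the stack has no FilePermission.
        try {
            asDownloadedCode(remote, () -> readFirstLine(tmp));
            System.out.println("remote read:    ALLOWED (unexpected)");
        } catch (AccessControlException e) {
            System.out.println("remote read:    denied -> " + e.getPermission());
        }

        // 3. Network: only the origin host is reachable from downloaded code.
        System.out.println("connect origin: " + asDownloadedCode(remote, () -> mayConnect(ORIGIN_HOST, 80)));
        System.out.println("connect other:  " + asDownloadedCode(remote, () -> mayConnect("other.example.net", 80)));
        Files.delete(tmp);
    }
}
```

Run it with `java -Djava.security.manager=allow DownloadedCodeDemo` (the property is ignored on JDK 8 to 17). The point of the third step is the one the slides make about network access: the downloaded domain's single SocketPermission implies any port on the origin host and nothing else, and the check fails for the other host whether or not the name resolves. In step two the denial comes from the stack walk, not from the helper: the same readFirstLine succeeds in step one, and it would succeed again from the remote context only if the helper wrapped its file access in AccessController.doPrivileged, which is exactly why local code reachable from downloaded code must be reviewed as if it were remote.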

Conclusion

● Private and final not only for clean programming, but important for security

● Virtual machines to enforce proper code and access control

● Java and .NET very similar
  – Java more flexible
  – .NET better default framework, but not replaceable

Java vs .NET

Java:

● Long used, security holes found

● Implement own security features

● Run on different platforms

● Integrate with different systems

● Many open source projects

.NET:

● Integrated with Windows infrastructure

● Good security implementation

● Use different languages

● Very professional Visual Studio .NET

● Will become important because of Microsoft's marketing power

Thank You

Questions ?