Tollas Ferenc - Java security
-
Upload
veszpremimeetup -
Category
Technology
-
view
576 -
download
0
Transcript of Tollas Ferenc - Java security
Java Security Ferenc Tollas Sun Certified Developer for Java 2 PlatformSun Certified Programmer for JSE 5.0
Java is secure
Agenda
Java goals
Java Sandbox
Java Language Security
Bytecode verifier
Class loaders
Java Security Manager
Access Controller
JAAS
Java Cryptographic Extension (JCE)
Java goals
Originally developed by James Gosling
Goals:It should be "simple, object-oriented and familiar"
It should be "robust and secure"
It should be "architecture-neutral and portable"
It should execute with "high performance"
It should be "interpreted, threaded, and dynamic"
JDK 1.0 : January, 1996
Security requirements
Safe from malevolent programsPrograms should not be allowed to harm a user's computing environment, such as Trojan horses and harmful programs that replicate, like computer viruses.NonintrusivePrograms should be prevented from discovering private information on the host computer or the host computer's networkAuthenticated, Encrypted, Audited, Well-defined security specification.....Only the first two were within the province of Java's 1.0 default security model!
The other requirements were added in later versions of Java
How to provide the security related requirements:Java Language security
Java sandbox implementation
Pluggable Security Extensions
Java Sandbox
provide an environment where the program can play
must be configurable by an end user or system administrator
Protect: Memory
Files
Network
Minimal Sandbox: program has access to the CPU, the screen, keyboard, mouse and memory
Default Sandbox: CPU and its own memory as well as access to the web server from which it was loaded
Open sandbox : the program has access to whatever resources the host machine normally has access to
In early versions of Java, only applets were run within a sandbox.
In the Java 2 platform, all programs have the potential to run in a sandbox
Which is faster?Java's new or C's malloc?
Response:www.ibm.com/developerworks/java/library/j-jtp09275/index.html
Anatomy of a Java application
Bytecode Verifier:Java class files follow the rules of the Java language
Class Loader: loads all Java classes and can set permissions for each class it loads.
Security Manager:the primary interface between the core API and the operating system
Access Controller: allows or prevents most access from the core API to the operating system, uses the policy files..
Security package:SPI
Message digest
Key and certificate handling
Digital signatures
Encryption : JCE, JSSE
Authentication : JAAS
Debug what happens in the background: Djava.security.debug=all/access/failure
What is this:jre/lib/[arch]/client/clases.jsa
Elements of a sandbox
A sandbox is composed of five elements:Permissions : a specific action that code can performtype, name and action: permission java.io.FilePermission "/tmp/foo", "read";
every Java class carries a set of permissions that defines the activities that the class is allowed to perform
core Java API are always given permission to perform any action
application can define its own permissions
Code sources:location from which a class has been loaded. Combination of codebases and signers(alias listed in keystore).
Protection domains: basic concept of sandbox, it is an association of permissions with a particular code sourceDEMO
Elements of a sandbox
Policy files : contains one or more entries that define a protection domain.Global policy file:$JREHOME/lib/security/java.policy
User specific: $HOME/.java.policy
Result: union of permissions contained in the global and user policy files
IMPORTANT: deny setting new policy file: java.security :
policy.allowSystemProperty=trueKeystores: The certificates themselves are held in a location (usually a file) called the keystore.
java Djava.security.manager Djava.security.policy=
Java language security
Question: how Java operates on things that are in memory?
Objects, primitive types has access level: public, protected, default/package or private
Programs cannot access arbitrary memory locations, no pointer and casting between int and Object is illegal.
Entities that are declared as final must not be changed.
Variables may not be used before they are initialized->instance variables are initialized automatically
Array bounds must be checked on all array accesses.
Object serialization....Mark with java.io.Serializable, and use keyword transient
These rules must be enforced! Compiler enforcement. Is it enough???
Bytecode verifier
No interface, users/coders cannot interact with it
Checks:The class file has the correct format
Final classes are not subclassed, and final methods are not overridden.
Every class (except for java.lang.Object) has a single superclass.
There is no illegal data conversion of primitive data types (e.g., int to Object)
There are no operand stack overflows or underflows
Delayed bytecode verification
Runtime verification:array bounds checking, object casting
Class loaders
mechanism by which files are read into the JVM and converted into class definitions
Responsibility:The security manager is consulted to see if this program is allowed to access the class in question
Loads the class
The security manager is consulted to see if this program is allowed to create the class in question
The appropriate protection domain is created for the class
public FileInputStream(String name) throws FileNotFoundException { SecurityManager security = System.getSecurityManager( ); if (security != null) { security.checkRead(name); } try { open(name); // open( ) is a private method of this class } catch (IOException e) { throw new FileNotFoundException(name);} }Java Security Manager
determines whether many particular operations should be permitted or rejected
Djava.security.manager option installs a security manager
Partnership between the Ja5va API and the application
The SecurityException class is a subclass of the RuntimeException
Access Controller
Security Manager is based entirely on access controller
Uses the policy file; is built on permissions, protection domains, code sources and policies
the access controller can do everything the security manager can do; historic reasons
the access controller is only available in Java 1.2
Applications always interact with the SecurityManager
JAAS
Java Authentication and Authorization Service
enforce access controls based on who runs the code(policy files: where code came from)
Features:Single sign-on support
Pure Java
Pluggable Authentication Module framework fir authentication
JCE
Java Cryptographic Extension
Features:Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
Comprehensive API with support for a wide range of cryptographic services including digital signatures, message digests, ciphers (symmetric, asymmetric, stream & block), message authentication codes, key generators and key factories
JSSE
Java Secure Socket Extension
APIs and implementations for :Transport Layer Security (TLS),
Secure Sockets Layer (SSL),
Kerberos (accessible through GSS-API) and
full support for HTTPS over SSL/TLS.
Questions?