1 / 20

Java Security by Drew Dean Edward W. Felten and Dan S. Wallach

Java Security by Drew Dean Edward W. Felten and Dan S. Wallach. Topics. Introduction Java Semantics Taxonomy of Java Bugs Security Analysis Flexible Security for Applets Conclusion. Introduction. Java and the HotJava browser it supports are insecure due to Implementation errors

corinnar
Télécharger la présentation

Java Security by Drew Dean Edward W. Felten and Dan S. Wallach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Java SecuritybyDrew Dean Edward W. Felten and Dan S. Wallach Computer Security: Art and Science

  2. Topics • Introduction • Java Semantics • Taxonomy of Java Bugs • Security Analysis • Flexible Security for Applets • Conclusion Computer Security: Art and Science

  3. Introduction • Java and the HotJava browser it supports are insecure due to • Implementation errors • Unintended interactions between browser features • Differences between the Java language and bytecode semantics • Weaknesses in the design of the language and bytecode format • Weaknesses in the design methodology used in creating Java and the browsers Computer Security: Art and Science

  4. Java Semantics • System Name Space • Shared by all name spaces • Always searched first • Prevents downloaded code from overriding a system class. Computer Security: Art and Science

  5. Java Semantics • Mechanism of Java runtime system to fetch bytecode • a Calls subclass of the abstract class ClassLoader • ClassLoader defines an interface for the runtime system to ask a Java program to provide a class. • Classes are transported across network as as byte streams, and reconstituted into class objects by subclasses of ClassLoader Computer Security: Art and Science

  6. Java Semantics (Contnd) • Safety of Java bytecode • Array stores require run time type checks as well as ordinary array bounds checks • Example: Suppose, A is a subtype of B. Java typing rules say that A[] is a subtype of B[]. Void proc (B[] x, B y) { X[0] = y; } • Dynamic checks introduces performance penalty Computer Security: Art and Science

  7. Java Security Mechanisms • SecurityManager class • Defines and implements a security policy • Issues • No security manager runs when Java runtime system starts • Web browser or other user agent has to install a security maneger before executing untrusted code. • The purpose of the SecurityManager classis to define an interface for access control. • Default SecurityManager implementation throws a SecurityException for all access checks, forcing the user agent to define and implement its own policy in a subclass of SecurityManager Computer Security: Art and Science

  8. Taxonomy of Java Bugs • Denial of Service Attacks • Busy waiting to consume CPU cycles and allocating memory until the system runs out, starving other threads and processes. • Applets can acquire locks on critical pieces of the browser to cripple it. • sysnchronized (Class.forName(“net.www.html.MeteredStream”)) { while (true) Thread.sleep(10000); } Computer Security: Art and Science

  9. Taxonomy of Java Bugs (Contd) • An attack can be programmed to occur after some time delay, causing the failure to occur when the user is viewing a different web page, thereby masking the source of the attack • Degradation of Service: significantly reduces the performance of the browser without stopping it. • The lock-based attack could be used to hold a critical system lock most of the time, releasing it only briefly and occasionally. Computer Security: Art and Science

  10. Taxonomy of Java Bugs (Contd) • Two versus Three Party Attacks • Two Party Attack : Requires that the web server the applet resides on participate in the attack • Three Party Attack: Can originate from anywhere on the internet, and might spread if it is hidden in a useful applet that gets used by many web pages. Computer Security: Art and Science

  11. Taxonomy of Java Bugs (Contd) Figure 2. A Three Party Attack — Charlie produces a Trojan horse applet. Bob likes it and uses it in his Web page. Alice views Bob’s Web page and Charlie’s applet establishes a covert channel to Charlie. The applet leaks Alice’s information to Charlie. No collusion with Bob is necessary. Computer Security: Art and Science

  12. Taxonomy of Java Bugs (Contd) • Information Available to Applets • At a minimum , an applet can consume all the free space in the file system • User’s login name, machine name, the contents of all environment variables • System.getenv() in HotJava has no security checks • Netscape and JDK do not allow access to environment variables by applets Computer Security: Art and Science

  13. Taxonomy of Java Bugs (contd) Figure 4. DNS subversion of Java: an applet travels from attacker.com to victim.org through normal channels. The applet then asks to connect to foo.attacker.com, which is resolved by attacker.com’s DNS server to be victim.org’s internal mail server which can then be attacked. Computer Security: Art and Science

  14. Taxonomy of Java Bugs (Contd) • Buffer Overflows • sprintf()-HotJava and the alpha release of JDK used stack allocated buffers, yet did not check for buffer overflows • Disclosing Storage Layout: The Java library allows an applet to learn where in memory its objects are stored • hashcode() casts the address of the object’s internal storage to an integer and returns it, thereby exposing more internal state than necessary. Computer Security: Art and Science

  15. Taxonomy of Java Bugs (Contd) • Public Proxy Variables • We can change the browser’s HTTP and FTP proxy servers. We can set up our own proxy server as a man-in-the-middle. • We can both watch and edit all the traffic to and from the HotJava browser. • Use the security manager’s put() method to store our desired proxy in the property manager’s database. If the user is then tricked into printing a web page, these settings will be saved to the disk, and will be the default setting next time the user starts HotJava. Computer Security: Art and Science

  16. Java Language and Bytecode Differences • Superclass constructors Attack: • Class CL extends ClassLoader { CL() { try { super(); } catch (Exception e) { }}ClassLoader gives an attacker the ability to defeat Java’s type system • David Hopwood Attack • Malicious code treated as trusted and can bypass runtime and access op system with full privilege of the user. Computer Security: Art and Science

  17. Java Language and Bytecode Weaknesses • Language Weaknesses • Has neither a formal semantics nor a formal description of its type system. • Package system provides only basic modules • Java allows methods to be called from the constructor • Bytecode Weaknesses • In Java bytecode, the verifier must show that all possible execution paths have the same virtual machine configuration-more complicated and hence more prone to error. • The present verifier cannot be proven correct because there is not a formal description of the type system Computer Security: Art and Science

  18. Security Analysis • Policy • Lack of a formally defined security policy • SecurityManager pitfalls • Not always invoked • Not tamperproof • Not verifiable • Integrity • Browser’s internal state is stored in public variables and classes which compromises Java runtime system’s integrity. • Accountability • The Java runtime system does not have a configurable audit system Computer Security: Art and Science

  19. Flexible Security for Applets • Networking • An applet should not be able to control the PORT commands sent on its behalf. • Distributed Applications • Applications such as audio/video conferencing, real-time multi-player games, factoring, can be used as applets • User Interface • Security policy should be flexible enough so as not to make the user disable security. • Applets should request capabilities when they are first loaded. The user’s response then should be logged, alleviating the need for future re-authorization. • Use trusted dialog boxes Computer Security: Art and Science

  20. Summary • Java lacks a well-defined, formal security policy that prevents the verification of an implementation • The Java language definition could be altered to reduce accidental leaks of information from public variables, and encourage better program structure with a richer module system than Java’s package construct. • Redesign of the Java language, the bytecode format and the runtime system is paramount. • Questions/Comments ??? Computer Security: Art and Science

More Related