1 / 27

Java Security

Java Security. Susan Kovacs. Topics of Discussion. Why is security an issue? Types of security breaches Java’s approach the Language the Libraries Browsers Conclusion. Why is security an issue?. What is an applet?.

hwestbrooks
Télécharger la présentation

Java Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Java Security Susan Kovacs COSC 4301 - Assignment 3 - Part 1

  2. Topics of Discussion • Why is security an issue? • Types of security breaches • Java’s approach • the Language • the Libraries • Browsers • Conclusion COSC 4301 - Assignment 3 - Part 1

  3. Why is security an issue? What is an applet? A Java program that is run from inside a web browser. The html page loaded into the web browser contains an <applet> tag, which tells the browser where to find the Java .class files. For example, appletviewer http://foo.com/~jo/coolApplet.html COSC 4301 - Assignment 3 - Part 1

  4. Why is security an issue? The class files for an applet are automatically downloaded when a user goes to the containing Web page in a browser. It is therefore likely that a user will encounter applets from untrusted sources. Without any security, this would be a convenient way to spread viruses. COSC 4301 - Assignment 3 - Part 1

  5. Types of breaches • Integrity Attacks • Availability Attacks • Disclosure Attacks • Annoyance Attacks COSC 4301 - Assignment 3 - Part 1

  6. Types of breaches • Integrity Attacks • Deletion / modification of files • Modification of memory currently in use • Killing processes / threads COSC 4301 - Assignment 3 - Part 1

  7. Types of breaches • Availability Attacks • Allocating large amounts of memory • Creating thousands of windows • Creating high priority process / threads COSC 4301 - Assignment 3 - Part 1

  8. Types of breaches • Disclosure Attacks • Mailing information about your machine • /etc/passwd • Sending personal or company files to an adversary or competitor over the network COSC 4301 - Assignment 3 - Part 1

  9. Types of breaches • Annoyance Attacks • Displaying obscene pictures on your screen • Playing unwanted sounds over your computer COSC 4301 - Assignment 3 - Part 1

  10. Java’s Approach ... • The Language • The Libraries • Browsers COSC 4301 - Assignment 3 - Part 1

  11. The Language • Access control • Type-safe • Absence of pointers • Garbage collection • Packages COSC 4301 - Assignment 3 - Part 1

  12. The Language • Access control • public • private • final COSC 4301 - Assignment 3 - Part 1

  13. The Language • Type-safe The compile time type and runtime type of variables are guaranteed to be compatible. Prevents the forging of access to objects to get around access control. COSC 4301 - Assignment 3 - Part 1

  14. The Language • Absence of pointers Pointers cannot be directly manipulated by user code. Prevents both malicious and accidental misuse of pointers. COSC 4301 - Assignment 3 - Part 1

  15. The Language • Garbage collection Manual deallocation provides a round-about way of illegally casting. Java uses garbage collection to recover unused memory instead of relying on explicit user deallocation. COSC 4301 - Assignment 3 - Part 1

  16. The Language • Packages Provides namespace encapsulation. Prevents downloaded code from shadowing system library code with malicious code. COSC 4301 - Assignment 3 - Part 1

  17. The Libraries • Class Loader • Security Manager COSC 4301 - Assignment 3 - Part 1

  18. The Libraries • Security Manager Contains methods which are intended to be called to check specific types of actions. It is intended to be subclassed and used to instantiate the desired security policy. COSC 4301 - Assignment 3 - Part 1

  19. The Libraries • Security Manager Example: Public boolean mkdir(String path) throws IOException { SecurityManager security = System.getSecurityManager(); if (security != null) security.checkWrite(path); return mkdir0(); } COSC 4301 - Assignment 3 - Part 1

  20. The Libraries • Class Loader Class loaders are responsible for importing binary data that defines the running program’s classes and interfaces. Two type: primordial & object COSC 4301 - Assignment 3 - Part 1

  21. The Libraries • Class Loader Due to JVM’s approach to loading classes, classes can by default only see other classes that were loaded by the same class loader. This allows for multiple name-spaces inside a single Java application COSC 4301 - Assignment 3 - Part 1

  22. Browsers • The Web browser defines and implements a security policy for running downloaded Java code. • A Java enabled web browser includes: • Java interpreter and runtime libraries • classes to implement a Security Manager • various Class Loaders COSC 4301 - Assignment 3 - Part 1

  23. Examples import java.awt.*; import java.io.*; import java.lang.*; import java.applet.*; public class exitTest extends Applet { public void paint(Graphics g) { try { Runtime.getRuntime().exit(-1); } catch (SecurityException e) { g.drawString("Caught security exception trying to quit", 10, 10); } } } COSC 4301 - Assignment 3 - Part 1

  24. Examples Conclusion: An applet can't kill the browser that loaded it, unless you load the applet from a directory on your CLASSPATH. For further examples please visit http://java.sun.com/sfaq/#examples COSC 4301 - Assignment 3 - Part 1

  25. Conclusion In order for a program to be useful, it needs to access certain resources. Therefore, the key is not to deny all access but rather to provide secured access in a controlled environment. Though Java is not yet perfected, it’s features and properties have allowed for a good balance of power and security. COSC 4301 - Assignment 3 - Part 1

  26. Questions ... THANK YOU! COSC 4301 - Assignment 3 - Part 1

  27. References • Flanagan, David. Java in a Nutshell. 2nd Ed. O’Reilly, California, 1997 • Bank, Joseph. Java Security.http://swissnet.ai.mit.edu/~jbank/javapaper/javapaper.html. 11 March 2004 • Venners, Bill. Security and the class loader architecutre. http://www.javaworld.com/javaworld/jw-09-1997/jw-09-hood_p.html. 27 March 2004 • Applet Security. http://java.sun.com/sfaq. 27 March 2004. COSC 4301 - Assignment 3 - Part 1

More Related