1 / 36

David Evans cs.virginia/evans

Lecture 19: Security in Java Real or Decaf?. David Evans http://www.cs.virginia.edu/evans. (Duke suicide picture by Gary McGraw.). CS201j: Engineering Software University of Virginia Computer Science. Java  : Programming Language.

kim
Télécharger la présentation

David Evans cs.virginia/evans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 19: Security in Java Real or Decaf? David Evans http://www.cs.virginia.edu/evans (Duke suicide picture by Gary McGraw.) CS201j: Engineering Software University of Virginia Computer Science

  2. Java : Programming Language “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]    CS 201J Fall 2003

  3. What is a secure programming language? • Language is designed so it cannot express certain computations considered insecure. • Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run-time environment instead of leading to security vulnerabilities. A few attempt to do this: PLAN, packet filters CS 201J Fall 2003

  4. Safe Programming Languages • Type Safety • Compiler and run-time environment ensure that bits are treated as the type they represent • Memory Safety • Compiler and run-time environment ensure that program cannot access memory outside defined storage • Control Flow Safety • Can’t jump to arbitrary addresses Which of these does C/C++ have? Is Java the first language to have them? No way! LISP had them all in 1960. CS 201J Fall 2003

  5. Java Safety • Type Safety • Most types checked statically • Coercions, array assignments type checked at run time • Memory Safety • No direct memory access (e.g., pointers) • Primitive array type with mandatory run-time bounds checking • Control Flow Safety • Structured control flow, no arbitrary jumps CS 201J Fall 2003

  6. Malicious Code Can a safe programming language protect you from malcode? • Code your servers in it to protect from buffer overflow bugs • Only allow programs from untrustworthy origins to run if the are programmed in the safe language CS 201J Fall 2003

  7. Safe Languages? • But how can you tell program was written in the safe language? • Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) • Special compilation service cryptographically signs object files generated from the safe language (SPIN, [Bershad96]) • Verify object files preserve safety properties of source language (Java) CS 201J Fall 2003

  8. Joe User JVML malcode.java Java Source Code malcode.class JVML Object Code javac Compiler JavaVM Joe wants to know JVML code satisfies Java’s safety properties. CS 201J Fall 2003

  9. No! This code violates Java’s type rules. Does JVML satisfy Java’s safety properties? iconst_2 push integer constant 2 on stack istore_0 store top of stack in variable 0 as int aload_0 load object reference from variable 0 CS 201J Fall 2003

  10. Running Mistyped Code .method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return .end method > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type CS 201J Fall 2003

  11. Trusted Computing Base Joe User Bytecode Verifier malcode.class JVML Object Code Java Bytecode Verifier Invalid “Okay” STOP JavaVM CS 201J Fall 2003

  12. Bytecode Verifier • Checks class file is formatted correctly • Magic number: class file starts with 0xCAFEBABE • String table, code, methods, etc. • Checks JVML code satisfies safety properties • Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once CS 201J Fall 2003

  13. Verifying Safety Properties • Type safe • Stack and variable slots must store and load as same type • Memory safe • Must not attempt to pop more values from stack than are on it • Doesn’t access private fields and methods outside class implementation • Control flow safe • Jumps must be to valid addresses within function, or call/return CS 201J Fall 2003

  14. Running Mistyped Code .method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return .end method > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type CS 201J Fall 2003

  15. Running Mistyped Code .method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return .end method > java –noverify Simple result: 5 CS 201J Fall 2003

  16. Running Mistyped Code .method public static main([Ljava/lang/String;)V … ldc 201 istore_0 aload_0 iconst_2 iconst_3 iadd … return .end method > java –noverify Simple Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB Function=JVM_FindSignal+0x1105F Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll Current Java thread: at Simple.main(Simple.java:7) … # # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION # Error ID : 4F530E43505002EF # Please report this error at # http://java.sun.com/cgi-bin/bugreport.cgi # # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode) CS 201J Fall 2003

  17. Joe User Java javac Compiler malcode.java malcode.class JVML Trusted Computing Base Java Bytecode Verifier Invalid “Okay” STOP JavaVM CS 201J Fall 2003

  18. JavaVM • Virtual machine – interpreter for JVML programs • Has complete access to host machine • Bytecode verifier ensures some safety properties, JavaVM must ensure rest: • Type safety of run-time casts, array assignments • Memory safety: array bounds checking • Resource use policy CS 201J Fall 2003

  19. Reference Monitors CS 201J Fall 2003

  20. Monitor Speakers Network Disk Memory SuperSoaker 2000 Program Execution Program CS 201J Fall 2003

  21. Monitor Speakers Network Disk Memory SuperSoaker 2000 Program Execution Reference Monitor Program CS 201J Fall 2003

  22. Ideal Reference Monitor • Sees everything a program is about to do before it does it • Can instantly and completely stop program execution (or prevent action) • Has no other effect on the program or system Can we build this? Probably not unless we can build a time machine... CS 201J Fall 2003

  23. most things limited Real Ideal Reference Monitor • Sees everything a program is about to do before it does it • Can instantly and completely stop program execution (or prevent action) • Has no other effect on the program or system CS 201J Fall 2003

  24. Operating Systems • Provide reference monitors for most security-critical resources • When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file • Doesn’t allow different policies for different programs • No flexibility over what is monitored • OS decides for everyone • Hence, can’t monitor inexpensive operations CS 201J Fall 2003

  25. Java Security Manager • (Non-Ideal) Reference monitor • Limits how Java executions can manipulate system resources • User/host application creates a subclass of SecurityManager to define a policy CS 201J Fall 2003

  26. JavaVM Policy Enforcment [JDK 1.0 – JDK 1.1] From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); } checkDelete throws a SecurityExecption if the delete would violate the policy (re-thrown by delete) What could go seriously wrong with this?! CS 201J Fall 2003

  27. HotJava’s Policy (JDK 1.1.7) public class AppletSecurity extends SecurityManager { ... public synchronized void checkDelete(String file) throws Security Exception { checkWrite(file); } } CS 201J Fall 2003

  28. Note: no checking if not inApplet! Very important this does the right thing. AppletSecurity.checkWrite(some exception handling code removed) public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); } } CS 201J Fall 2003

  29. inApplet boolean inApplet() { return inClassLoader(); } Inherited from java.lang.SecurityManager: protected boolean inClassLoader() { return currentClassLoader() != null; } CS 201J Fall 2003

  30. currentClassLoader /** Returns an object describing the most recent class loader executing on the stack. Returns the class loader of the most recent occurrence on the stack of a method from a class defined using a class loader; returns null if there is no occurrence on the stack of a method from a class defined using a class loader. */ protected native ClassLoader currentClassLoader(); CS 201J Fall 2003

  31. Recap • java.io.File.delete calls SecurityManager.checkDelete before deleting • HotJava overrides SecurityManager with AppletSecurity to set policy • AppletSecurity.checkDelete calls AppletSecurity.checkWrite • AppletSecurity.checkWrite checks if any method on stack has a ClassLoader • If not no checks; if it does, checks ACL list CS 201J Fall 2003

  32. JDK 1.0 Trust Model • When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) • When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader CS 201J Fall 2003

  33. JDK Evolution • JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader • JDK 1.2: • Different classes can have different policies based on ClassLoader • Explict enable/disable/check privileges • SecurityManager is now AccessController CS 201J Fall 2003

  34. What can go wrong? • Java API doesn’t call right SecurityManager checks (63 calls in java.*) • Font loading bug, synchronization • ClassLoader is tricked into loading external class as internal • Bug in Bytecode Verifier can be exploited to circumvent SecurityManager • Policy is too weak (allows damaging behavior) • Next class: how to break everything with a hair dryer! CS 201J Fall 2003

  35. Hostile Applets • See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month) • Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations) • Don’t try these until you finish PS5: http://www.cigital.com/hostile-applets/index.html CS 201J Fall 2003

  36. Charge • PS5 Due Tuesday • Two options for turning in PS5: read the notes carefully If your program works, you do not need to turn in a printout of all your code. CS 201J Fall 2003

More Related