1 cs205: engineering software university of virginia fall 2006 Running Untrustworthy Code Project team requests: extended until 11pm tonight.

Slides:



Advertisements
Similar presentations
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Advertisements

Java Security John Mitchell CS 242 Reading: Chapter 13 (+Slides contain additional material) 2008.
Java Applet Security Diana Dong CS 265 Spring 2004.
Java security (in a nutshell)
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
COEN 351: E-Commerce Security
Copyright © 2001 Qusay H. Mahmoud Case Study A Global Compute Engine Here we will discuss some implementation details: – Class Loaders – Compute Engine.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.
Security CS-328. The need for security In most of the programming classes that we’ve taken the emphasis has always been on getting the “job” done and.
Lab#1 (14/3/1431h) Introduction To java programming cs425
Remote Method Invocation
Security: Lessons Learned and Missed from Java Nathanael Paul David Evans University of Virginia ACSAC 2004.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
CSE 451: Operating Systems Winter 2012 Processes Mark Zbikowski Gary Kimura.
Principles of Computer Programming (using Java) Review Haidong Xue Summer 2011, at GSU.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or.
Composition and Evolution of Operating Systems Introduction to Operating Systems: Module 2.
Announcements Assignment 3 due. Invite friends, co-workers to your presentations. Course evaluations on Friday.
Recitation 4 Abstract classes, Interfaces. A Little More Geometry! Abstract Classes Shape x ____ y ____ Triangle area() base____ height ____ Circle area()
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
1 cs205: engineering software university of virginia fall 2006 Forgiveness and Permissions.
BEGINNING PROGRAMMING.  Literally – giving instructions to a computer so that it does what you want  Practically – using a programming language (such.
JAVA COURSE 1 Computer Engineering Association. Compile your first program Public class Hello{ public class Hello(){ System.out.println(“Hello”); } puclic.
Fall 2002CS 150: Intro. to Computing1 Streams and File I/O (That is, Input/Output) OR How you read data from files and write data to files.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Jaas Introduction. Outline l General overview of Java security Java 2 security model How is security maintained by Java and JVM? How can a programmer.
Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the Java Security Model Discuss each of the components.
Policy-Directed Code Safety David Evans April 1999 Software Devices and Systems MIT Lab for Computer Science.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 18: Malcode Countermeasures.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
I/O Software CS 537 – Introduction to Operating Systems.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 21: Countering Malicious Code.
Cs205: engineering software university of virginia fall 2006 Programming Exceptionally David Evans
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
RealTimeSystems Lab Jong-Koo, Lim
Variable Scope & Lifetime
Introduction to Operating Systems Concepts
CS216: Program and Data Representation
Remote Method Invocation
Java security (in a nutshell)
Introduction Enosis Learning.
Topic: Java Security Models
Modularity and Memory Clearly, programs must have access to memory
Introduction Enosis Learning.
CS216: Program and Data Representation
Lecture 18: Java™ Decaffeinated CS551: Security and Privacy
Java Byte Codes (0xCAFEBABE) cs205: engineering software
null, true, and false are also reserved.
Security in Java Real or Decaf? cs205: engineering software
Exceptions Control Flow
Lecture 18: Deep C Garbage Collection CS201j: Engineering Software
Lecture 17: Defeating Malcode (Shameless Self-Promotion) Background
COSC Assignment 3 - Part 1 Java Security Susan Kovacs 19 April 2019 COSC Assignment 3 - Part 1.
Dynamic Exchange of Capabilities Between Mobile Agents
Function of Operating Systems
In Today’s Class.. General Kernel Responsibilities Kernel Organization
Outline Introduction Memory protection Buffer overflows
Presentation transcript:

1 cs205: engineering software university of virginia fall 2006 Running Untrustworthy Code Project team requests: extended until 11pm tonight

2 cs205: engineering software Demos Thunderhammer Mumps

3 cs205: engineering software How should we run code from untrusted sources?

4 cs205: engineering software Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network

5 cs205: engineering software Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network Reference Monitor

6 cs205: engineering software Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Can we build this? Probably not unless we can build a time machine...

7 cs205: engineering software Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Real most things limited

8 cs205: engineering software Operating Systems Provide reference monitors for most security-critical resources –When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file Doesn’t allow different policies for different programs No flexibility over what is monitored –OS decides for everyone –Hence, can’t monitor inexpensive operations

9 cs205: engineering software Java Security Manager (Non-Ideal) Reference monitor –Limits how Java executions can manipulate system resources User/host application creates a subclass of SecurityManager to define a policy

10 cs205: engineering software JavaVM Policy Enforcment From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); } [JDK 1.0 – JDK 1.1] What could go seriously wrong with this?! checkDelete throws a SecurityExecption if the delete would violate the policy (re-thrown by delete)

11 cs205: engineering software HotJava’s Policy (JDK 1.1.7) public class AppletSecurity extends SecurityManager {... public synchronized void checkDelete(String file) throws Security Exception { checkWrite(file); }

12 cs205: engineering software AppletSecurity.checkWrite (some exception handling code removed) public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); } Note: no checking if not inApplet! Very important this does the right thing.

13 cs205: engineering software inApplet boolean inApplet() { return inClassLoader(); } Inherited from java.lang.SecurityManager : protected boolean inClassLoader() { return currentClassLoader() != null; }

14 cs205: engineering software currentClassLoader /** Returns an object describing the most recent class loader executing on the stack. Returns the class loader of the most recent occurrence on the stack of a method from a class defined using a class loader; returns null if there is no occurrence on the stack of a method from a class defined using a class loader. */ protected native ClassLoader currentClassLoader();

15 cs205: engineering software Recap java.io.File.delete calls SecurityManager.checkDelete before deleting HotJava overrides SecurityManager with AppletSecurity to set policy AppletSecurity.checkDelete calls AppletSecurity.checkWrite AppletSecurity.checkWrite checks if any method on stack has a ClassLoader If not, no checks; if it does, checks ACL list

16 cs205: engineering software JDK 1.0 Trust Model When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader

17 cs205: engineering software JDK Evolution JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader JDK 1.2: –Different classes can have different policies based on ClassLoader –Explict enable/disable/check privileges –SecurityManager is now AccessController

18 cs205: engineering software Policy and Mechanism AccessController provides a mechanisms for enforcing a security policy –Can insert checking code before certain operations are allowed A security policy determines what the checking code allows

19 cs205: engineering software Charge Next classes: understanding byte codes and the byte code verifier Remember to send me your team requests if you have them Start thinking about project ideas and teams – project ideas due Wednesday

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.