COSC 4301 - Assignment 3 - Part 1: Java Security
Susan Kovacs
19 April 2019


Topics of Discussion
- Why is security an issue?
- Types of security breaches
- Java's approach: the Language, the Libraries, Browsers
- Conclusion

Why is security an issue?

What is an applet? A Java program that is run from inside a web browser. The HTML page loaded into the web browser contains an <applet> tag, which tells the browser where to find the Java .class files. For example:

    appletviewer http://foo.com/~jo/coolApplet.html

Speaker notes: Ask if anyone can define what an applet is. Explain what it is. Example. Ask why we use applets. Answer: executable content. Define executable content: the idea of sending around data that is actually code to be executed. This is exciting because it provides power and expressiveness. HTML tags and scripts that run on servers are extremely limited. Java's portability property makes it the perfect candidate.

Why is security an issue?

The class files for an applet are automatically downloaded when a user goes to the containing Web page in a browser. It is therefore likely that a user will encounter applets from untrusted sources. Without any security, this would be a convenient way to spread viruses.

Types of breaches
- Integrity Attacks
- Availability Attacks
- Disclosure Attacks
- Annoyance Attacks

Types of breaches: Integrity Attacks
- Deletion / modification of files
- Modification of memory currently in use
- Killing processes / threads

Types of breaches: Availability Attacks
- Allocating large amounts of memory
- Creating thousands of windows
- Creating high-priority processes / threads

Types of breaches: Disclosure Attacks
- Mailing information about your machine, such as /etc/passwd
- Sending personal or company files to an adversary or competitor over the network

Types of breaches: Annoyance Attacks
- Displaying obscene pictures on your screen
- Playing unwanted sounds over your computer

Java's Approach ...
- The Language
- The Libraries
- Browsers

The Language
- Access control
- Type-safe
- Absence of pointers
- Garbage collection
- Packages

The Language: Access control

Access to methods and variables is controlled via the keywords public, private and final. For example, the File object has a public method that can be called by anyone and a low-level private method; the public method first performs security checks and then calls the private method. final prevents a malicious programmer from subclassing a critical library class or overriding the methods of a class.

The Language: Type-safe

The compile-time type and run-time type of variables are guaranteed to be compatible. This prevents the forging of access to objects to get around access control. File example: it prevents malicious code from casting a File object to the malicious code's own MyFile type, which has the same layout as the File type but with all methods public.
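The two slides above (the public-check-then-private pattern and the refused cast) in one runnable program. This is an added example, not code from the slides: GuardedResource stands in for File, LookAlike for MyFile, and the "admin" caller check is a constructed stand-in for the real security check.

```java
// Added example (not from the slides): GuardedResource plays the role of java.io.File,
// LookAlike plays MyFile, and the "admin" caller test is a constructed stand-in for a
// real security check.
public final class GuardedResource {          // final: no subclass can override delete()
    private final String name;

    public GuardedResource(String name) { this.name = name; }

    // Public entry point: performs the policy check first, then delegates.
    public boolean delete(String caller) {
        if (!"admin".equals(caller)) {
            throw new SecurityException(caller + " may not delete " + name);
        }
        return delete0();
    }

    // Low-level operation. Private, so it can only be reached through delete().
    private boolean delete0() {
        System.out.println("deleting " + name);
        return true;
    }

    public static void main(String[] args) {
        GuardedResource r = new GuardedResource("/tmp/report.txt");   // constructed path
        try {
            r.delete("guest");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println("admin ok: " + r.delete("admin"));

        // Type safety: LookAlike has exactly the same field layout as GuardedResource
        // but exposes delete0() publicly. javac rejects (LookAlike) r outright because
        // the classes are unrelated; laundering the reference through Object compiles,
        // and the JVM's checkcast then throws at run time, so the layout trick fails.
        Object laundered = r;
        try {
            LookAlike fake = (LookAlike) laundered;
            fake.delete0();   // never reached
        } catch (ClassCastException e) {
            System.out.println("cast refused: " + e.getMessage());
        }
    }
}

// Same field layout as GuardedResource, but the low-level method is public.
final class LookAlike {
    private final String name;
    LookAlike(String name) { this.name = name; }
    public boolean delete0() { return true; }
}
```

Compile and run with `javac GuardedResource.java && java GuardedResource`; the "guest" call is denied by the public method, the "admin" call reaches delete0(), and the cast ends in ClassCastException even though the two classes have identical layouts.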

The Language: Absence of pointers

Pointers cannot be directly manipulated by user code. This prevents both malicious and accidental misuse of pointers.

The Language: Garbage collection

Manual deallocation provides a round-about way of illegally casting. Java uses garbage collection to recover unused memory instead of relying on explicit user deallocation. Example of what explicit deallocation would allow:
- malicious code creates a new object of type MyFile, then deallocates the memory used by that object while keeping the pointer;
- malicious code creates a File object, which has the same size;
- the new pointer can be made to be the same as the MyFile pointer;
- malicious code can now access the private methods of the File object.

The Language: Packages

Provide namespace encapsulation. Prevent downloaded code from shadowing system library code with malicious code. Useful because they allow downloaded code to be easily distinguished from local code. Java guarantees that when a class is referenced, the system first looks in the local namespace and then in the namespace of the referencing class.

The Libraries
- Security Manager
- Class Loader

The Libraries: Security Manager

Contains methods which are intended to be called to check specific types of actions. It is intended to be subclassed and used to instantiate the desired security policy.

Speaker notes: Library code for a potentially dangerous system resource will consult the security manager. Examples: see sheet.

The Libraries: Security Manager

Example (java.io.File as sketched on the slide; mkdir0 is the private low-level method that does the actual work):

    public boolean mkdir(String path) throws IOException {
        // Ask the installed policy first. checkWrite throws SecurityException if the
        // policy forbids writing to this path, so mkdir0 is never reached in that case.
        SecurityManager security = System.getSecurityManager();
        if (security != null) {
            security.checkWrite(path);
        }
        // Only after the check passes does the private low-level operation run.
        return mkdir0(path);
    }
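The other half of the mkdir() fragment is the subclass that supplies the policy checkWrite consults. The program below, added here and not part of the slides, installs one: writes are allowed only under a single sandbox directory, and System.exit() is refused. SandboxManager, the sandbox directory and the helper names are constructed for this illustration. It runs unchanged on JDK 8 to 17; JDK 18 to 23 require the JVM flag -Djava.security.manager=allow, and JDK 24 removed the ability to install a SecurityManager at all.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.Permission;

// Added example (not from the slides). SandboxManager and the helper names are
// constructed; the policy it encodes is: file writes only under one directory,
// and no System.exit().
public class SandboxPolicyDemo {

    static final class SandboxManager extends SecurityManager {
        private final String root;   // absolute sandbox path, with trailing separator

        SandboxManager(File root) { this.root = root.getAbsolutePath() + File.separator; }

        @Override
        public void checkWrite(String file) {   // what File.mkdir() and FileOutputStream call
            if (!new File(file).getAbsolutePath().startsWith(root)) {
                throw new SecurityException("write outside sandbox: " + file);
            }
        }

        @Override
        public void checkExit(int status) {     // what Runtime.exit() calls
            throw new SecurityException("exit(" + status + ") is not allowed");
        }

        // Everything else is permitted; a real policy would enumerate permissions here.
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }
    }

    // Returns true if the directory was created, false if the policy refused.
    static boolean tryMkdir(File dir) {
        try {
            return dir.mkdir();
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
            return false;
        }
    }

    // Returns true if the policy stopped the exit (had it not, the JVM would be gone).
    static boolean tryExit() {
        try {
            System.exit(0);
            return false;    // not reached
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Create the sandbox before the manager is installed, since that too is a write.
        File sandbox = Files.createTempDirectory("sandbox").toFile();
        System.setSecurityManager(new SandboxManager(sandbox));

        System.out.println("inside sandbox:  " + tryMkdir(new File(sandbox, "ok")));
        System.out.println("outside sandbox: " + tryMkdir(new File(sandbox.getParentFile(), "not-ok")));
        System.out.println("exit stopped:    " + tryExit());
    }
}
```

The first mkdir succeeds, the second is refused by checkWrite before File.mkdir() touches the file system, and System.exit() is turned into a catchable SecurityException; overriding checkPermission to allow everything else is what keeps the demo short, and is the part a real policy must not copy.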

The Libraries: Class Loader

Class loaders are responsible for importing binary data that defines the running program's classes and interfaces. Two types: primordial and object.

Speaker notes: To make applets as portable as possible, the Java compiler doesn't compile to machine code but only to bytecode; that is what the class loader deals with. Difference between primordial and object: the primordial loader is part of the JVM implementation and there is only one of them; class loader objects are written in Java, compiled into class files, loaded into the virtual machine and instantiated. All applet windows come up with a warning because they are not trusted, and they are not trusted because they were loaded by an object class loader.

The Libraries: Class Loader

Due to the JVM's approach to loading classes, classes can by default only see other classes that were loaded by the same class loader. This allows for multiple namespaces inside a single Java application.
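A demonstration of the namespace point above and of the Packages slide's claim that downloaded code cannot shadow system library code. This is an added example, not code from the slides: two object class loaders load the same class name into separate namespaces, delegation keeps java.lang.String under the primordial loader, and an attempt to define a class in a java.* package is refused. The Greeter source, the loader names and the temporary directory are constructed for this illustration; it needs a JDK (for javax.tools) at version 11 or later.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

// Added example (not from the slides). Greeter, SpoofLoader and the temp directory
// are constructed for this illustration; it requires a JDK 11+ so javax.tools is present.
public class LoaderNamespaces {

    // Sample class compiled at run time so the example has no external files.
    static final String GREETER_SOURCE =
        "public class Greeter { public String hi() { return \"hi\"; } }";

    // A loader that exposes defineClass so we can watch the JVM reject java.* names.
    static final class SpoofLoader extends ClassLoader {
        SpoofLoader() { super(null); }
        Class<?> define(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    static Path compileGreeter() throws Exception {
        Path dir = Files.createTempDirectory("loaderdemo");
        Path src = dir.resolve("Greeter.java");
        Files.writeString(src, GREETER_SOURCE);
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("javax.tools needs a JDK, not a JRE");
        if (javac.run(null, null, null, src.toString()) != 0) {
            throw new IllegalStateException("compilation of Greeter failed");
        }
        return dir;   // Greeter.class now sits next to Greeter.java
    }

    public static void main(String[] args) throws Exception {
        URL[] classpath = { compileGreeter().toUri().toURL() };

        // Two independent object class loaders; parent null means "delegate to the
        // primordial (bootstrap) loader only".
        ClassLoader a = new URLClassLoader(classpath, null);
        ClassLoader b = new URLClassLoader(classpath, null);
        Class<?> greeterA = a.loadClass("Greeter");
        Class<?> greeterB = b.loadClass("Greeter");
        Object fromB = greeterB.getDeclaredConstructor().newInstance();

        // Same name, same bytes, but two distinct types: one namespace per loader.
        System.out.println("same Class object:     " + (greeterA == greeterB));      // false
        System.out.println("A's type accepts B's:  " + greeterA.isInstance(fromB)); // false

        // Delegation: java.lang.String always resolves to the bootstrap loader's copy,
        // so a loader with its own class path cannot substitute a different String.
        System.out.println("String from bootstrap: "
            + (a.loadClass("java.lang.String") == String.class));                   // true

        // Shadowing a system package outright is refused before the bytes are parsed.
        try {
            new SpoofLoader().define("java.lang.Evil", new byte[0]);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());   // Prohibited package name: java.lang
        }
    }
}
```

Run with `javac LoaderNamespaces.java && java LoaderNamespaces`. The empty byte array in the last step is deliberate: the name check happens in ClassLoader before the class file is parsed, which is why the result is a SecurityException rather than a ClassFormatError.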

Browsers

The Web browser defines and implements a security policy for running downloaded Java code. A Java-enabled web browser includes:
- a Java interpreter and runtime libraries
- classes to implement a Security Manager
- various Class Loaders

It is in the browser that the class loaders and security managers become crucial.

Examples

    import java.awt.*;
    import java.io.*;
    import java.lang.*;
    import java.applet.*;

    public class exitTest extends Applet {
        public void paint(Graphics g) {
            try {
                // An untrusted applet asking the JVM to exit: the browser's
                // SecurityManager.checkExit refuses, so the call throws instead.
                Runtime.getRuntime().exit(-1);
            } catch (SecurityException e) {
                g.drawString("Caught security exception trying to quit", 10, 10);
            }
        }
    }

Examples

Conclusion: An applet can't kill the browser that loaded it, unless you load the applet from a directory on your CLASSPATH. For further examples please visit http://java.sun.com/sfaq/#examples

Conclusion

In order for a program to be useful, it needs to access certain resources. Therefore, the key is not to deny all access but rather to provide secured access in a controlled environment. Though Java is not yet perfected, its features and properties have allowed for a good balance of power and security.

Questions ... THANK YOU!

References
- Flanagan, David. Java in a Nutshell. 2nd ed. O'Reilly, California, 1997.
- Bank, Joseph. Java Security. http://swissnet.ai.mit.edu/~jbank/javapaper/javapaper.html. 11 March 2004.
- Venners, Bill. Security and the class loader architecture. http://www.javaworld.com/javaworld/jw-09-1997/jw-09-hood_p.html. 27 March 2004.
- Applet Security. http://java.sun.com/sfaq. 27 March 2004.