Evaluating the Flexibility of the Java Sandbox

Slides:



Advertisements
Similar presentations
Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Advertisements

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Java security (in a nutshell)
Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
An Evaluation of the Google Chrome Extension Security Architecture
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Bilkent University Department of Computer Engineering
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
An Approach to Safe Object Sharing Ciaran Bryce & Chrislain Razafimahefa University of Geneva, Switzerland.
Chapter 14: Protection.
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
A Conservative Algorithm for Computing the Flow of Permissions in Java Programs Gleb Naumovich Polytechnic University Brooklyn, USA Presented by David.
Unit Testing & Defensive Programming. F-22 Raptor Fighter.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
Announcements Assignment 3 due. Invite friends, co-workers to your presentations. Course evaluations on Friday.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
Problem of the Day  Why are manhole covers round?
Encapsulation COMP 401, Fall 2014 Lecture 06 9/4/2014.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation.
Protection Nadeem Majeed Choudhary
Jaas Introduction. Outline l General overview of Java security Java 2 security model How is security maintained by Java and JVM? How can a programmer.
Chapter 1 Introduction. Chapter Goals To understand the activity of programming To learn about the architecture of computers To learn about machine code.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Android Permissions Demystified
A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아.
Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Conclusion.
Saurav Karmakar. Chapter 14: Protection  Goals of Protection  Principles of Protection  Domain of Protection  Access Matrix  Implementation of Access.
Application Communities
More Security and Programming Language Work on SmartPhones
PROTECTION.
Operating Systems Protection Alok Kumar Jagadev.
Chapter 14: System Protection
Chapter 1 Introduction to Computers, Programs, and Java
Operating System Concepts
CS1101X Programming Methodology
Chapter 8 – Software Testing
Testing and Debugging.
Java security (in a nutshell)
Topic: Java Security Models
Chapter 14: Protection.
Chapter 14: Protection.
Setting Up and Supporting Clients Using Employee Development in ADP Workforce Now [Developer: Use this slide if you are not using audio. You can add.
Chapter 14: Protection.
Object-Oriented Design
Chapter 14: Protection.
Building Systems That Flexibly Control Downloaded Executable Content
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Introducing Java.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Chapter 14: Protection.
Java Remote Method Invocation
White Box testing & Inspections
Chapter 14: Protection.
Presentation transcript:

Evaluating the Flexibility of the Java Sandbox By: Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, and Joshua Sunshine Maybe add a basic description of the sandbox before the motivation section. And then motivate the study more instead of the tool. Why do we want to see if people are using the sandbox correctly? At some point, go back through slides and remove unnecessary titles

Motivation Kaspersky Security Bulletin 2014 This side should hint at what you want messages you want to get across to the audience, or you should break it into another slide which covers the benefits of our approach (mabye new slide 4). Consider the headlines from a previous presentation. Kaspersky Security Bulletin 2014

Java Sandbox Untrusted Java Applications But Java has a sandbox to encapsulate untrusted applications from the rest of the computer

How is the Java sandbox actually used? Li Gong, the primary designer of the Java security architecture stated he didn’t know how extensively the “fined grained access control mechanism” (i.e. the Java sandbox) is used. [ACSAC 2009 Keynote]

Importance of investigating how security tools are used in practice Design more intuitive security mechanisms Possible language features Differentiate between malicious and benign code

Sandbox Example Sandboxed Socket Application SecurityManager Policy connect(“internal.auth:80”) checkConnect(“internal.auth”, 80) SecurityManager checkPermission(...) Policy AccessController implies(...) Allowed?     ✗SecurityException ✓ Do Nothing

Turn off Sandbox Example Sandboxed Application System.setSecurityManager(null) Allowed?     ✗SecurityException Sandbox Removed

Study In this work, we investigated how benign open source Java programs interact with the Java sandbox to: Characterize sandbox interactions Detect malicious applications Understand developer difficulties with the sandbox May need to change the last bullet later

Research Question How do benign open source Java applications interact with the security manager?

Possible Answers Four non-disjoint possibilities for all benign applications: Benign applications never disable the security manager. Benign applications never weaken a set security manger Benign applications do not change a set security manager Benign applications never modify the security manager if a self protecting security manager is set.

Not Self-protecting Permissions Risky Permissions RuntimePermission(“setSecurityManager") ReflectPermission(“suppressAccessChecks") RuntimePermission(“createClassLoader") SecurityPermission(“setPolicy") FilePermission(“<<ALL FILES>>", “write, execute") RuntimePermission(“accessClassInPackage.sun") SecurityPermission(“setProperty.package.access")

Methodology Collect large corpus of benign Java applications that use or interact with the security manager. Static analysis to trace where the Security Manager was set and initialized Manual code inspection (two annotators, check for agreement). Dynamic Analysis to verify sandbox interactions Goal: completely understand how benign applications interact with the security manager. Say rigorous

Qualitas Corpus Qualitas Corpus: 24 out of 112 Programs

Security Manager Interaction Classification Type of Benign Interaction Qualitas Corpus GitHub Total Sets a self-protecting manager 6 1 7 Changes set manager 5 3 8 Supports being sandboxed 10 13 Interacts only in unit tests 28/36 (78%) never change the sandbox settings once the settings are initially set

Possible Answers Four Possibilities: Benign applications never disable the security manager. Benign applications never weaken a set security manger Benign applications do not change a set security manager Benign applications never modify the security manager if a self protecting security manager is set.

Research Question Evaluation Benign applications do disable the security manager. Benign applications do weaken a set security manger Benign applications do change a set security manager Benign applications never modify the sandbox if a self protecting security manager is set.

Examples of Disabling the Security Manager package jtimelag; public class JTimelag { public static void main(String[] args) { System.setSecurityManager(null); Fenetre fen = new Fenetre(); fen.setVisible(true); } } Make diagram for system.exit

Not Sandboxed Requirement "//TODO Hack so that when the classloader loading the fwk is created we don't have funny permissions. This should be revisited." [ ]

Eclipse JVM

Eclipse Ant JVM

Enforcing Architectural Constraints Eclipse System.exit() Ant JVM

Weakening the Security Manager? Permission List Forbidden List vs. Using the sandbox as a blacklist instead of a whitelist (stating what is allowed instead of what is not allowed). Look up what Freemind allowed or didn’t allow.

<permissions> <grant class=”java. security <permissions> <grant class=”java.security.AllPermission”/> <revoke class=“java.util.PropertyPermission”/> [https://ant.apache.org/manual/Types/permissions.html]

Takeaways from empirical study Applications interact with the sandbox for non security related reasons Harder to design exploit mitigations Sandbox complexity and flexibility leads to insecurity A majority of applications in the dataset (78%) never change the security manager if a self-protecting security manager is set

Can we differentiate benign and malicious applications? Empirical validation

Detection Rules Privilege Escalation Rule: If a self-protecting security manager is set, a class cannot load a more privileged class. Security Manager Rule: Once a self-protecting security manager is set, the manager cannot change

Validation Results CVE-ID Privilege Escalation Security Manager 2011-3544 Attack Succeeded Attack Blocked 2012-0507 2012-4681 2012-5076 2013-0422 2013-0431 2013-1488 2013-2423 2013-2460 2013-2465 Say to exlude JNTI exploits

Conclusion – Importance of Investigating Security Tools Improve security mechanisms: Java’s flexibility and complexity leads to misuse. Possible language features: People use the security manager for non-security reasons, such as preventing sub-applications from exiting; Java would benefit from supporting these features separately. Differentiate malicious and benign code: a language-level tool that notices when privilege escalation/weakening of security manager occurs could catch future exploits.