COEN 351: E-Commerce Security


COEN 351: E-Commerce Security: Java Security Model

Java Security Model: High-level Features
Platform Security: built-in language security features enforced by the Java compiler and virtual machine:
- Strong data typing
- Automatic memory management
- Bytecode verification
- Secure class loading
Cryptography: a comprehensive API for
- digital signatures
- message digests
- ciphers (symmetric, asymmetric, stream and block)
- message authentication codes
- key generators and key factories
- Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
- PKCS#11 cryptographic token support

Java Security Model: High-level Features
Authentication and Access Control:
- Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture.
- A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources.

Java Security Model: High-level Features
Secure Communications: APIs and implementations of
- Transport Layer Security (TLS), Secure Sockets Layer (SSL)
- Kerberos (accessible through GSS-API)
- Simple Authentication and Security Layer (SASL)
- Support for HTTPS over SSL/TLS.

Java Security Model: High-level Features
Public Key Infrastructure (PKI): tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms:
- Certificates and Certificate Revocation Lists (CRLs): X.509
- Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)
- KeyStores: PKCS#11, PKCS#12
- Certificate Stores (Repositories): LDAP, java.util.

Java 2 Platform Security
- The language is type-safe and easy to use (so that mistakes are less likely). Done with language features such as:
  - Automatic memory management
  - Garbage collection
  - Range checking on strings and arrays
- Code is executed in the Java Virtual Machine (JVM). The JVM simulates execution of Java bytecode.
  - Compiler and bytecode verifier ensure that only legitimate Java bytecodes are executed.
  - Bytecode verifier and JVM guarantee language safety at run time.
- The classloader defines a local name space: an untrusted applet cannot interfere with the running of other programs.
- The JVM mediates access to crucial system resources.
- The SecurityManager class restricts the actions of Java code.

Java 2 Platform Security: Original Sandbox Model
- Code is executed in the Java Virtual Machine (JVM). The JVM simulates execution of Java bytecode.
- The sandbox model allows code to run in a very restricted environment.
- Local code, however, has full access to valuable system resources.

Java 2 Platform Security: JDK 1.1 "Signed Applet"
- A correctly signed applet is treated as a trusted applet.
- Applets and signatures are delivered in the JAR (Java Archive) format.
- Untrusted applets run in the sandbox.

Java 2 Platform Security
- Fine-grained access control. Previously, the application writer had to do substantial programming (e.g., by subclassing and customizing the SecurityManager and ClassLoader classes). The HotJava browser 1.0 allows the user to choose from a small number of different security levels.
- Easily configurable security policy.
- Easily extensible access control structure.
- Extension of security checks to all Java programs, including applications as well as applets.
- Trust of local code is no longer a built-in concept.

Java 2 Platform Security

Java 2 Platform Security: Protection Domains
- Set of objects that are currently directly accessible by a principal.
- A principal is an entity in the computer system to which permissions are granted.
- Serves to group and to isolate between units of protection.
- Protection domains are either system domains or application domains.
- Example: the JDK 1.0 sandbox is a protection domain.

Java 2 Platform Security: Protection Domains

Java 2 Platform Security: Protection Domains
- A domain conceptually encloses a set of classes whose instances are granted the same set of permissions.
- Protection domains are determined by the policy currently in effect.
- The Java application environment maintains a mapping from code (classes and instances) to their protection domains and then to their permissions.

Java 2 Platform Security: Protection Domains

Java 2 Platform Security: Protection Domains
- A Java thread can execute entirely within a single protection domain.
- It can also involve an application domain and a system domain. Examples:
  - An application prints out a message: it needs to interact with the system domain that is the access point to an output stream.
  - The AWT system domain calls an applet's paint method to display it.
- Important: a less "powerful" domain cannot gain additional permissions as a result of calling or being called by a more powerful domain.

Java 2 Platform Security: Protection Domains
- Normal rule: the permission set of an execution thread is the intersection of the permissions of all protection domains traversed by the execution thread.
- Exception: the doPrivileged call. It enables a piece of trusted code to temporarily enable access to more resources than are available directly to the application that called it.
  - Example: an application may not be allowed direct access to the files that contain fonts, but the system utility displaying those fonts needs to obtain them on behalf of the user.

Java 2 Platform Security: Protection Domains
When access to a critical system resource (such as file I/O and network I/O) is requested:
- the resource-handling code invokes a special AccessController class method,
- which evaluates the request
- and decides if the request should be granted or denied.
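The intersection rule and the doPrivileged exception from the two slides above, as an added example that is not part of the course slides. The "untrusted" domain is constructed in code (an empty Permissions collection), the font path is a constructed sample that need not exist, and the class assumes JDK 8 to 17 semantics of AccessController (deprecated for removal from JDK 17 and permanently disabled by JEP 486 in JDK 24). Run it as `java -Djava.security.policy=demo.policy DoPrivilegedDemo` with a policy file containing `grant { permission java.io.FilePermission "/tmp/demo-font.ttf", "read"; };`; AccessController.checkPermission consults the policy even when no SecurityManager is installed.

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class DoPrivilegedDemo {

    /** Constructed "untrusted" context: one protection domain that holds no permissions at all. */
    static AccessControlContext untrustedContext() {
        ProtectionDomain noRights = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        return new AccessControlContext(new ProtectionDomain[] { noRights });
    }

    /** Plays the role of the trusted font utility: the check runs inside doPrivileged,
     *  so the AccessController stops walking the stack at this frame and only this
     *  class's own protection domain (granted the read by the policy) is consulted. */
    static boolean readFontPrivileged(String path) {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return Boolean.TRUE;
        });
    }

    /** Same check without doPrivileged: every domain on the stack is intersected,
     *  including the untrusted caller's empty one, so the check fails. */
    static boolean readFontDirect(String path) {
        AccessController.checkPermission(new FilePermission(path, "read"));
        return true;
    }

    /** Runs an action as though it had been called from the untrusted domain:
     *  the second doPrivileged argument adds that domain to the intersection. */
    static boolean runAsUntrusted(PrivilegedAction<Boolean> action) {
        try {
            return AccessController.doPrivileged(action, untrustedContext());
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        String fontFile = "/tmp/demo-font.ttf";   // constructed sample path
        System.out.println("direct call      : " + runAsUntrusted(() -> readFontDirect(fontFile)));      // false
        System.out.println("via doPrivileged : " + runAsUntrusted(() -> readFontPrivileged(fontFile)));  // true
    }
}
```

The second result is exactly why doPrivileged must be kept short and must never pass caller-controlled data (such as an arbitrary path) into the privileged action unchecked: the frame that calls doPrivileged vouches for everything above it.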

Java 2 Platform Security: Protection Domains
- Each domain needs to implement additional protection of its internal resources.
- Example: a banking application needs to maintain its own internal concepts of
  - checking accounts
  - deposits
  - withdrawals

Java 2 Platform Security: Why
- Original problem: users download programs that contain viruses and worms (even in commercial software).
- Java machines execute downloaded code, which makes the problem worse.
- Early work focuses on this issue: Java programs are secure because they cannot install, run, or propagate viruses.

Java 2 Platform Security: Why
(Figure: Java security architecture, showing Remote Class Files, Signed Class Files, Local Class Files, Bytecode Verifier, Class Loader, Core API Class Files, Core Java API, Security Package, Security Manager, Access Controller, Key Database, Operating System.)

Java 2 Platform Security: Why
- Bytecode verifier:
  - Ensures that Java class files follow the rules of Java.
  - Enforces memory protections for all Java programs.
- Class loader: sets permissions for each class it loads.


Java 2 Platform Security: Why
- Access Controller
  - Allows or prevents most access from the core API to the operating system.
  - Based on policies set by the end user or system administrator.
- Security Manager
  - Primary interface between the core API and the OS.
  - Responsible for allowing or preventing access to all system resources.
  - Exists mainly for historical reasons: defers actions to the access controller.


Java 2 Platform Security: Why
- Security Package: classes in the java.security package and those in the security extensions.
  - Add security features to applications.
  - Provide the basis for signing Java classes.
  - Message digests
  - Keys and certificates
  - Digital signatures
  - Encryption
  - Authentication


Java 2 Platform Security: Why
- Key database: the set of keys used by the security infrastructure to create or verify digital signatures.


Java 2 Platform Security: Why: The Java Sandbox
- Permissions: type, name, and action of a permission
- Code sources: the location from which a class has been loaded (URL) and info on the signer (if the code is signed)
- Protection Domains: association of permissions with particular code
- Policy files: entries that define protection domains
- Keystores

Java 2 Platform Security: Why: Comparison with C++
- C++ has the same access levels: private, (default = package in Java), protected, public.
- However, C++ allows backdoors that give access to protected or private parts of objects: casting into an arbitrary memory pointer will do that.
- This is not a security problem if the code comes from the same entity.
- It is a security problem if trusted and untrusted code need to commingle.

Java 2 Platform Security: Why: Java provides memory integrity
- Access methods are strictly adhered to.
- Programs cannot access arbitrary memory locations: there are no pointers in Java.
- Entities declared as final must not be changed. Otherwise:
  - A public final variable could be changed. An attacker changes the values of EAST and WEST in GridBagConstraints and now all applets will change the layout of maps.
  - A subclass overrides a final method and alters its behavior. An attacker overrides the setPriority() method of the Thread class.
  - A subclass can be created from a final class such as String. Suddenly, String objects are no longer constants.

Java 2 Platform Security: Why: Java provides memory integrity
- Variables may not be used before they are initialized. Otherwise an attacker declares a huge variable without initialization and can then read a large part of memory hoping to find interesting data.
- Array bounds are checked on all array accesses. Otherwise, buffer overflows by an attacker allow overwriting of adjacent memory.
- Objects cannot be cast into other objects.

Java 2 Platform Security: Why
- Memory integrity does not prevent the owner of the machine from using tools to look at the memory of an applet.

Java 2 Platform Security: Why: Object Serialization and Memory Integrity
- Object serialization allows an object to be written as a series of bytes.
- Needed to exchange objects between clients and servers.
- Needed to save objects to disk and recreate them later.

Java 2 Platform Security: Why: Enforcement of language rules
- Compiler enforcement: the compiler enforces casting rules, ...

Java 2 Platform Security: Why: Enforcement of language rules
- Bytecode verifier: a mini theorem prover that checks that
  - the class file has the correct format;
  - final classes are not subclassed and final methods are not overridden;
  - every class has a single superclass;
  - there is no illegal data conversion of primitive types;
  - there is no illegal data conversion of objects;
  - there are no operand stack overflows or underflows (Java has a data stack for methods and an operand stack; the latter is protected).

Java 2 Platform Security: Why: Enforcement of language rules
- Delayed bytecode verification: verification of field and method access checks is delayed until the code is actually executed.
- Runtime enforcement:
  - Array bounds checking
  - Object casting

Java 2 Platform Security: Security Manager
- The Security Manager provides mechanisms for the Java API to see if security-related operations are allowed.
- The Access Controller provides the basis of the default implementation of the security manager.
- The class loader encapsulates information about security policies and classes.

Java 2 Platform Security: Security Manager
(Figure: Coordination of Security Manager and Access Controller, showing Program Code, Java API, Native Libraries, Security Manager, Access Controller, Operating System and Program-Specific resources.)

Java 2 Platform Security: Security Manager
- The Security Manager is in control of the security policy of an application: it determines whether particular operations should be permitted or denied.
- The Access Controller does pretty much the same. Historical development explains why there are two similar entities.
- Java 2: the security manager relies more on the access controller.
- Java 2: access controller policies are specified by policy files.
- Java 2: more flexible architecture.
- The large body of pre-Java 2 code freezes the main interface to security procedures, i.e. the security manager.


Java 2 Platform Security: Security Manager
- Native libraries are still outside the scope of the security manager and access controller. The ability to load these libraries can be restricted.
- The security manager sometimes bypasses the access controller.

Java 2 Platform Security: Security Manager
- Default setting: Java applications have no security manager. It needs to be explicitly installed, with the -Djava.security.manager option.
- Java applets have a strict security manager.

Java 2 Platform Security: Security Manager
Example: a security exception if run as an applet; no exception if run as an application, but you'll end up deleting a directory.

```java
package example;   // the slide used "java.example", which the JVM rejects as a prohibited package name

import java.applet.*;

public class MaliciousApplet extends Applet {
    public void init() {
        try {
            // Spawns an external command; the applet security manager refuses this
            Runtime.getRuntime().exec("rmdir foo");
        } catch (Exception e) {
            System.out.println(e);
        }
    }

    public static void main(String args[]) {
        // Run as an application: no security manager is installed by default
        MaliciousApplet a = new MaliciousApplet();
        a.init();
    }
}
```

Java 2 Platform Security: Security Manager
Java API algorithm for a potentially dangerous operation:
1. The programmer makes a request to the Java API.
2. The Java API asks the security manager if this is allowed.
3. The security manager either disallows by throwing an exception, which the Java API throws back to the program,
4. or the Java API completes the operation and returns normally.

Java 2 Platform Security: Security Manager
- Code with the runtime permission createSecurityManager can create and set a SecurityManager object.
- The SecurityManager class provides a complete implementation for the sandbox. This is the one you install by specifying the -Djava.security.manager option to a Java application.
- Java Plug-in and appletviewer use a modified implementation of this class and install it before they load any applets.
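The four-step dialogue between program, Java API and security manager, as an added example that is not part of the course slides: a SecurityManager subclass that refuses and records every attempt to spawn a process (the operation the MaliciousApplet slide tries), while leaving every other check to the inherited implementation, which defers to the AccessController and the policy. Class and method names here are my own; it assumes JDK 8 to 17 (on JDK 18+ the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed, and JEP 486 removes the mechanism in JDK 24).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Security manager that denies process creation and keeps an audit trail of attempts. */
public class ExecDenyingSecurityManager extends SecurityManager {

    private final List<String> auditLog = Collections.synchronizedList(new ArrayList<>());

    /** Runtime.exec and ProcessBuilder.start call this with the program name
     *  (the first token of the command line) before any process is created. */
    @Override
    public void checkExec(String cmd) {
        auditLog.add("denied exec: " + cmd);
        throw new SecurityException("process execution is not permitted: " + cmd);
    }

    /** Snapshot of the recorded denials. */
    public List<String> auditLog() {
        return new ArrayList<>(auditLog);
    }

    /** Step 1: the program asks the Java API for a potentially dangerous operation. */
    static boolean tryExec(String commandLine) {
        try {
            Runtime.getRuntime().exec(commandLine);   // step 2: the API consults the security manager
            return true;                              // step 4: allowed, the operation completed
        } catch (SecurityException e) {               // step 3: refused, exception propagated to the caller
            return false;
        } catch (IOException e) {                     // allowed by the manager but the program could not start
            return false;
        }
    }

    public static void main(String[] args) {
        ExecDenyingSecurityManager sm = new ExecDenyingSecurityManager();
        // No permission check applies while no manager is installed yet
        System.setSecurityManager(sm);

        System.out.println("exec succeeded: " + tryExec("rmdir foo"));   // false
        System.out.println(sm.auditLog());                               // [denied exec: rmdir]
    }
}
```

Overriding only checkExec is deliberate: an empty checkPermission override would silently disable the rest of the sandbox, which is the classic mistake when people subclass SecurityManager to "make something work".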

Java 2 Platform Security: Security Manager Methods
- File access: reading, writing, deleting
- Network access: socket creation and use. Prevents:
  - a rogue applet connecting to a third machine over the network;
  - a rogue applet collecting network information and handing it back to the web server.
- Protection of the virtual machine
- Protection of threads
- Protection of system resources, e.g. untrusted classes cannot print or get the clipboard
- Protection of security aspects, e.g. access to classes, packages, ...

Java 2 Platform Security: Access Controller
The Access Controller is built upon:
- Code sources: where did the code come from
- Permissions
- Policies
- Protection Domains


Java 2 Platform Security: Access Controller: Code Source Class
- A simple object that reflects the URL (http, file, ...) from which a class was loaded and that contains the keys that were used to sign the class.
- Class loaders are responsible for creating and manipulating code source objects.

Java 2 Platform Security: Access Controller: Permissions
- Consist of:
  - Type, e.g. java.io.FilePermission
  - Name, e.g. the name of a file, or "showWindowWithoutWarningBanner"
  - Action, e.g. read file, write file, delete file
- Allow the Java API to negotiate access to resources.
- Allow the programmer arbitrary permissions for use within their own programs.

Java 2 Platform Security: Access Controller: Policy Class
- Specifies which permission applies to which code source.
- Only a single instance of the policy class can be installed in the virtual machine at any one time.

Java 2 Platform Security: Access Controller: Protection Domain
- A grouping of a code source and permissions. When associated with a class, it states that the class
  - was loaded from the site specified in the code source,
  - was signed by the public keys specified in the code source,
  - has the permissions represented in the permission collection object.
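How a code source, a permission collection and a protection domain fit together, and how FilePermission names and actions are matched, as an added example that is not from the course slides. It builds by hand the domain that a policy entry of the form `grant codeBase "http://example.com/applets/-" { permission java.io.FilePermission "/tmp/scratch/-", "read,write"; };` would produce for an unsigned class; the code base and paths are constructed samples (Unix path syntax), and the class names are my own. No policy file or security manager is needed, because the two-argument ProtectionDomain constructor makes the permissions static.

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ProtectionDomainDemo {

    /** Groups a code source (location, no signers) with an explicit permission collection.
     *  Static permissions: the installed Policy is never consulted, so results are deterministic. */
    static ProtectionDomain domainFor(String codeBase, Permission... granted) throws Exception {
        CodeSource source = new CodeSource(new URL(codeBase), (Certificate[]) null); // unsigned code
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(source, perms);
    }

    /** The question the AccessController asks of every domain on the call stack. */
    static boolean allows(ProtectionDomain domain, String path, String actions) {
        return domain.implies(new FilePermission(path, actions));
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain applet = domainFor("http://example.com/applets/",    // constructed code base
                new FilePermission("/tmp/scratch/-", "read,write"));          // "/-" = whole subtree

        System.out.println(applet.getCodeSource().getLocation());             // http://example.com/applets/
        System.out.println(allows(applet, "/tmp/scratch/a.txt", "read"));      // true
        System.out.println(allows(applet, "/tmp/scratch/sub/b.txt", "write")); // true: recursive match
        System.out.println(allows(applet, "/tmp/scratch/a.txt", "delete"));    // false: action not granted
        System.out.println(allows(applet, "/etc/passwd", "read"));             // false: outside the tree
        System.out.println(allows(applet, "/tmp/scratch", "read"));            // false: "/-" excludes the directory itself
    }
}
```

When reviewing policy files, the difference between "/tmp/scratch/*" (direct children only) and "/tmp/scratch/-" (the whole subtree) is the detail most often granted more broadly than intended.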

Java 2 Platform Security: Secure Class Loading
- The class loader is responsible for:
  - locating and fetching the class file
  - consulting the security policy
  - defining the class object with the appropriate permissions
- Dynamic class loading: lazy (on-demand) loading, with link-time checks for type safety.
- Programmers can define their own class loaders:
  - specify remote locations from which classes are loaded;
  - assign appropriate security attributes for them.
- Class loaders provide separate name spaces. Example: a browser can load applets from different web pages using separate class loaders, thus maintaining a degree of isolation between those applet classes.

Java 2 Platform Security: Secure Class Loading
- Multiple instances of class loader objects exist in the JVM:
  - The root is the abstract class java.lang.ClassLoader,
  - which has the subclass java.security.SecureClassLoader,
  - which has the subclass java.net.URLClassLoader.
  - The utility program appletviewer uses the private class sun.applet.AppletClassLoader to load applets.
- Primordial Class Loader: implemented in the system-native language; loads classes from the local file system in a platform-dependent manner.

Java 2 Platform Security: Secure Class Loading: Class Loader Delegation
- A class loader can either load the class itself or ask another class loader to do so.
- Class resolution algorithm:
  1. Check if the class has already been loaded.
  2. If the current class loader has a specified delegation parent, delegate to the parent to try to load this class.
  3. If there is no parent, delegate to the primordial class loader.
  4. Call a customizable method to find the class elsewhere.

Java 2 Platform Security: Secure Class Loading
- A class is defined in a machine-independent binary representation, called the class file.
- Example: the class file of C contains a reference to class D.
  - The symbolic reference is resolved at link time.
  - The class loader for C is the initiating loader for class D.
  - The class loader for C can delegate to a second class loader, etc.
  - The delegation relationship is formed at run-time.

```java
class C {
    void f() {
        D d = new D();   // symbolic reference to D, resolved through C's class loader
        // ...
    }
}
```

Java 2 Platform Security: Secure Class Loading
The class loader performs:
1. Consults the security manager.
2. If the class loader has already loaded the class, finds the previously defined class object.
3. Otherwise, the class loader goes to its parent to see whether the parent knows how to load the class (recursive call).
4. Consults the security manager to see if the program is allowed to create the class.
5. The class file is read into a byte array.
6. Creates a protection domain for the class, consulting the default security model.
7. Constructs the class object from the bytecode.
8. Gets the permissions associated with the code source.
9. Resolves the class: any immediate references to other classes must be found.
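The delegation algorithm and the define-with-a-protection-domain steps of the three class-loading slides above, as an added example that is not part of the course slides: a custom loader whose only parent is the bootstrap loader, which reads class bytes itself and defines them in a domain that carries a constructed code base and no permissions, and a main method that shows two such loaders yield two distinct Class objects for the same bytes. The loader and payload names are my own, the code bases are constructed samples, and for simplicity the bytes are read from the demo's own classpath rather than downloaded. Compile with javac and run with `java ClassLoaderDemo` from the directory holding the .class files (JDK 9+ for InputStream.readAllBytes).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ClassLoaderDemo {

    /** Loader with the bootstrap loader as its only parent, so application classes are
     *  not visible to it; every class it finds is defined in an unprivileged domain. */
    static final class SandboxLoader extends ClassLoader {
        private final ProtectionDomain domain;

        SandboxLoader(String codeBase) throws IOException {
            super(null);   // null parent = delegate to the primordial (bootstrap) loader
            CodeSource source = new CodeSource(new URL(codeBase), (Certificate[]) null);
            domain = new ProtectionDomain(source, new Permissions());   // nothing granted
        }

        // The inherited ClassLoader.loadClass already performs the delegation algorithm:
        // findLoadedClass, then the parent (or bootstrap), then findClass. Only the
        // last step, "find the class elsewhere", is customised here.
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            // "Class file is read into a byte array": taken from this demo's classpath;
            // a real loader would fetch it from the code base URL.
            try (InputStream in = ClassLoader.getSystemResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                byte[] bytes = in.readAllBytes();
                // defineClass runs the bytecode verifier and binds the class to its protection domain
                return defineClass(name, bytes, 0, bytes.length, domain);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Class loaded through the sandbox loader; it must not reference ClassLoaderDemo itself. */
    public static class Payload {
        public String codeBase() {
            return getClass().getProtectionDomain().getCodeSource().getLocation().toString();
        }
    }

    public static void main(String[] args) throws Exception {
        String payloadName = ClassLoaderDemo.class.getName() + "$Payload";
        SandboxLoader pageA = new SandboxLoader("http://example.com/page-a/");   // constructed
        SandboxLoader pageB = new SandboxLoader("http://example.com/page-b/");   // constructed

        Class<?> fromA = Class.forName(payloadName, true, pageA);
        Class<?> fromB = Class.forName(payloadName, true, pageB);

        System.out.println(fromA == fromB);            // false: each loader is its own name space
        System.out.println(fromA == Payload.class);    // false: distinct from the application loader's copy
        Object payload = fromA.getDeclaredConstructor().newInstance();
        System.out.println(fromA.getMethod("codeBase").invoke(payload));        // http://example.com/page-a/
        System.out.println(fromA.getProtectionDomain().implies(
                new java.io.FilePermission("/etc/passwd", "read")));           // false: nothing was granted
    }
}
```

Because the two Payload classes are distinct types, an instance made by pageA cannot be cast to the class defined by pageB even though both came from identical bytes; that type separation is what the slides mean by isolation between applets from different pages.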

Java Security Problems
The security model does not protect against all bad things:
- Applets that perform annoying tasks, e.g. using up CPU.
- Installing a local class file or local native library: an applet can call them if not prevented.
- Newer versions of browsers mitigate the adverse potential.