Dan Sedlacek CTO, Systems Management Group Sterling Software Java Security and Encryption.

What is the level of security provided by Java technology? What’s NOT provided for in Java How Java implements security How to extend Java security

Agenda Java Security Overview Applications and Applets Java Language Security Java Class Loaders Security Manager Access Controller Security Policies Authentication Encryption

Java Security Overview What is Security? Virus Protection System Resource Access Control Authentication of Author and Data Data Privacy Encryption Auditing Orange Book (C2, B1)

Java Security Overview What is Java Security? Virus Protection - Yes System Resource Access Control - Yes Authentication of Author and Data - Yes Data Privacy - Yes & No (only if you encrypt; signing alone does not hide anything) Encryption - Optional Auditing - Not Built-in Orange Book (C2, B1) - No

Applets and Applications Applets –Run Under Control of a Browser –Are Subject to the Browser Security Policy Applications –Establish their Own Security Policy –Default is No Security Manager

Applets: very restricted; run under the browser’s security manager

Applications: allowed to play; a security manager is optional

How Does Java Provide Security? Java Language Security Java Class Loaders Digital Signatures Java Security Manager Java Access Controller Encryption

Java Language Security Classes and their members have access levels: –private: Accessible only within the defining class –package (default, no modifier): Accessible by classes in the same package –protected: Same as package, with the addition of access by any subclass –public: Accessible by any class

Java Language Security Access rules are strictly enforced No pointers (no access to arbitrary memory; memory is reclaimed by automatic garbage collection) “final” methods cannot be overridden and “final” variables cannot be reassigned Local variables MUST be initialized before use (fields get a defined default value) Array bounds are enforced Strict object casting rules

Java Language Security Object serialization can be a problem –Objects are externalized as a series of bytes –Data may be tampered with before the object is reconstructed, and the bytes themselves decide which classes get instantiated Some solutions: –only classes that implement java.io.Serializable can be serialized –a “transient” field is left out of the stream (sensitive state such as keys or session tokens should be transient) –private writeObject() and readObject() methods let you encrypt or sign the state on the way out and re-validate invariants on the way back in –from Java 9, an ObjectInputFilter on the ObjectInputStream limits which classes an untrusted stream may create
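The three points on this slide in working code, as an added example that is not part of the original deck: a transient field never reaches the stream, a private readObject() re-checks invariants after the bytes have been altered, and a deserialization filter (java.io.ObjectInputFilter, Java 9 or later) rejects a class that is not on the allow list. The Account class, its field names and the tampering (patching the serialized double in place) are constructed for the demonstration.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Date;

// Constructed example class: what a payroll service might serialize.
class Account implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String owner;
    private double balance;
    // transient: never written to the stream, so it can neither leak nor be tampered with in transit.
    // After deserialization it is null (field initializers do not run for Serializable classes).
    private transient String sessionToken = "constructed-session-token";

    Account(String owner, double balance) {
        this.owner = owner;
        this.balance = balance;
    }

    String owner() { return owner; }
    double balance() { return balance; }
    String sessionToken() { return sessionToken; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();   // a real system could encrypt or MAC the state here
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // The bytes may have been modified before they reached us: re-check every invariant.
        if (owner == null || owner.isEmpty() || balance < 0) {
            throw new InvalidObjectException("tampered or invalid Account state");
        }
    }
}

public class SerializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    // Attacker's view: find the big-endian IEEE-754 encoding of a known double in the
    // stream and overwrite it with another value. No class file is needed for this.
    static byte[] patchDouble(byte[] stream, double from, double to) {
        byte[] needle = ByteBuffer.allocate(8).putDouble(from).array();
        byte[] replacement = ByteBuffer.allocate(8).putDouble(to).array();
        byte[] out = stream.clone();
        for (int i = 0; i + 8 <= out.length; i++) {
            if (Arrays.equals(out, i, i + 8, needle, 0, 8)) {
                System.arraycopy(replacement, 0, out, i, 8);
                return out;
            }
        }
        throw new IllegalStateException("value not found in stream");
    }

    public static void main(String[] args) throws Exception {
        // Allow list: only Account and String may be instantiated from the stream; "!*" rejects everything else.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter("Account;java.lang.String;!*");

        byte[] good = serialize(new Account("alice", 100.0));
        Account a = (Account) deserialize(good, allowList);
        System.out.println("round trip: " + a.owner() + " " + a.balance() + " token=" + a.sessionToken());

        byte[] tampered = patchDouble(good, 100.0, -100.0);
        try {
            deserialize(tampered, allowList);
        } catch (InvalidObjectException e) {
            System.out.println("readObject() rejected: " + e.getMessage());
        }

        byte[] foreign = serialize(new Date());   // a class the receiver never expected
        try {
            deserialize(foreign, allowList);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run the main class; the filter string follows the pattern syntax documented on ObjectInputFilter.Config (class names separated by “;”, a leading “!” rejects, “*” is a wildcard, and limits such as maxdepth= can be added). The important design point is that readObject() validation and the filter protect against different things: the former catches altered field values, the latter stops the stream from instantiating gadget classes at all.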

Java Language Security Enforcement Enforcement happens at different times –Compile time enforcement –Class load time enforcement –Runtime enforcement It’s easy to get around compile-time enforcement - hand-craft or patch class files instead of going through javac Class loader and runtime enforcement are much harder to get around

Java Language Security Enforcement Java Source -> Java Compiler -> Bytecode -> Class Loader -> Bytecode Verifier -> Java Virtual Machine Runtime

Java Language Security Compile Time Enforcement Validate language syntax Enforce method and variable access rules Enforce variable initialization Enforce the casting rules that can be decided statically (the rest are checked at runtime)

Java Language Security Class Load Time Enforcement Bytecode verifier is part of the VM Bytecode verification –Verifies class file format –Final classes are not subclassed –Final methods are not overridden –Every class has a single superclass (except Object, of course)

Java Language Security Class Load Time Enforcement Bytecode verification (continued) –Verify that every checkcast needed for type safety is present and that operand types are consistent along every path –No operand stack overflows or underflows –All field and method accesses are legal Bytecode verification may be deferred until the class is linked, and the JDK 1.0/1.1 default (-verifyremote) verified only classes that came in through a class loader, so local CLASSPATH classes were not verified unless the VM was started with -verify

Java Language Security Runtime Enforcement Array bounds checking –Throws ArrayIndexOutOfBoundsException Object casting –Throws ClassCastException Security Manager –Throws SecurityException –From 1.2, delegates its decisions to the Access Controller

Java Class Loaders Read bytecode into the JVM Convert into class definitions Works in conjunction with Security Manager and Access Controller Knows where the class originated Understands signed Jar files Enforces namespace rules

Java Class Loaders Java applications can create and use different class loaders Java applets use the browser- provided class loader

Java Class Loaders Namespaces Used to eliminate ambiguity between classes with the same name Full name of a Java class is qualified by the name of the package: –java.lang.String –com.sun.java.swing.JTable (javax.swing.JTable from 1.2 on) Classes with no package statement belong to the unnamed (default) package

Java Class Loaders Namespaces Classes with different CODEBASEs are loaded by different instances of the class loader Even if fully qualified class names are the same, the (class loader, class name) pair makes them unique: the JVM treats them as distinct classes and a cast between them fails Namespaces enforce package protection: a runtime package is the package name plus the defining loader, so code loaded by another loader cannot reach package-private members even if it declares the same package name

Java Class Loaders How they Work Previously loaded classes are cached and returned first Class loader optionally consults the Security Manager (checkPackageAccess) to see if the program is allowed to access the class In 1.2 the request is delegated to the parent loader first, and the internal (system) class loader attempts to load the class from CLASSPATH Only if the parents fail does the loader read in its own array of bytes Bytecode verification is performed when the class is defined

Java Class Loaders How they Work A class object is constructed from the bytecodes Resulting class name is verified to be the requested class name Base classes and classes referenced by static initializers are also loaded Other referenced classes are loaded when the class references them

Java Class Loaders How they Work An internal (bootstrap) class loader, part of the JVM, loads the Java API classes when the VM starts up In 1.1 the internal class loader also loads all CLASSPATH classes In 1.2 the system class loader, an instance of URLClassLoader, loads classes from CLASSPATH and delegates to the bootstrap loader first Browsers load classes for applets from the applet’s CODEBASE using the URL class

Other Java Class Loaders An RMI class loader (RMIClassLoader) is similar to an applet class loader –Uses HTTP to load classes from a remote host Secure class loader associates protection domains with each class it loads –java.security.SecureClassLoader –Makes use of the access controller facilities URL class loader (URLClassLoader) - general purpose class loader

Java Class Loaders and JAR files Java Archive files, or JAR files, are Zip files with some additional information (a manifest and, optionally, signature files) JAR files contain many class files and the other files needed by an application A JAR file is fetched and opened as one unit, but the classes in it are still defined on demand as they are first referenced Signed classes must be in JAR files; the signature covers the per-entry digests recorded in the manifest

Java Class Loaders Security Implications Class loaders are integral to Java’s security –Class loaders enforce namespace separation –Security Manager depends on the class loader to keep track of the class origin –Custom class loaders may be developed to handle load protocols other than HTTP, to implement class file encryption, and to implement special security policies.
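The namespace slides and the “How they Work” slides in one runnable demonstration, as an added example that is not part of the original deck. Two custom class loaders define the same bytecode; the JVM treats the results as two distinct classes, and code defined by one loader cannot reach package-private members of classes defined by the system loader even though all of them sit in the same (default) package. The loader follows the 1.2 shape (cache, then its own code source for classes it owns, then the parent). The classes Greeter and PackageHelper, the loader labels and the in-memory code source are constructed; compile with javac first, because the loader reads Greeter.class back from the classpath.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;

// Loaded once, by the application (system) class loader. Class and method are package-private.
class PackageHelper {
    static String secret() { return "package-private data"; }
}

// Also on the classpath, but re-defined below through the custom loaders.
class Greeter {
    public String greet() { return "hello from " + getClass().getClassLoader(); }
    public String peek() { return PackageHelper.secret(); }   // same package name, different runtime package when re-loaded
}

public class LoaderDemo {
    // A loader whose code source is an in-memory map of class name -> class file bytes (constructed).
    static final class MapClassLoader extends ClassLoader {
        private final String label;
        private final Map<String, byte[]> source;

        MapClassLoader(String label, Map<String, byte[]> source, ClassLoader parent) {
            super(parent);
            this.label = label;
            this.source = source;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);          // 1. previously loaded classes are cached
                if (c == null) {
                    byte[] b = source.get(name);
                    if (b != null) {
                        // 2. a class from our own code source: defineClass runs the bytecode
                        //    verifier and binds the class to this loader's namespace
                        c = defineClass(name, b, 0, b.length);
                    } else {
                        c = super.loadClass(name, false);    // 3. everything else: delegate to the parent
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        @Override public String toString() { return label; }
    }

    // Reads the compiled class file from the classpath so we have bytes to hand to the loaders.
    static byte[] classBytes(Class<?> c) throws IOException {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) throw new FileNotFoundException(resource);
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Greeter.class.getName();
        Map<String, byte[]> source = Map.of(name, classBytes(Greeter.class));
        ClassLoader parent = LoaderDemo.class.getClassLoader();

        Class<?> a = new MapClassLoader("loader-A", source, parent).loadClass(name);
        Class<?> b = new MapClassLoader("loader-B", source, parent).loadClass(name);
        Object fromA = a.getDeclaredConstructor().newInstance();

        System.out.println(a.getMethod("greet").invoke(fromA));                      // hello from loader-A
        System.out.println("same name:        " + a.getName().equals(b.getName()));  // true
        System.out.println("same class:       " + (a == b));                          // false
        System.out.println("instance of B's?  " + b.isInstance(fromA));              // false
        System.out.println("instance of app's " + Greeter.class.isInstance(fromA)); // false

        try {
            a.getMethod("peek").invoke(fromA);
        } catch (InvocationTargetException e) {
            // IllegalAccessError: PackageHelper lives in the system loader's runtime package,
            // so loader-A's Greeter is outside it despite the identical package name.
            System.out.println("package protection held: " + e.getCause());
        }
    }
}
```

The loader deliberately defines classes it owns before asking the parent; the stock ClassLoader.loadClass() is parent-first, which is the right default and is what keeps untrusted code from shadowing java.* (defineClass refuses java.* names outright). The same defineClass() call is where a custom loader would decrypt class bytes or attach a specific ProtectionDomain, which is what the slide means by load protocols, class file encryption and special security policies.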

Java Security Manager Security Manager is the sandbox guard Default security manager provided by browsers to protect local system resources Applications have a null security manager by default In 1.2 run with -Djava.security.manager (the -usepolicy switch of the 1.2 betas) to install the default security manager, which in turn uses the Access Controller and the policy files Caveat: the Security Manager was deprecated for removal in Java 17 (JEP 411), installing one at run time needs -Djava.security.manager=allow from Java 18, and Java 24 disables it permanently (JEP 486), so new code must not rely on it as a sandbox

Java Security Manager Class File -> Bytecode Verification -> Class Loader -> Security Manager -> Instantiated Object; calls the object makes through the Core Java API are checked by the Security Manager, which consults the Access Controller

Java Security Manager java.lang.SecurityManager Programs perform operations through the core Java API Methods are invoked by the core Java API to check if an operation is allowable A SecurityException is thrown if the operation is not allowable

Java Security Manager Trusted Classes In general: –Core API classes are trusted –In 1.1, classes that are loaded via the CLASSPATH are trusted; in 1.2 they are subject to the policy like any other code source (the default policy grants AllPermission only to the extensions directory) Specific permissions may be granted based on signature and codebase Access Controller is called by the Security Manager to ascertain whether every class on the call stack holds the needed permission

Java Security Manager Methods Protection for the Java Virtual Machine System resource protection –File system access –Network access –Printing –Accessing the clipboard –Event queue access

Java Security Manager Methods Access to security related operations Protection against manipulating thread groups that were created by another entity

Access Controller Added in release 1.2 Used by the security manager to decide permission checks against the security policy Allows the security policy to be configured without writing a custom security manager System security file: –${java.home}/lib/security/java.security (conf/security/java.security from Java 9 on) Custom security managers that override the 1.1 checkXXX() methods still work

Access Controller System Security File ${java.home}/lib/security/java.security
policy.provider=sun.security.provider.PolicyFile
policy.expandProperties=true
policy.allowSystemProperty=true
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
These policy files map code sources to sets of permissions; policy.allowSystemProperty=true is what lets -Djava.security.policy=<file> add a third file (or, with ==, replace the configured ones)

Access Controller Roles Used by the security manager to determine access to resources May be called directly by a program (AccessController.checkPermission) to check application-specific permissions The Java API’s own checks run only if a security manager is installed; a direct call evaluates the policy against the call stack regardless

Access Controller Concepts Code sources - Where the class comes from Permissions - Ability to perform an operation Policies - Set of permissions by code source Protection domains - Permissions granted to classes from a particular code source

Access Controller Code Sources java.security.CodeSource CodeSource(URL url, java.security.cert.Certificate[] certs) (the 1.2 betas took a PublicKey[] instead) public boolean equals(Object obj) public final URL getLocation() public final Certificate[] getCertificates()

Access Controller Permissions java.security.Permission (abstract base class; java.security.Permissions is the collection that holds a heterogeneous set of them) Permission properties: –Type (e.g. FilePermission) –Name (e.g. name of the file - supports wildcards such as “/tmp/*” for one directory and “/tmp/-” for a whole tree) –Actions (e.g. read)

Access Controller Permissions Java API permissions –Access controller is automatically called if a security manager is active Arbitrary user-defined permissions –Name (e.g. CorporatePayroll) –Actions (e.g. read) –Access controller must be explicitly called

Access Controller Java API Permissions Java API permissions –FilePermission (e.g. /etc/passwd, read) –SocketPermission (IP:port, accept, connect, listen, resolve) –PropertyPermission (e.g. java.version, read) –RuntimePermission (Runtime class operations, e.g. exit) –AWTPermission - Access to windowing resources

Access Controller Java API Permissions Java API permissions –NetPermission - Network authentication settings and URL stream handlers –SecurityPermission - Permission to use the security package (providers, policy, identity scopes) –SerializablePermission - Object serialization (subclass hooks) –ReflectPermission - Reflection API (suppressAccessChecks) –UnresolvedPermission - Placeholder for a permission whose class was not yet loaded when the policy file was read –AllPermission - Superuser: implies every other permission, so grant it only to fully trusted code

Security Policies java.security.Policy Ties code sources to permissions Default policy is provided in the system security file Methods (1.2 final; the betas called the first one evaluate()): PermissionCollection getPermissions(CodeSource cs) void refresh() static Policy getPolicy() / setPolicy(Policy p)

Default Security Policy Policy files specified by the system security file: the policy.url.n entries General format:
grant [signedBy "signer_names"] [, codeBase "URL"] {
    permission permission_class_name [ "target_name" ] [, "action_list"] [, signedBy "signer_names"];
    …
    permission permission_class_name [ "target_name" ] [, "action_list"];
};
Each granted permission is matched with implies(), so a granted java.io.FilePermission "/tmp/-", "read,write" covers a request for "/tmp/a/b", "read"

Protection Domains java.security.ProtectionDomain public ProtectionDomain(CodeSource cs, PermissionCollection perms) public CodeSource getCodeSource() public PermissionCollection getPermissions() public boolean implies(Permission p) Represents the permissions granted to one code source, i.e. the union of the “grant” entries that match it; every class is assigned a protection domain when it is defined, and a check passes only if every domain on the call stack implies the permission
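The Access Controller concepts from the last slides (code source, permission, permission collection, protection domain, and the user-defined “CorporatePayroll” permission) built by hand and evaluated with implies(), as an added example that is not part of the original deck. The code base URL, the file and host names, and the CorporatePayrollPermission class are constructed; the grant entry in the comment is the policy-file form of the same domain. The static ProtectionDomain does not consult the JVM policy, so the first part behaves the same on every JDK; the final AccessController.checkPermission() call is the live check and is denied because nothing grants our permission to this class.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.TreeSet;
import java.util.stream.Collectors;

public class AccessControlDemo {

    // Constructed user-defined permission. BasicPermission supplies name matching with a
    // trailing ".*" wildcard; the action list is our own and is checked in implies().
    public static final class CorporatePayrollPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        private final TreeSet<String> actions;

        public CorporatePayrollPermission(String name, String actions) {   // (String, String) ctor is what the policy loader needs
            super(name);
            this.actions = Arrays.stream(actions.split(",")).map(String::trim)
                    .filter(s -> !s.isEmpty()).collect(Collectors.toCollection(TreeSet::new));
        }

        @Override public String getActions() { return String.join(",", actions); }

        // A granted permission implies a requested one if the name matches (super)
        // and every requested action was granted.
        @Override public boolean implies(Permission p) {
            return p instanceof CorporatePayrollPermission
                    && super.implies(p)
                    && actions.containsAll(((CorporatePayrollPermission) p).actions);
        }

        @Override public boolean equals(Object o) {
            return super.equals(o) && actions.equals(((CorporatePayrollPermission) o).actions);
        }

        @Override public int hashCode() { return 31 * super.hashCode() + actions.hashCode(); }
    }

    // The protection domain that this (constructed) policy entry would produce:
    //
    //   grant codeBase "file:/opt/payroll/app.jar" {
    //       permission java.io.FilePermission "/var/payroll/-", "read";
    //       permission java.net.SocketPermission "*.example.com:1024-", "connect,resolve";
    //       permission AccessControlDemo$CorporatePayrollPermission "payroll.*", "read";
    //   };
    static ProtectionDomain payrollDomain() throws Exception {
        CodeSource cs = new CodeSource(new URI("file:/opt/payroll/app.jar").toURL(), (Certificate[]) null); // unsigned
        Permissions perms = new Permissions();
        perms.add(new FilePermission("/var/payroll/-", "read"));                   // "-" = whole tree
        perms.add(new SocketPermission("*.example.com:1024-", "connect,resolve"));  // any host in the domain, ports >= 1024
        perms.add(new CorporatePayrollPermission("payroll.*", "read"));
        return new ProtectionDomain(cs, perms);   // static permissions: the Policy is not consulted
    }

    static boolean allowed(ProtectionDomain pd, Permission p) { return pd.implies(p); }

    public static void main(String[] args) throws Exception {
        ProtectionDomain pd = payrollDomain();
        Permission[] requests = {
            new FilePermission("/var/payroll/2024/q1.csv", "read"),     // true
            new FilePermission("/var/payroll/2024/q1.csv", "write"),    // false: action not granted
            new FilePermission("/etc/passwd", "read"),                  // false: outside the tree
            new SocketPermission("hr.example.com:8443", "connect"),     // true
            new SocketPermission("hr.example.com:443", "connect"),      // false: port below 1024
            new CorporatePayrollPermission("payroll.report", "read"),   // true: payroll.* matches
            new CorporatePayrollPermission("payroll.report", "write"),  // false: action not granted
        };
        for (Permission p : requests) {
            System.out.printf("%-5s %s%n", allowed(pd, p), p);
        }

        // Live check: the access controller walks the caller's stack and every protection
        // domain on it must imply the permission. Nothing in the JVM's policy grants our
        // permission to this class, so this is denied; on JDKs that have removed the
        // Security Manager the call is always denied.
        try {
            AccessController.checkPermission(new CorporatePayrollPermission("payroll.report", "read"));
            System.out.println("granted by policy");
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

On Java 17 and later javac warns that AccessController is deprecated for removal; the implies() logic of Permission, Permissions and ProtectionDomain is not deprecated and is still what jar signing and policy tooling use to reason about grants.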

Authentication It’s a wide open Internet System resources need to be protected from viruses and other attacks Need for authentication –Author authentication Where did the class come from –Data authentication Was the class content modified?

Authentication The signed JAR file is the mechanism Enables the class loader to know definitively where the class came from, and if it has been tampered with. Does NOT imply that Java should trust all signed JAR files Does NOT protect the privacy of the information in the JAR file - for that you need encryption

Encryption javax.crypto.Cipher - the encryption engine Perform encryption and decryption of arbitrary data Implements named algorithms, requested as Cipher.getInstance("algorithm/mode/padding") Supplied by security providers (the JCE was a separate download at the time) Sun’s provider supported DES, multiple (triple) DES and PBEWithMD5AndDES; all three are obsolete today, and AES (in the JDK since 1.4), preferably in an authenticated mode such as GCM, should be used instead

Encryption Used internally by class loader –Public and private keys –Message digests –Signed JAR files General purpose encryption

Encryption Signed JAR files Originator generates digital signature –Produce a message digest of the content –Sign the digest with the private key (for RSA this amounts to encrypting the digest with the private key; java.security.Signature performs both steps) Recipient –Recover the digest from the signature using the public key –Recompute the digest over the received content and compare the two; any difference means the content or the signature was modified

Encryption of Signed JAR files JAR file -> Message Digest Engine -> Message Digest -> Digital Signature Engine (Private key) -> Digital Signature

Decryption of Signed JAR files Digital Signature -> Digital Signature Engine (Public key) -> Message Digest, compared against JAR file -> Message Digest Engine -> Message Digest
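The two diagrams as code, as an added example that is not part of the original deck: the originator digests the content and signs it with the private key, the recipient verifies with the public key, and a single changed byte or a signature from a different key both fail. java.security.Signature (SHA256withRSA) does the digest and the sign/verify step together; the separate MessageDigest call only shows the digest the slides talk about. The “JAR” is a constructed byte string and the key pairs are generated on the fly; a real signed JAR carries the signature in META-INF and is verified by jarsigner -verify or java.util.jar.JarFile.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class SignedJarDemo {
    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        return kpg.generateKeyPair();
    }

    // Message Digest Engine
    static byte[] digest(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Originator: Digital Signature Engine with the private key
    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");   // digests internally, then signs the digest
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    // Recipient: true only if the data is unmodified and was signed by the matching private key
    static boolean verify(PublicKey pub, byte[] data, byte[] signature) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPair author = newKeyPair();
        // Constructed stand-in for the bytes of app.jar
        byte[] jar = "PK.. constructed stand-in for the bytes of app.jar ..".getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("SHA-256 of jar: " + Base64.getEncoder().encodeToString(digest(jar)));

        byte[] sig = sign(author.getPrivate(), jar);
        System.out.println("intact jar verifies:     " + verify(author.getPublic(), jar, sig));       // true

        byte[] modified = jar.clone();
        modified[10] ^= 0x20;   // one bit of class content changed in transit
        System.out.println("modified jar verifies:   " + verify(author.getPublic(), modified, sig));  // false

        KeyPair impostor = newKeyPair();
        byte[] forged = sign(impostor.getPrivate(), jar);
        System.out.println("other key's signature:   " + verify(author.getPublic(), jar, forged));    // false
    }
}
```

A true result answers only the two questions on the Authentication slides, who signed and whether the bytes changed; whether that signer should be trusted is a separate decision, which in the 1.2 model is the signedBy clause of a policy grant.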

Java Security Summary Java Security Features –Java Language Security –Java Class Loaders –Security Manager and Access Controller –Security Policies –Authentication and Encryption Java Security is Both Configurable and Extendable

Java Security and Encryption Questions and Answers Dan Sedlacek CTO, Systems Management Group Sterling Software