Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,

Presentation transcript:

Java Security: From HotJava to Netscape & Beyond
Drew Dean, Edward W. Felten, Dan S. Wallach
Department of Computer Science, Princeton University
May, 1998

This article examines the Java language and both the HotJava and Netscape browsers which support it, and finds a significant number of flaws which compromise their security.

Presented by Jenny Liu, 15 May 2001

Summary
- Introduction
- Java Security Mechanisms
- Taxonomy of Java Bugs
  - Denial of service
  - Information Available to Applets
- Security Analysis: how the structure of some systems contributes to the existence of bugs
  - Policy enforcement failures
- Representative Application and its security requirements
  - Networking
- Conclusion

Introduction
- Sun introduced the notion of downloading a program (called an applet) which runs inside the Web browser in mid
- Applets cannot directly make system calls
  - The SecurityManager class is meant to define an interface for access control, and it is used to approve dangerous operations.
- In order to be secure, systems must limit applets’
  - access to system resources
  - interference with other applets
  - communication with other systems
  - ability to learn about local environments

Java Security Mechanisms
- All access controls in HotJava were done on an ad hoc basis – insufficient.
- “SecurityManager” defines and implements a security policy, centralizing all access control decisions.
- Java uses its “type system” to provide protection for the security manager.
  - embeddable in other software
  - protection boundaries can be crossed without a context switch

Examples of known security flaws in HotJava and Netscape
- Denial of Service
  - Definition: A condition in which a system can no longer respond to normal requests (Computer Desktop Encyclopedia, 1999)
- Some examples of attacks are:
  - busy-waiting to consume CPU cycles
  - allocating memory until the system runs out

Denial of Service (Continued)
- Two twists that can make denial of service attacks more difficult to cope with:
  - Masking the source of the attack: An attack can be programmed to occur after some time delay, causing the failure to occur when the user is viewing a different Web page.
  - Degradation of service: An attack can cause degradation of service rather than “outright” denial of service. Definition: Significantly reducing the performance of the browser without stopping it.

Information Available to Applets
- What the applet can learn about the user’s environment and send over the channel can be a security issue.
- System.getenv() in HotJava has no security checks. Therefore the user’s login name, the machine name, and the contents of all environment variables are easy to learn.
- By probing environment variables, an applet can discover valuable information that is useful to attackers who want to break into a user’s machine.
- “In JDK and Netscape, System.getenv() was replaced with “system properties”, many of which are not supposed to be accessible by applets.”
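An added example (not from the slides or the paper) of the centralized, default-deny mediation described above, applied to system properties. The class name `AppletPropertyGate` is hypothetical, and the allow-list is an assumption modelled on the properties that classic applet documentation listed as readable by unsigned applets.

```java
import java.util.Properties;
import java.util.Set;

/** Added illustration: one choke point for property reads made by untrusted code. */
public class AppletPropertyGate {
    // Assumption: properties that describe the runtime but not the user.
    // Anything not listed (user.name, user.home, java.class.path, ...) is denied.
    private static final Set<String> APPLET_READABLE = Set.of(
        "java.version", "java.vendor", "java.vendor.url", "java.class.version",
        "os.name", "os.arch", "os.version",
        "file.separator", "path.separator", "line.separator");

    /** Single-key read: default deny, so a newly added property is never exposed by accident. */
    public static String read(String key) {
        if (key == null || key.isEmpty()) {
            throw new IllegalArgumentException("empty property name");
        }
        if (!APPLET_READABLE.contains(key)) {
            throw new SecurityException("untrusted code may not read property: " + key);
        }
        return System.getProperty(key);
    }

    /** Bulk read: hand out a filtered copy, so enumeration cannot bypass read(). */
    public static Properties snapshot() {
        Properties visible = new Properties();
        for (String key : APPLET_READABLE) {
            String value = System.getProperty(key);
            if (value != null) {
                visible.setProperty(key, value);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        String[] probes = {"os.name", "java.version", "user.name", "user.home", "java.class.path"};
        for (String key : probes) {
            try {
                System.out.println("ALLOW " + key + " = " + read(key));
            } catch (SecurityException e) {
                System.out.println("DENY  " + key);
            }
        }
        System.out.println("bulk view exposes " + snapshot().size() + " properties");
    }
}
```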

Analysis of bugs’ possible cause – Policy enforcement failures
- “There must be an explicit and well-defined security policy enforced by the system” – Orange Book’s Fundamental Computer Security Requirements.
- But… “the present documents on Netscape & HotJava do not formally define a security policy”.
- We trust that the operating system’s security policy will be enforced well on Java as a general programming language.
- However, we cannot trust Java as a system for running untrusted applets obtained from the Web. So we require that Java define and implement a protected subsystem with an appropriate security policy.

Major problem in defining a security policy:
- For Java applets: the policy needs to be “flexible” enough to not unduly limit applets, while still preserving the user’s integrity and privacy.

Representative Application - Networking
- “Untrusted applets should be able to use network services only under restricted circumstances.”
- Java runtime library should support the protocols in current use today: HTTP (the Web), FTP (file transfer), Gopher, SMTP ( ), NNTP (Usenet news), Finger (user information), etc.
- FTP presents the most difficulties:
  - it has the server open a connection back to the client for each data transfer, requiring the client to call listen() and accept().
- All FTP servers are required to support passive mode, where the client actively opens all the connections.
- FTP clients should be carefully designed to ensure that an applet does not use it to harm a third party.
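An added example (not from the slides or the paper) of one client-side check for the passive-mode case: the client opens the data connection to whatever address the server's 227 reply names, so the reply is validated against the control connection's peer before connecting. The class name `PasvTargetCheck` is hypothetical, and the sample replies are constructed with documentation address ranges.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration: validate a 227 reply before opening the FTP data connection. */
public class PasvTargetCheck {
    // RFC 959 reply form: 227 <text> (h1,h2,h3,h4,p1,p2)
    private static final Pattern PASV = Pattern.compile(
        "^227 .*?\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})\\)");

    /** Returns the data endpoint, or throws if the reply names any host but the control server. */
    public static InetSocketAddress dataTarget(String reply, InetAddress controlPeer)
            throws UnknownHostException {
        Matcher m = PASV.matcher(reply);
        if (!m.find()) {
            throw new IllegalArgumentException("not a well-formed 227 reply");
        }
        int[] field = new int[6];
        byte[] host = new byte[4];
        for (int i = 0; i < 6; i++) {
            field[i] = Integer.parseInt(m.group(i + 1));
            if (field[i] > 255) {
                throw new IllegalArgumentException("field out of range: " + field[i]);
            }
            if (i < 4) {
                host[i] = (byte) field[i];
            }
        }
        int port = (field[4] << 8) | field[5];   // p1 is the high byte, p2 the low byte
        InetAddress advertised = InetAddress.getByAddress(host);
        if (!advertised.equals(controlPeer)) {
            throw new SecurityException("reply names " + advertised.getHostAddress()
                + " but the control connection is to " + controlPeer.getHostAddress());
        }
        return new InetSocketAddress(controlPeer, port);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: 192.0.2.10 stands in for the FTP server.
        InetAddress server = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        String[] replies = {
            "227 Entering Passive Mode (192,0,2,10,195,80)",    // same host, port 50000
            "227 Entering Passive Mode (198,51,100,7,195,80)",  // a different host
        };
        for (String reply : replies) {
            try {
                System.out.println("connect to " + dataTarget(reply, server));
            } catch (SecurityException e) {
                System.out.println("refused: " + e.getMessage());
            }
        }
    }
}
```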

Conclusion
- This article demonstrated an array of attacks that allow the security of both HotJava and Netscape to be compromised.
- “While many of the specific flaws have been patched, the overall structure of the systems leads us to believe that flaws will continue to be found”.
- A well-defined, formal security policy would help to allow more functionality for untrusted applets without compromising the user’s integrity and privacy.
- We conclude that the Java system in its current form cannot easily be made secure. Therefore, redesign of the language, the bytecode format, and the runtime system appear to be the steps toward a higher-assurance system.

Questions & some thinking:
- Why does the system have to carefully manage system calls?
- Can you think of some examples of system resources to which systems should limit applets’ access?