Security: Lessons Learned and Missed from Java Nathanael Paul David Evans University of Virginia ACSAC 2004.

2 Major Security Vulnerabilities (Cumulative)
[chart: cumulative count of major security vulnerabilities, Java VM vs. .NET VM]

3 Why the disparity in vulnerabilities?
Hypotheses:
No one uses/attacks .NET
– Windows Update installs the .NET framework
– Attractive target with over 90% market share
Microsoft is smarter than everyone else
– Check their profit and market share
Learned from past
– .NET learned from experience with Java

4 Universal Security Principles [Saltzer and Schroeder, 1974] [McGraw and Viega, 2001]
Keep it simple
Complete mediation
Least privilege
Secure the weakest link
Defense in depth

5 Virtual Machines Platforms that allow untrusted code to execute with restrictions enforced by the virtual machine (VM)

6 Low-level Code Safety
[diagram: Source → bytecodes → Verifier → VM]
Must ensure programs are type, memory, and control safe using data-flow analysis
High-level policy enforcement depends on low-level code safety

7 Verifier is (should be) Conservative
[Venn diagram: verifiable programs ⊂ safe programs ⊂ all .NET/Java programs; "Bug" marks a program the verifier accepts that lies outside the safe set]

8 Object Creation and Initialization
Virtual machine must ensure object is initialized before use
– Security permissions restrict some objects from being created
– Improper initialization can create a vulnerability
Bug in MSIE 4.0, 5.0, 6.0 [lsd-pl.net]
Similar bug in Sun and Netscape
Lesson 1: Keep it simple

9 Object Creation Instructions
Java
– new – create new (uninitialized) object reference
– dup – duplicate reference
– invokespecial – calls constructor
.NET
– newobj is equivalent to Java's new, dup, and invokespecial instructions

10 Object Initialization Vulnerability [lsd-pl.net]

    // Illustrative Java for the crafted bytecode. javac only accepts a
    // this(...) call as the first statement of a constructor, never inside
    // try, so the attack had to be written directly as class-file bytecode
    // (see the instruction sequence on slide 28).
    class LSDbug extends SecurityClassLoader {
        public LSDbug() {
            try {
                this(5);                 // invokespecial LSDbug(int)
            } catch (SecurityException e) {
                this.loadClass(…);       // `this` was never initialized
            }
        }
        public LSDbug(int x) {
            super();                     // throws SecurityException
        }
    }
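The data-flow analysis slide 6 calls for, applied to this pattern, as an added example (Python written for this page, not code from the paper, from lsd-pl.net or from any JVM): a toy verifier that tracks whether `this` is initialized inside a constructor. The instruction encoding, the handler table format and the one-local frame are simplifying assumptions; the rule that a handler starts from the frame as it was before the faulting instruction is the conservative one a verifier needs here, and it is exactly what the buggy verifiers got wrong.

```python
# Added example (not from the paper or from lsd-pl.net): a toy model of the
# data-flow check a bytecode verifier must do to reject the LSDbug pattern.
# Instruction names follow JVM bytecode; the handler encoding and the
# one-local "frame" are simplifying assumptions.

UNINIT_THIS = "uninitializedThis"   # `this` before super()/this() has returned
INIT = "initialized"


class VerifyError(Exception):
    pass


def verify_constructor(instructions, handlers):
    """Abstractly interpret a constructor body.

    instructions: tuples such as ("aload_0",), ("iconst", 5),
                  ("invokespecial", nargs), ("invokevirtual", nargs),
                  ("pop",), ("goto", pc), ("athrow",), ("return",).
    handlers:     (start, end, target): an exception raised by any
                  instruction with start <= pc < end jumps to `target`.

    The frame is (type of local 0, operand stack). Returns True if every use
    of `this` is on an initialized reference, raises VerifyError otherwise.
    """
    worklist = [(0, UNINIT_THIS, ())]
    seen = set()
    while worklist:
        pc, this_t, stack = worklist.pop()
        if (pc, this_t, stack) in seen:
            continue
        seen.add((pc, this_t, stack))
        op, *args = instructions[pc]

        # Exception edge: a handler covering pc starts from the frame as it
        # was BEFORE this instruction ran, with the stack replaced by the
        # thrown exception. If super() throws, `this` is still uninitialized
        # inside the catch block.
        for start, end, target in handlers:
            if start <= pc < end:
                worklist.append((target, this_t, ("Throwable",)))

        if op == "aload_0":
            worklist.append((pc + 1, this_t, stack + (this_t,)))
        elif op == "iconst":
            worklist.append((pc + 1, this_t, stack + ("int",)))
        elif op == "pop":
            worklist.append((pc + 1, this_t, stack[:-1]))
        elif op == "goto":
            worklist.append((args[0], this_t, stack))
        elif op == "athrow":
            pass  # control leaves only through the exception edge above
        elif op == "invokespecial":  # constructor call; args[0] = argument count
            nargs = args[0]
            receiver, rest = stack[-1 - nargs], stack[:-1 - nargs]
            if receiver == UNINIT_THIS:
                # super()/this() returned normally: every copy is now initialized
                rest = tuple(INIT if t == UNINIT_THIS else t for t in rest)
                this_t = INIT
            worklist.append((pc + 1, this_t, rest))
        elif op == "invokevirtual":
            nargs = args[0]
            receiver = stack[-1 - nargs]
            if receiver != INIT:
                raise VerifyError(f"pc {pc}: method call on {receiver} receiver")
            worklist.append((pc + 1, this_t, stack[:-1 - nargs]))
        elif op == "return":
            if this_t != INIT:
                raise VerifyError(f"pc {pc}: return with this {this_t}")
        else:
            raise VerifyError(f"pc {pc}: unsupported opcode {op}")
    return True


def check(instructions, handlers):
    try:
        verify_constructor(instructions, handlers)
        return "accepted"
    except VerifyError as e:
        return "rejected: " + str(e)


# LSDbug(): this(5) inside try; the catch block calls a method on `this`.
LSDBUG = [
    ("aload_0",), ("iconst", 5), ("invokespecial", 1),   # this(5)
    ("return",),
    ("pop",), ("aload_0",), ("invokevirtual", 0),        # catch: this.loadClass(...)
    ("return",),
]
LSDBUG_HANDLERS = [(2, 3, 4)]   # exception from this(5) lands at pc 4

# A catch block that only rethrows is fine: it never touches `this`.
RETHROW = [
    ("aload_0",), ("invokespecial", 0),                  # super()
    ("return",),
    ("athrow",),                                         # catch: rethrow
]
RETHROW_HANDLERS = [(1, 2, 3)]

# Ordinary constructor: super() first, then a method call on the initialized object.
PLAIN = [
    ("aload_0",), ("invokespecial", 0),
    ("aload_0",), ("invokevirtual", 0),
    ("return",),
]

if __name__ == "__main__":
    for name, prog, h in [("PLAIN", PLAIN, []), ("RETHROW", RETHROW, RETHROW_HANDLERS),
                          ("LSDBUG", LSDBUG, LSDBUG_HANDLERS)]:
        print(name, check(prog, h))
```

The rejection fires at the `invokevirtual` in the handler, not at the `invokespecial`, which is the point: the constructor chain itself is well formed, and only a verifier that carries the uninitialized state across the exception edge notices that the catch block operates on an object whose superclass constructor never finished.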

11 Bootstrapping the VM
Need to bootstrap the virtual machine
Certain classes providing policy enforcement need full trust
– Infinite recursion if checks needed on all classes
Lesson 2: Least privilege

12 Bootstrapping the VM
Java 1.0
– Fully trusted code on CLASSPATH
– Current Java versions have bootclasspath for backwards compatibility
.NET's trusted path is a cache of signed files

13 Location-based Vulnerability [Hopwood, 1996]
Netscape cached files on the local filesystem
Guessing cached file names could allow arbitrary code execution
Applet could execute cached files located on CLASSPATH

14 Monitoring Execution Lesson 3: Fail-safe Defaults and Complete Mediation

15 Monitoring Execution
Want policy extensible, but extensibility complicates policy enforcement
– Java 1.0 (HotJava) and 1.1 had all-or-nothing trust for applets
Reference monitor should be tamper-proof and always be invoked

16 Reference Monitor's Enforcement
Java's reference monitor, the SecurityManager, may be bypassed

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {            // no manager installed: the check is skipped
        sm.checkListen(21);      // listen on port 21?
    }

.NET's SecurityManager cannot be inherited or instantiated

17 Failure to Monitor Vulnerability [Brumleve, 2000]
SecurityManager.checkListen() allows creation of a ServerSocket object
Flaw in ServerSocket.implAccept(Socket s)
– Accepts connection to get remote address and port number
– Calls socket's close() and throws SecurityException if permissions violated
– Subclass of Socket can override close() to keep socket open
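The two flaws on slides 16 and 17, the skipped check when no SecurityManager is installed and the accept-then-check ordering that Brown Orifice exploited, as an added Python example (written for this page, not code from the paper or from the JDK). `ReferenceMonitor`, `Socket` and the accept functions are assumed stand-ins for the Java classes; the hardened version applies the principles the slides name and is not the actual JDK fix.

```python
# Added example (not from the paper or the JDK): a Python stand-in for the
# SecurityManager check and the flawed ServerSocket.implAccept() shape that
# Brown Orifice exploited, next to an accept routine that applies complete
# mediation and fail-safe defaults. Class and function names are assumed.


class SecurityException(Exception):
    pass


class ReferenceMonitor:
    """Stand-in for java.lang.SecurityManager: decides which peers may connect."""

    def __init__(self, allowed_hosts):
        self.allowed_hosts = frozenset(allowed_hosts)

    def check_accept(self, host, port):
        if host not in self.allowed_hosts:
            raise SecurityException(f"accept from {host}:{port} denied")


class Socket:
    """Stand-in for java.net.Socket; a real one wraps an OS file descriptor."""

    def __init__(self):
        self.peer = None
        self.open = False

    def attach(self, host, port):   # what the kernel-level accept() did
        self.peer = (host, port)
        self.open = True

    def close(self):
        self.open = False


class BrownOrificeSocket(Socket):
    """Attacker's subclass: close() does nothing, so a denied connection stays open."""

    def close(self):
        pass


def vulnerable_accept(monitor, incoming, sock):
    """Shape of the flawed implAccept(Socket s): accept into the caller's Socket
    first, consult the monitor second, and undo the accept through the
    overridable close() on denial."""
    sock.attach(*incoming)                     # side effect before the check
    if monitor is not None:                    # no monitor installed: check skipped
        try:
            monitor.check_accept(*incoming)
        except SecurityException:
            sock.close()                       # virtual call into subclass code
            raise
    return sock


def hardened_accept(monitor, incoming, sock):
    """Same operation with the principles applied: a missing monitor means deny
    (fail-safe default), the connection lands in a trusted Socket the caller
    cannot subclass, the check runs before anything is handed out, and cleanup
    never depends on a method the caller may override."""
    if monitor is None:
        raise SecurityException("no reference monitor installed")
    internal = Socket()
    internal.attach(*incoming)
    try:
        monitor.check_accept(*incoming)
    except SecurityException:
        Socket.close(internal)                 # base-class close, not a subclass's
        raise
    sock.peer, sock.open = internal.peer, True   # caller's object sees it only now
    return sock


# Constructed sample traffic: the policy allows 10.0.0.5; the attacker's peer is not allowed.
POLICY = ReferenceMonitor(allowed_hosts={"10.0.0.5"})
ATTACKER_PEER = ("203.0.113.7", 40000)


def connection_survives_denial(accept):
    """True if the attacker's socket is still open after the monitor said no."""
    sock = BrownOrificeSocket()
    try:
        accept(POLICY, ATTACKER_PEER, sock)
    except SecurityException:
        pass
    return sock.open


def behaviour_without_monitor(accept):
    """What happens when no reference monitor is installed at all."""
    try:
        accept(None, ATTACKER_PEER, Socket())
        return "allowed"
    except SecurityException:
        return "denied"


if __name__ == "__main__":
    for accept in (vulnerable_accept, hardened_accept):
        print(accept.__name__, connection_survives_denial(accept),
              behaviour_without_monitor(accept))
```

The vulnerable path can only ever check after the kernel has already accepted, which is the real constraint implAccept faced; the lesson is therefore not "check first" alone but that nothing the untrusted caller controls may run between the side effect and its undo, and that the absence of a monitor must not read as permission.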

18 Principles Review
Keep it simple
– Object initialization
– jsr/swap vulnerability (see paper)
Least privilege
– Bootstrapping the VM
– Stack inspection
Fail-safe defaults and complete mediation
– Brown Orifice
– DoS attacks
– Union/intersection in policy resolution

19 Conclusions
Classic security principles still important today
Hard to follow them in real systems
– Easier to find complex solutions than simple ones
– Tradeoffs between security and other goals
  Complete mediation vs. efficiency (policy expressiveness)
  Simplicity vs. backwards compatibility (bootclasspath)
  Fail-safe defaults vs. usability (default policies)
Some reasons for optimism

20 Questions?

21 Conclusions
Why do we still have problems today?
– Security vs. efficiency
– Defense in depth vs. simplicity [McGraw, Viega]
– Flexibility vs. simplicity
Evaluate principles in context [McGraw, Viega]

22 Object Initialization Vulnerability [lsd-pl.net]
LSDbug() constructor → LSDbug(int) constructor → com/ms/security/SecurityClassLoader() constructor
Security exception occurs (caught by the LSDbug() constructor) since the code does not have permission to instantiate a ClassLoader

23 Granted Permissions in Policies
Permissions are granted, not excluded
Java's policy is the union of all granted permissions
.NET policy is the intersection of a 4-level hierarchical policy
– Enterprise
– Machine
– User
– AppDomain
Lesson 3: Fail-safe defaults in permission resolution

24 Static/Dynamic Permissions
Policy enforcement can be optimized
– Need flexibility
Static permissions
– Must be known before run-time
– Faster checking possible
Dynamic permissions
– Can change on the fly
– Checks delayed until run-time
Lesson 3: Fail-safe defaults

25 Policy Implementation: Static/Dynamic Permissions
Static
– Java: granted in class loaders (e.g., AppletClassLoader)
– .NET: attached to assemblies and can be checked before run-time
Dynamic
– Java: union of all permissions in policy files
– .NET: intersection of permissions in policy files
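The resolution rules of slides 23 and 25 side by side, as an added Python example (written for this page, not from the paper, the JDK or the .NET framework). The permission kinds, the `"/-"` subtree wildcard (borrowed from java.io.FilePermission's convention) and the four policy contents are constructed sample data; the point is that the same four grant sets yield different effective permissions under union and under intersection, and only the intersection stays fail-safe when one level is sloppy.

```python
# Added example (not from the paper): permission resolution under Java's
# union-of-policy-files rule versus .NET's intersection across the four policy
# levels named on slide 23. Permission kinds, the "/-" wildcard and the policy
# contents are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    kind: str      # e.g. "file.read", "socket.connect"
    target: str    # path or host:port; "*" matches anything, "dir/-" a subtree

    def implies(self, other):
        """Does this grant cover the requested permission `other`?"""
        if self.kind != other.kind:
            return False
        if self.target == "*" or self.target == other.target:
            return True
        if self.target.endswith("/-"):
            return other.target.startswith(self.target[:-1])   # "/data/-" covers "/data/x/y"
        return False


def granted_by(policy, wanted):
    """A policy (set of grants) grants `wanted` if any of its entries implies it."""
    return any(p.implies(wanted) for p in policy)


def java_resolution(policy_files, wanted):
    """Java: policy files are unioned, so one permissive file is enough."""
    return any(granted_by(pf, wanted) for pf in policy_files)


def dotnet_resolution(levels, wanted):
    """.NET: Enterprise, Machine, User and AppDomain are intersected, so every
    level must grant the permission; a level can narrow the result, never widen it."""
    return all(granted_by(lvl, wanted) for lvl in levels)


# Constructed sample policies. The User level is deliberately sloppy.
ENTERPRISE = {Permission("file.read", "/data/public/-")}
MACHINE = {Permission("file.read", "/data/-")}
USER = {Permission("file.read", "*"), Permission("socket.connect", "*")}
APPDOMAIN = {Permission("file.read", "/data/public/-"), Permission("socket.connect", "*")}
LEVELS = [ENTERPRISE, MACHINE, USER, APPDOMAIN]

REQUESTS = [
    Permission("file.read", "/data/public/report.txt"),
    Permission("file.read", "/etc/passwd"),
    Permission("socket.connect", "evil.example:80"),
]


def effective(resolve, policies):
    """Map each request to whether the given resolution rule grants it."""
    return {f"{r.kind} {r.target}": resolve(policies, r) for r in REQUESTS}


if __name__ == "__main__":
    print("Java-style union:       ", effective(java_resolution, LEVELS))
    print(".NET-style intersection:", effective(dotnet_resolution, LEVELS))
```

Under union the one wildcard entry at the User level grants every request; under intersection it grants nothing the Enterprise level did not already allow, which is what "fail-safe default" means for policy composition.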

26 notes
Emphasize overall point (talk of analysis of lessons learned… one sentence – slide 2)
Pointer
Don't flip between overall pic
Make sure point out vulnerability is on Java
Wrap up each section (at end of vulnerability) better
Have better transitions
Mention a couple more of the Saltzer & Schroeder principles
Look more at audience
Point out no significant security vulnerabilities in .NET (double check)

27 notes
More principles
– Defense in depth
– Chain is only as strong as its weakest link
– Secure failure (not seen in Java's exceptions!)
– Compartmentalization
– Choke points (narrow interface to system)
– Usability
– Trust community (open design, crypto)
– No security through obscurity
– Educate user

28 Object Initialization Vulnerability [lsd-pl.net]
LSDbug is a child class of SecurityClassLoader
Call constructor, call constructor, call superclass constructor (exception occurs)

    new
    dup
    invokespecial LSDbug()
    …
    invokespecial LSDbug(int)
    …
    invokespecial SecurityClassLoader()

29 Object Initialization Vulnerability [lsd-pl.net]
MSIE 4.0, 5.0, 6.0
Create object of a security-critical class to escalate privileges
Similar bug in Sun and Netscape implementations

30 Verifier is (should be) Conservative
[Venn diagram: verifiable programs ⊂ safe programs ⊂ all .NET/Java programs]

31 Complexity Increases Risk
[Venn diagram: same sets as slide 30, with "Bug" marking a program the verifier accepts that lies outside the safe set]