© 2003 School of Computing, University of Leeds. SY32 Secure Computing, Lecture 16: Secure Coding in Java and .NET, Part 1: Fundamentals.


Slide 2: Outline
- Basic security features of Java and .NET
- Use of intermediate languages
- Validation and verification of IL code
- Restricted execution environments
- Code signing

Slide 3: Basic Security Features
- Well-defined, standardized type system
- Strict compile-time type checking
- Lack of pointer arithmetic
- Garbage collection
- Bounds checking of arrays, etc.
- No buffer overruns!

Slide 4: Use of Intermediate Languages
- Compilers target an intermediate language rather than native machine code:
  - Java: bytecode
  - C#, VB.NET, etc.: CIL (managed code)
- Intermediate code is typically JIT-compiled to native code by a virtual machine (VM)
- The VM can perform various security checks when loading, JIT-compiling or running code

Slide 5: Java Bytecode
[Diagram: original Java model (SDK 1.0 & 1.1). Bytecode arriving from the Internet passes through the Verifier and then a Class loader inside the JVM to become a Class object; bytecode loaded from Disk goes to a Class loader directly, without passing through the Verifier.]

Slide 6: Java Bytecode
[Diagram: Java 2 model (SDK 1.2 & above). Bytecode from the Internet and ordinary bytecode from Disk both pass through the Verifier before the Class loader; only the Core API bytecode from Disk takes a separate path to its own Class loader.]

Slide 7: Class Loaders & Security
- Bytecode with different origins is loaded by different class loader objects
- The JVM identifies a class by name and class loader
- Prevents, e.g., a hostile applet from substituting its own java.net.Socket class for the real one
- Difficult to implement correctly; bugs found in:
  - March & May 1996
  - July 1998
  - November 2000

Slide 8: Bytecode Verification
- The verifier looks for:
  - .class file format violations
  - Abuse of the final modifier
  - Classes that don't have one superclass
  - Illegal data conversions
  - Operand stack overflow or underflow
- Field and method access checking is delayed until runtime, then performed once only

Slide 9: Code Validation in .NET
- Managed code is organized as logical units called assemblies, containing CIL instructions, metadata and resources
- Validation checks that:
  - Files have the correct format (PE/COFF)
  - Metadata are present and uncorrupted
  - CIL instructions are legal

Slide 10: Example

```
.method static void Main() cil managed
{
    .entrypoint
    .maxstack 2
    ldc.i4.1                                                  // push 1
    ldc.i4.2                                                  // push 2
    add                                                       // pop two int32s, push their sum
    ldstr "1 + 2 = "                                          // push a string reference
    call void [mscorlib]System.Console::Write(string)        // pops the string
    call void [mscorlib]System.Console::WriteLine(int32)     // pops the sum
    ret
}
```

What happens when the ldc.i4.2 instruction is removed?
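The question above can be answered mechanically. The following toy operand-stack validator is an added example, not code from the lecture: it knows only the opcodes the slide's Main method uses (a real validator covers the whole instruction set and control flow) and reports the underflow that removing ldc.i4.2 causes at add, as well as any growth beyond .maxstack.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Toy operand-stack validator for the CIL method on the slide (added example).
public class CilStackCheck {

    // Stack effect per instruction: {operands popped, results pushed}.
    // Only the instructions used on the slide are modelled.
    static final Map<String, int[]> EFFECT = Map.of(
        "ldc.i4.1", new int[]{0, 1},
        "ldc.i4.2", new int[]{0, 1},
        "add",      new int[]{2, 1},
        "ldstr",    new int[]{0, 1},
        "call void [mscorlib]System.Console::Write(string)",    new int[]{1, 0},
        "call void [mscorlib]System.Console::WriteLine(int32)", new int[]{1, 0},
        "ret",      new int[]{0, 0});   // Main returns void, so ret pops nothing

    // Returns null when the stack stays consistent, otherwise a diagnostic.
    static String check(List<String> body, int maxstack) {
        int depth = 0;
        for (String insn : body) {
            String key = insn.startsWith("ldstr ") ? "ldstr" : insn;
            int[] e = EFFECT.get(key);
            if (e == null) {
                return "unknown instruction: " + insn;
            }
            if (depth < e[0]) {
                return "stack underflow at '" + insn + "': depth " + depth + ", needs " + e[0];
            }
            depth = depth - e[0] + e[1];
            if (depth > maxstack) {
                return "stack overflow at '" + insn + "': depth " + depth + " exceeds .maxstack " + maxstack;
            }
        }
        return depth == 0 ? null : "stack not empty at ret: depth " + depth;
    }

    public static void main(String[] args) {
        List<String> original = List.of(
            "ldc.i4.1", "ldc.i4.2", "add", "ldstr \"1 + 2 = \"",
            "call void [mscorlib]System.Console::Write(string)",
            "call void [mscorlib]System.Console::WriteLine(int32)", "ret");
        String r = check(original, 2);
        System.out.println("original method: " + (r == null ? "valid" : r));

        List<String> withoutPush = new ArrayList<>(original);
        withoutPush.remove("ldc.i4.2");   // the slide's question
        r = check(withoutPush, 2);
        System.out.println("without ldc.i4.2: " + (r == null ? "valid" : r));
    }
}
```

With ldc.i4.2 removed, add finds only one operand on the stack, which is exactly the kind of illegal instruction sequence that .NET validation (and the Java verifier's stack check on the previous slides) rejects before the code runs.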

Slide 11: Code Verification in .NET
- Verification checks the type safety of CIL code
- The algorithm will reject some type-safe code
- Failure doesn't necessarily prevent execution
[Diagram: nested sets. Verifiable code is a subset of type-safe code, which is in turn a subset of all code.]

Slide 12: Example
- C# class Secret contains a private integer field
- Attacker writes a class Hack with a public integer field, then attempts to make a Hack reference point to a Secret instance
- A bona fide compiler will refuse to compile this type confusion attack…
- …but what if the attacker writes in CIL?

Slide 13

```csharp
class Secret
{
    private int data;
    ...
}

class Hack
{
    public int data;

    static void Main()
    {
        Secret s = new Secret();
        Hack h = new Hack();
        h = s;                          // compiler error: a Secret is not a Hack
        System.Console.WriteLine(h.data);
    }
}
```

Slide 14

```
.field public int32 'data'
.method static void Main() cil managed
{
    .entrypoint
    .maxstack 2
    .locals init (class [Secret]Secret V_0, class Hack V_1)
    newobj instance void [Secret]Secret::.ctor()
    stloc.0
    newobj instance void Hack::.ctor()
    stloc.1
    ldloc.0
    stloc.1                                   // type confusion: a Secret reference stored in the Hack local
    ldloc.1
    ldfld int32 Hack::'data'                  // reads Secret's private field through the Hack layout
    call void [mscorlib]System.Console::WriteLine(int32)
    ret
}
```

Type confusion… but this code might execute, nevertheless!

Slide 15: Explanation
- An assembly that fails verification may still run if it is loaded from local disk, because such code is fully trusted by default
- The same assembly downloaded from a web server will normally not be executed
- The exact behaviour depends on how code access security policy has been configured

Slide 16: Problems
- IL verification is hard to implement correctly
- Example: bugs in Java's bytecode verifier
  - March 1996
  - March & May 1997
  - April 1999
  - March 2002
  - January 2003

Slide 17: Restricted Environments
- The Java sandbox
- .NET application domains
- .NET isolated storage

Slide 18: The Classic Java Sandbox
- Applets from the Internet are not trusted and must execute in a sandbox:
  - Cannot run programs on the client machine
  - No access to the local file system
  - Network access restricted to the originating site
- Applications from local disk are implicitly trusted and have the full privileges of the executing user
- A restrictive, black-and-white security model, improved in later versions

Slide 19: .NET Application Domains
- The assemblies of a .NET application can be loaded into different application domains
- Application domains are isolated from each other, communicating only via remoting
- Each application domain can be programmed with its own code access security policy

Slide 20: .NET Isolated Storage
- Applications may need some persistent state, but granting unrestricted access to the hard disk is risky
- Isolated storage provides areas of disk that are private to a given user & assembly
- Virtual filesystem; no way of specifying a path to another store or to the rest of the disk
- Quotas can be imposed to prevent DoS

Slide 21: Code Signing
- IL code can be signed digitally by someone prepared to vouch for that code
- If the signature can be verified, the code may be regarded as trusted and granted greater privileges
- Java supports signing of JAR files
- .NET supports signing of assemblies:
  - To guarantee integrity & uniqueness (strong naming)
  - To identify the publisher (Authenticode)

Slide 22: JAR Signing Process
[Diagram: the bytecode is hashed; the hash is signed with the signer's private key; the resulting signed hash is packaged together with the bytecode.]

Slide 23: Signature Verification Process
[Diagram: the JAR holds the bytecode and the signed hash. The signature is checked with the signer's public key, yielding the original hash; a new hash is computed from the bytecode; the two hashes are compared.]
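The two diagrams above (signing on slide 22, verification on slide 23) carried through in code, as an added example rather than anything from the lecture or the JDK's jarsigner tool. It uses the JDK's Signature class with SHA256withRSA, which performs the hashing step itself: sign() hashes the bytecode and signs the hash, and verify() recovers the protected hash from the signature and compares it with a fresh hash of the delivered bytes. The bytecode is a constructed stand-in, not a real class file.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Hash-then-sign and check-then-compare, as on slides 22 and 23 (added example).
public class CodeSigningDemo {

    // Signing side: produce the "signed hash" with the signer's private key.
    static byte[] signBytecode(byte[] bytecode, PrivateKey signerKey)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signerKey);
        sig.update(bytecode);   // the hash is computed over these bytes
        return sig.sign();
    }

    // Verifying side: check the signature with the signer's public key and
    // compare the hash it protects with a new hash of the delivered bytecode.
    static boolean verifyBytecode(byte[] bytecode, byte[] signedHash, PublicKey signerKey)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(signerKey);
        sig.update(bytecode);
        return sig.verify(signedHash);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();

        // Constructed stand-in for a class file: the class-file magic plus a few bytes.
        byte[] bytecode = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 49};
        byte[] signedHash = signBytecode(bytecode, signer.getPrivate());
        System.out.println("untouched bytecode verifies: "
            + verifyBytecode(bytecode, signedHash, signer.getPublic()));

        // Any change to the bytecode after signing makes the new hash differ from the original.
        byte[] tampered = bytecode.clone();
        tampered[7] = 50;
        System.out.println("modified bytecode verifies: "
            + verifyBytecode(tampered, signedHash, signer.getPublic()));

        // A signed hash produced with someone else's private key fails the signature check.
        KeyPair impostor = kpg.generateKeyPair();
        byte[] forged = signBytecode(bytecode, impostor.getPrivate());
        System.out.println("signature from another key verifies: "
            + verifyBytecode(bytecode, forged, signer.getPublic()));
    }
}
```

Note that a valid signature only establishes integrity and who vouched for the code, which is why the lecture treats the decision to grant extra privileges to signed code as a separate policy step.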

Slide 24: Summary
- Java and .NET promote greater security in development and in code execution
- Correctness of compiled code can be verified before it executes
  - Implementations are not perfect
  - Some system configuration may be required
- Java and .NET restrict the access that untrusted code has to other code, the filesystem, the network, etc.
- Restrictions can be relaxed for signed code