java –noverify Simple result: 5"> java –noverify Simple result: 5">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS216: Program and Data Representation

Published byOpal Simpson Modified over 5 years ago

Similar presentations

Presentation on theme: "CS216: Program and Data Representation"— Presentation transcript:

1 CS216: Program and Data Representation
University of Virginia Computer Science Spring David Evans Lecture 19: Java Security PS6 Submission: Only to be eligible for the “Byte Code Wizard” awards. If the web submission is down, you can submit (once) by .

2 Running Mistyped Code .method public static main([Ljava/lang/String;)V
iconst_2 istore_0 aload_0 iconst_3 iadd return .end method > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type > java –noverify Simple result: 5

3 Running Mistyped Code ldc 216
.method public static main([Ljava/lang/String;)V ldc 216 istore_0 aload_0 iconst_2 iconst_3 iadd .end method > java –noverify Simple Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc ) occurred at PC=0x809DCEB Function=JVM_FindSignal+0x1105F Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll Current Java thread: at Simple.main(Simple.java:7) # # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION # Error ID : 4F530E EF # Please report this error at # # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)

4 Java Security Architecture
Java VM Operating System Protected Resource ClassLoader Security exception Verify Exception JAR Class Verifier

5 JavaVM Interpreter for JVML programs
Has complete access to host machine: its just a C program running normally Bytecode verifier ensures some safety properties, JavaVM must ensure rest: Type safety of run-time casts, array assignments Memory safety: array bounds checking Resource use policy

6 Reference Monitors

7 Program Execution Monitor Program Speakers Network Disk Memory
SuperSoaker 2000 Monitor Program Disk Memory Network

8 Program Execution Reference Monitor Monitor Program Speakers Network
SuperSoaker 2000 Monitor Reference Monitor Program Disk Memory Network

9 Ideal Reference Monitor
Sees everything a program is about to do before it does it Can instantly and completely stop program execution (or prevent action) Has no other effect on the program or system Can we build this? Probably not unless we can build a time machine...

10 Ideal Reference Monitor
Real Ideal Reference Monitor most things Sees everything a program is about to do before it does it Can instantly and completely stop program execution (or prevent action) Has no other effect on the program or system limited

11 Operating Systems Provide reference monitors for most security-critical resources When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file Doesn’t allow different policies for different programs No flexibility over what is monitored OS decides for everyone Hence, can’t monitor inexpensive operations

12 Java Security Manager (Non-Ideal) Reference monitor
Limits how Java executions can manipulate system resources User/host application creates a subclass of SecurityManager to define a policy

13 JavaVM Policy Enforcment
[JDK 1.0 – JDK 1.1] From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); checkDelete throws a SecurityExecption if the delete would violate the policy (re-thrown by delete) What could go seriously wrong with this?!

14 HotJava’s Policy (JDK 1.1.7)
public class AppletSecurity extends SecurityManager { ... public synchronized void checkDelete(String file) throws Security Exception { checkWrite(file); }

15 AppletSecurity.checkWrite (some exception handling code removed)
public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); Note: no checking if not inApplet! Very important this does the right thing.

16 inApplet boolean inApplet() { return inClassLoader(); }
Inherited from java.lang.SecurityManager: protected boolean inClassLoader() { return currentClassLoader() != null;

17 currentClassLoader /**
Returns an object describing the most recent class loader executing on the stack. Returns the class loader of the most recent occurrence on the stack of a method from a class defined using a class loader; returns null if there is no occurrence on the stack of a method from a class defined using a class loader. */ protected native ClassLoader currentClassLoader();

18 Recap java.io.File.delete calls SecurityManager.checkDelete before deleting HotJava overrides SecurityManager with AppletSecurity to set policy AppletSecurity.checkDelete calls AppletSecurity.checkWrite AppletSecurity.checkWrite checks if any method on stack has a ClassLoader If not no checks; if it does, checks ACL list

19 JDK 1.0 Trust Model When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader

20 JDK Evolution JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader JDK 1.2: Different classes can have different policies based on ClassLoader Explict enable/disable/check privileges SecurityManager is now AccessController

21 What can go wrong? Java API doesn’t call right SecurityManager checks (63 calls in java.*) Font loading bug, synchronization ClassLoader is tricked into loading external class as internal Bug in Bytecode Verifier can be exploited to circumvent SecurityManager Policy is too weak (allows damaging behavior)

22 Example Vulnerability
Object Creation involves three steps: new – create new object reference dup – duplicate reference invokespecial <> – calls constructor new #14 <Class java.lang.StringBuffer> dup invokespecial #15 <Method java.lang.StringBuffer()>

23 Object Initialization Vulnerability [lsd-pl.net]
class LSDbug extends SecurityClassLoader { public LSDbug() { try { LSDbug(5); } catch (SecurityException e) { this.loadClass(…); } } public LSDbug (int x) { super(); // throws Security Exception } } this is used, but not property initialized! Bytecode verifier (old version) didn’t make correct checks [put in a diagram, or show the bytecodes, talk through better] Points to make: LSDbug is a child class of SecurityClassLoader Verifier didn’t make correct check on call of this initialization (constructor) method (that’s why 2nd constructor is necessary) Invokenonvirtual’s complicated use contributed to bug in addition to it being combined with object initialization. Make a better transition and wrap up low-level code safety Example above from LSD paper… With this vulnerability, invokenonvirtual was the instruction used (not invokespecial). invokespecial is a newer instruction that is backwards compatible with invokenonvirtual. Details: call default constructor (call it constructor 1). Constructor 1 calls constructor 2 which then calls the superclass’ constructor method. For this example, say the superclass’ constructor method is the privileged classloader class, but the code doesn’t have code to create a classloader. An exception is thrown, and the verifier thinks initialization completed successfully.

24 Verifier (should be) Conservative
JVML programs Safe programs Verifiable programs (Slide from Nate Paul’s ACSAC talk)

25 Complexity Increases Risk
JVML programs Safe programs Verifiable programs 7/8 titles confusing Bug (Slide from Nate Paul’s ACSAC talk)

26 Vulnerabilities in JavaVM
45 40 35 30 25 Vulnerabilities Reported 20 15 10 5 1 2 3 4 5 6 7 8 9 July 1996 Years Since First Release July 2005

27 Where are They? Verification 12 API bugs 10 Class loading 8
Other or unknown 2 Missing policy checks 3 Configuration 4 DoS attacks (crash, consumption) 5 several of these were because of jsr complexity

28 Summary: Low-level vs. Policy Security
Low-level Code Safety: Type safety, memory safety, control flow safety Needed to prevent malcode from circumventing any policy mechanism Policy Security: Control access and use of resources (files, network, display, etc.) Enforced by Java class Hard part is deciding on a good policy

29 Charge PS6 due Monday Next class: Questions 8-10 are open ended
Lots of improvements possible, but don’t need to find everything Token prize for best solutions to #8 and #10 (and title of Byte Code Wizard!) Next class: How a hair dryer can break all this Starting with x86 assembly

Download ppt "CS216: Program and Data Representation"

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Yoshi

Yoshi
Java Security John Mitchell CS 242 Reading: Chapter 13 (+Slides contain additional material) 2008.

Java Security John Mitchell CS 242 Reading: Chapter 13 (+Slides contain additional material) 2008.
Compilation 2007 Code Generation Michael I. Schwartzbach BRICS, University of Aarhus.

Compilation 2007 Code Generation Michael I. Schwartzbach BRICS, University of Aarhus.
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
Java security (in a nutshell)

Java security (in a nutshell)
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
1 1 Lecture 14 Java Virtual Machine Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Tatung Institute of Technology.

1 1 Lecture 14 Java Virtual Machine Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Tatung Institute of Technology.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.

Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.
Security CS-328. The need for security In most of the programming classes that we’ve taken the emphasis has always been on getting the “job” done and.

Security CS-328. The need for security In most of the programming classes that we’ve taken the emphasis has always been on getting the “job” done and.
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
Security: Lessons Learned and Missed from Java Nathanael Paul David Evans University of Virginia ACSAC 2004.

Security: Lessons Learned and Missed from Java Nathanael Paul David Evans University of Virginia ACSAC 2004.
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.

Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.
COMP 14: Intro. to Intro. to Programming May 23, 2000 Nick Vallidis.

COMP 14: Intro. to Intro. to Programming May 23, 2000 Nick Vallidis.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Similar presentations

Ads by Google