Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

1 Java Security

2 Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise Java Security on the Network

3 JVM as Gatekeeper
Indirect Execution
Language Features (no pointers, type-safe)
Class Loaders
Bytecode Verifiers

4 Security Solutions
Java Security on the Browser
  – Browser Security Managers
  – Sandbox
  – Digital Signatures
Java Security in the Enterprise
  – Access Control
  – Authentication
  – Authorization
  – Confidentiality and Integrity Protection
Java Security on the Network
  – Encryption

5 [Diagram labels: Java Application Server; Presentation & Business Logic; Servlet/JSP; EJBs, RMI Objects; JDBC; Internet; Browser; Web Server]

6 One Observation
In all likelihood, security flaws will continue to be discovered (and patched) in Java VM implementations. Despite this, Java remains perhaps the most secure platform currently available. There have been few, if any, reported instances of malicious Java code exploiting security holes "in the wild". For practical purposes, the Java platform appears to be adequately secure, especially when contrasted with some of the insecure and virus-ridden alternatives.
- David Flanagan, Java in a Nutshell

7 Types of Attack
System Attack
Data theft
Masquerade
Denial of Service
Annoyance

8 Defending against Attack
[Diagram labels: Class; Computer Resources; Bytecode Verifier; Class Loader; Security Manager]

9 Class Loaders
VM only loads class files that are needed for the execution of a program
Every Java program has at least three class loaders:
  – Bootstrap class loader
  – Extension class loader
  – System class loader

10 Bootstrap class loader
Loads system classes (rt.jar)
Usually implemented in C
Integral part of the JVM
No ClassLoader object available

11 Other class loaders
Extension class loader
  – Loads standard extensions (jre/lib/ext)
System class loader
  – Loads application classes from CLASSPATH
Both of the above are implemented in Java
Both of the above are instances of the URLClassLoader class.

12 Namespaces
Beyond just the fully resolved class and package name
A class is determined by its full name and the class loader
Useful for loading code from multiple sources
Two classes in the same VM may have the same class and package name

13 Namespaces
[Diagram: Internet with www.sun.com (Sun applet) and www.kaos.com (Kaos applet); browser JVM with class loaders r1 and r2 holding com.sun.Car (Sun) and com.sun.Car (Kaos)]
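
The rule on the two Namespaces slides, that a class is identified by its full name together with its class loader, as an added example (not part of the original presentation). IsolatingLoader and the nested Car class are hypothetical names; Car stands in for the slide's com.sun.Car.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class NamespaceDemo {
    // Stand-in for the slide's com.sun.Car (name chosen for this example).
    public static class Car { }

    // Hypothetical loader: defines the target class itself instead of delegating,
    // so each loader instance owns a private copy of that class.
    static class IsolatingLoader extends ClassLoader {
        private final String target;

        IsolatingLoader(String target) {
            super(NamespaceDemo.class.getClassLoader());
            this.target = target;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) return super.loadClass(name, resolve); // parent-first
            synchronized (getClassLoadingLock(name)) {
                Class<?> loaded = findLoadedClass(name);
                if (loaded != null) return loaded;
                String resource = name.replace('.', '/') + ".class";
                try (InputStream in = getParent().getResourceAsStream(resource)) {
                    if (in == null) throw new ClassNotFoundException(name);
                    ByteArrayOutputStream buf = new ByteArrayOutputStream();
                    byte[] chunk = new byte[4096];
                    for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
                    byte[] bytes = buf.toByteArray();
                    return defineClass(name, bytes, 0, bytes.length);
                } catch (IOException e) {
                    throw new ClassNotFoundException(name, e);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Car.class.getName();
        Class<?> r1 = new IsolatingLoader(name).loadClass(name);
        Class<?> r2 = new IsolatingLoader(name).loadClass(name);
        System.out.println("same name:  " + r1.getName().equals(r2.getName()));
        System.out.println("same class: " + (r1 == r2));
        Object car = r1.getDeclaredConstructor().newInstance();
        System.out.println("r2 accepts r1's object: " + r2.isInstance(car));
    }
}
```

Compile with javac and run the compiled class so that the Car class file is on the class path. The two Class objects share a name but are distinct, and an instance created through r1 is not an instance of r2's class.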

14 Bytecode Verification
Inspects bytecodes from newly loaded class
Checks instructions to make sure they are safe
All classes except system classes are verified

15 Verification Checks
Variables initialized before use
Method calls match types of object references
Rules for accessing private data and methods upheld
Local variable accesses fall within the runtime stack
The runtime stack does not overflow

16 Security Manager
Determines if a specific operation is permitted
  – Accessing fields of another class using reflection
  – Accessing a file
  – Starting a print job
  – Accessing the AWT event queue
  – Exiting the virtual machine

17 Consulting the Security Manager
    public void exit(int status) {
        // Ask the installed security manager (if any) before exiting
        SecurityManager sec = System.getSecurityManager();
        if (sec != null)
            sec.checkExit(status);
        exitInternal(status);
    }

18 Permission Sets
A security policy maps code sources to permission sets
Code Source 1: code base (location), certificates
Code Source 2: code base (location), certificates
Permission Set 1: permission #1a, permission #1b
Permission Set 2: permission #2a, permission #2b, permission #2c

19 Policy Files
Instructions that map code sources to permissions
    grant codeBase "http://www.cs.weber.edu/classes" {
        permission java.io.FilePermission "/tmp/*", "read,write";
    };
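
What the slide's FilePermission entry does and does not cover, as an added example (not part of the original presentation). It evaluates the permission objects directly with implies() rather than installing a SecurityManager (deprecated since Java 17), so it runs on current JDKs; the class name, the "/tmp/-" variant and the sample requests are constructed for illustration, and Unix-style paths are assumed.

```java
import java.io.FilePermission;
import java.security.Permissions;

public class PolicyGrantDemo {
    // Permission set for one grant entry, e.g. the slide's
    //   permission java.io.FilePermission "/tmp/*", "read,write";
    static Permissions grant(String path, String actions) {
        Permissions set = new Permissions();
        set.add(new FilePermission(path, actions));
        return set;
    }

    // True when the granted set covers the requested file access.
    static boolean allowed(Permissions granted, String path, String actions) {
        return granted.implies(new FilePermission(path, actions));
    }

    public static void main(String[] args) {
        Permissions flat = grant("/tmp/*", "read,write");      // entry from the slide
        Permissions recursive = grant("/tmp/-", "read,write"); // variant added for comparison
        // Constructed sample requests: {path, actions}.
        String[][] requests = {
            {"/tmp/report.txt", "read"},
            {"/tmp/report.txt", "read,write"},
            {"/tmp/report.txt", "delete"},       // action not in the grant
            {"/tmp/cache/report.txt", "read"},   // "*" stops at the directory, "-" descends
            {"/etc/passwd", "read"},             // outside the granted directory
        };
        System.out.printf("%-24s %-11s %-8s %s%n", "path", "actions", "/tmp/*", "/tmp/-");
        for (String[] r : requests) {
            System.out.printf("%-24s %-11s %-8s %s%n", r[0], r[1],
                    allowed(flat, r[0], r[1]) ? "ALLOW" : "DENY",
                    allowed(recursive, r[0], r[1]) ? "ALLOW" : "DENY");
        }
    }
}
```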

20 Where are policy files?
The file java.policy in the Java platform home directory
The file .java.policy in the user home directory

21 Specifying policy files
Assume a customized policy file called MyApp.policy
Inside an application main method:
    System.setProperty("java.security.policy", "MyApp.policy");
On the command line:
    java -Djava.security.policy=MyApp.policy MyApp
For applets:
    appletviewer -J-Djava.security.policy=MyApp.policy MyApp.html

22 Installing a Security Manager
Inside an application main method:
    System.setSecurityManager(new SecurityManager());
On the command line:
    java -Djava.security.manager -Djava.security.policy=MyApp.policy MyApp

23 JAAS – Java Authentication and Authorization Service
Authentication – ascertaining identity
Authorization – map users to permissions
Isolates Java applications from underlying technology used to implement authentication
  – UNIX logins
  – NT logins
  – Kerberos authentication
  – Certificate-based authentication

24 Digital Signatures
Allows different levels of security
Has the transmitted message been tampered with?
Message Digest (SHA1, MD5)
Public/Private Key (DSA)
Certificate Signing

25 Encryption
Obscures transmission of plain text
Hides confidential information
Java Cryptography Extension (JCE)
  – Cipher class
Data Encryption Standard (DES)

