Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim."— Presentation transcript:

1 1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim

2 2 Outline of presentation n Introduction n Security in Java n 3 Approaches – Capabilities – Extended Stack Introspection – Type Hiding-Analysis n Evaluation of above 3 approaches – Criteria n Conclusion

3 3 Introduction n Mobile code systems must have stronger security n Web browsers rely on software mechanisms for protection n Advantage of software protection over hardware protection – Portability : Platform independent security mechanism – Performance : Cheap cross-domain call n Secure services with software protection – Not only memory protection, but more! VM Kernel Application Kernel Application

4 4 Security in Java n PL mechanisms to enforce memory safety n "Sandbox" model for sensitive system service in Sun's JVM – Local code is completely trusted. – Remote code is completely untrusted. n Sun's JVM implementation to make above checks – ClassLoader – Stack introspection n Reference to the class in every frame on the call stack. – All the potentially dangerous methods were designed to call a centralized SecurityManager – Too inflexible

5 5 3 Approaches n Providing fine-grain security policy – Distinguishing between "different" sources of programs – Provide appropriate policies for each of them. – All presume the presence of digital signatures n 3 Approaches – Capabilities – Extended Stack Introspection – Type Hiding

6 6 Capabilities n A capability is an unforgeable pointer to a controlled system resource. n In Java, a capability is simply a reference to an object n Java capabilities would implement interposition by providing the exclusive interface to system resources – Rather than using the File class, a program would be required to use a file system capability acquired on startup or through a broker n Java run-time library would require significant changes

7 // In this example, any code wishing to open a file must first // obtain an object which implements FileSystem interface FileSystem{public FileInputStream getInputStream(String path);} // This is the primitive class for accessing the filesystem. // Note that the constructor is not public -- this restricts creation of these // objects to other code in the same package public class FS implements FilsSystem{ FS(){} public FileInputStream getInputStream(String path){ return internalOpen(path);} private native FileInputStream internalOpen(path); } // This class allows anyone holding a FileSystem to export a subset of // that filesystem. Calls to getInputStream() are prepended with the // desired filesystem root, then passed on to the internal FileSystem capability public class SubFS implements FileSystem{ private FileSystem fs; private String rootPath; public SubFS(String rootPath, FileSystem fs){ this.rootpath = rootPath; this.fs = fs;} public FileInputStream getInputStream(String path){ return fs.getInputStream(rootPath + “/” + path);} }

8 8 Extended Stack Introspection n To support multiple principals with different privileges n Target is defined as (prin,string-name) – Ex> (System,"networking") n Policy engines – given a principal requesting access for a target, say yes,no, or blank enablePrivilege(target) – when code wishes to use the protected resource, call it. It will consult policy engine and privilege is written in caller's stack frame if permitted. checkPrivilege(target) – It searches the call stack for an enabled privilege to the given target. n JVM should be modified for extended stack introspection

9 9 Example: Network Policy PrincipalPrivilege operations User() user Safe_net_conn() System net_connect() System checkPrivilege() System +networking Call Stack Default Java policy is to allow network connections to be created only to the host from which the applet originated Implementation of default java network policy

10 10 Type Hiding n Java uses run-time dynamic linking mechanism. – We enforce a given security policy by controlling how names in a program are resolved into run-time entities. n Policy engine determines which configuration is used for the code's name space, as a function of its principal. – Configuration, which is a mapping from class names to implementations Java ClassLoader should be modified ClassLoader is used to provide mapping from class- name to class-implementation

11 11 Example n Configuration Class Loader Configuration Policy engine Java.io.SubFs Bob Java.io.FileSystem request Java.io.FileSystem

12 12 Criteria n Economy of mechanism n Complete mediation n Least privilege n Performance n Compatibility n Fail-safe defaults n Least common mechanism n Accountability n Psychological acceptability n Remote calls

13 13 Economy of mechanism n Type hiding is the simplest n Unmodified capability is simple, too. But fully capability-based Java requires redesign of library. n Stack introspection requires complex change

14 14 Complete mediation n Simple capability is problematic n Type hiding have good confinement property n Stack introspection have excellent confinement.

15 15 Least privilege n Type hiding is somewhat problematic n Stack introspection provides middle ground n Capabilities have very good properties.

16 16 Performance n Stack introspection has the highest runtime costs n Type hiding and capability system don't incur run-time overhead

17 17 Compatibility n Language based protection can be implemented without diverging much from original specification of the language. n Type hiding and extended stack introspection provide good compatibility n Capability requires changes of Java class API design

18 18 n Fail-Safe Defaults n Least common mechanism n Accountability n Psychological acceptability n Remote calls

19 19 Conclusion n Software-based protection systems n Three designs for security are suggested – Capability system n It can be implemented naturally in Java. But it requires drastic change of API design – Stack introspection n It introspection offers good compatibility. But its complexity is troubling and its implementation is very specific to JVM – Type hiding n It offers good compatibility. n To combine these techniques could be a solution

Download ppt "1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
Mobile Agents Mouse House Creative Technologies Mike OBrien.

Mobile Agents Mouse House Creative Technologies Mike OBrien.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
PlanetLab Architecture Larry Peterson Princeton University.

PlanetLab Architecture Larry Peterson Princeton University.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
Java security (in a nutshell)

Java security (in a nutshell)
Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
The road to reliable, autonomous distributed systems

The road to reliable, autonomous distributed systems
Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,

Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,
Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,

Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
Object Orientated Programming

Object Orientated Programming
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Similar presentations

Ads by Google