Basic Security: Java vs. .NET. Master Seminar Advanced Software Engineering Topics, Prof. Jacques Pasquier-Rocha, Software Engineering Group, Department of Informatics.


1 Basic Security: Java vs. .NET
Master Seminar Advanced Software Engineering Topics
Prof. Jacques Pasquier-Rocha
Software Engineering Group, Department of Informatics, University of Fribourg, Switzerland
Author: David Buchmann
Supervisor: Ghita Kouadri Mostéfaoui
15 May 2003

2 Overview
● Part 1: Theory
  – Introduction
  – Principles of Java and .NET
  – What kind of security?
  – Language security
  – Permission Management
● Part 2: Example with Java

3 Introduction
● Use downloaded code (web browser, distributed application)
● Need for strict control
● Sandbox
● Permission Management
● Codebases or trust zones

5 Principles
● Compiler produces byte code
● Virtual machine to interpret code
● Class loader
● Code verifier
● Access control
● Interface for native code

6 Distribution
● Packages / namespaces to avoid naming conflicts
● Reflection to analyse code
● Code and resource libraries (JAR or Assembly)

7 Remote Calls
● RMI or .NET Remoting
● Use remote objects, marshalling of parameter objects
● Typical case of executing foreign code
● See presentation of Robert Feldmann

9 What kind of security?

11 Access to private data
● Public, protected, private, final
● Pointer, arrays
● Casts, stack corruption
● Uninitialized variables
● Byte code verifier

12 Sandbox and native code
● .NET application domain, fixed at startup
● Java protection domain, dynamic
● Old native code can be used, but not controlled by the VM
● Managed vs. unmanaged code

14 Permissions
● Allow operations depending on protection domain
● Build groups of domains
  – Directory
  – URL
  – Signature
  – All Code

15 .NET Code Groups

16 Determining the group in Java
● Dynamically determine group
● Based on the protection domain of classes on the execution stack

17

18 Managing groups and permissions
● Java: Policy file
  – java -Djava.security.policy=
● .NET: caspol.exe front end
  – caspol.exe -addgroup 1.3 -site www.unifr.ch FullTrust
  – caspol.exe -security off
  – caspol.exe -addpset MyCustomSet permissions.xml

    <PermissionSet class="System.Security.NamedPermissionSet"
                   version="1"
                   Name="MyCustomSet"
                   Description="An example set">
      <IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                   version="1"
                   Unrestricted="true" />
    </PermissionSet>

19 Policy levels & flexibility
● .NET: machine, user, enterprise level
  – intersection of permissions
● Java: default policy, user - union of permissions
● Java can replace security manager, permission manager and class loader

21 Downloaded code
● Downloaded code is in separate protection domain

22 No access to file system
● Downloaded code should not have access to the file system

23 Network access
● Downloaded code should only connect to the server it comes from

24 The calling stack
● Local code called by remote code is not trusted, but treated as if it was remote.
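
Added example (not part of the original slides): a small Python model of the permission decision described on slides 16, 19 and 21-24. It is language-neutral and does not use the Java or .NET APIs; the domain names, host name and permission tuples are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

FILE_READ = ("file", "read")


@dataclass(frozen=True)
class Domain:
    """Protection domain: a code origin plus the permissions granted to it."""
    name: str
    permissions: frozenset


def union_levels(*levels):
    """Java-style combination (slide 19): default and user policy grants add up."""
    return frozenset().union(*levels)


def intersect_levels(*levels):
    """.NET-style combination (slide 19): a permission must be granted at every level."""
    return frozenset(set.intersection(*(set(level) for level in levels)))


def downloaded_domain(codebase_url):
    """Slides 21-23: own domain, no file access, connect only to the origin host."""
    host = urlsplit(codebase_url).hostname
    return Domain("downloaded:" + host, frozenset({("connect", host)}))


def check(stack, permission):
    """Slides 16/24: every domain on the call stack must hold the permission.

    Returns (allowed, name of the first domain lacking it, or None).
    """
    for domain in stack:  # innermost frame first
        if permission not in domain.permissions:
            return False, domain.name
    return True, None


# Constructed sample data: the host name and grants are placeholders.
ORIGIN = "applets.example.test"
LOCAL = Domain("local", union_levels({FILE_READ}, {("connect", ORIGIN)}))
APPLET = downloaded_domain("http://applets.example.test/classes/")

if __name__ == "__main__":
    print(check([LOCAL], FILE_READ))                        # local code on its own
    print(check([LOCAL, APPLET], FILE_READ))                # local helper called by the applet
    print(check([APPLET], ("connect", ORIGIN)))             # applet connects back to its origin
    print(check([APPLET], ("connect", "other.example.test")))
```

The second call is the case on slide 24: the local helper holds the file permission, but the downloaded caller further up the stack does not, so the request is refused.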

25 Conclusion
● Private and final not only for clean programming, but important for security
● Virtual machines to enforce proper code and access control
● Java and .NET very similar
  – Java more flexible
  – .NET better default framework
  – but no replace

26 Java vs. .NET
● Long used, security holes found
● Implement own security features
● Run on different platforms
● Integrate with different systems
● Many open source projects
● Integrated with Windows infrastructure
● Good security implementation
● Use different languages
● Very professional Visual Studio .NET
● Will become important because of Microsoft's marketing power

27 Thank You
Questions?

