CMPSC 497: Java Security

Similar documents
Java Security. Compiler. Compiler. Hardware. Interpreter. The virtual machine principle: Abstract Machine Code. Source Code

JVML Instruction Set. How to get more than 256 local variables! Method Calls. Example. Method Calls

JVM. What This Topic is About. Course Overview. Recap: Interpretive Compilers. Abstract Machines. Abstract Machines. Class Files and Class File Format

Java Class Loading and Bytecode Verification

CS2110 Fall 2011 Lecture 25. Under the Hood: The Java Virtual Machine, Part II

Course Overview. PART I: overview material. PART II: inside a compiler. PART III: conclusion

Static Program Analysis

CSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1

Java byte code verification

CSCE 314 Programming Languages

Agenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1

The Java Language Implementation

Java: framework overview and in-the-small features

Compiling Techniques

Exercise 7 Bytecode Verification self-study exercise sheet

Plan for Today. Safe Programming Languages. What is a secure programming language?

The Java Virtual Machine

Identity-based Access Control

Running Mistyped Code. Lecture 19: Java Security. Running Mistyped Code. Java Security Architecture. JavaVM. Reference Monitors

Today. Instance Method Dispatch. Instance Method Dispatch. Instance Method Dispatch 11/29/11. today. last time

Portable Resource Control in Java: Application to Mobile Agent Security

JAM 16: The Instruction Set & Sample Programs

CSc 453 Interpreters & Interpretation

Run-time Program Management. Hwansoo Han

SOFTWARE ARCHITECTURE 7. JAVA VIRTUAL MACHINE

Java Security HotJava to Netscape and Beyond

Java Security. A Brief Introduction. Fred Long. The University of Wales, Aberystwyth UK. U.W. Aberystwyth CS25610/CHM5610. Java Security p.

COMP 520 Fall 2009 Virtual machines (1) Virtual machines

02 B The Java Virtual Machine

The security mechanisms of Java

The Java Virtual Machine. CSc 553. Principles of Compilation. 3 : The Java VM. Department of Computer Science University of Arizona

Portable Resource Control in Java The J-SEAL2 Approach

Over-view. CSc Java programs. Java programs. Logging on, and logging o. Slides by Michael Weeks Copyright Unix basics. javac.

Compiler construction 2009

Programming Language Systems

High-Level Language VMs

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 4

Java Instrumentation for Dynamic Analysis

Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution

Project. there are a couple of 3 person teams. a new drop with new type checking is coming. regroup or see me or forever hold your peace

Oak Intermediate Bytecodes

Problem: Too Many Platforms!

Java 2 Security. Dean Wette Senior Software Engineer Object Computing, Inc.

Software Security. Case Study: Java 2 Security. Copyright of HeathWallace 2008

Problems of Bytecode Verification

Java and C II. CSE 351 Spring Instructor: Ruth Anderson

Under the Hood: The Java Virtual Machine. Lecture 23 CS2110 Fall 2008

Java Security. Lecture 10 March 5, 2013

Let s make some Marc R. Hoffmann Eclipse Summit Europe

Compiler construction 2009

Code Generation Introduction

April 3 April 3. Has been established as important for enterprise applications

Java Language Basics: Introduction To Java, Basic Features, Java Virtual Machine Concepts, Primitive Data Type And Variables, Java Operators,

Improving Java Code Performance. Make your Java/Dalvik VM happier

Part VII : Code Generation

Topics. Structured Computer Organization. Assembly language. IJVM instruction set. Mic-1 simulator programming

Labels and Information Flow

Genetic Programming in the Wild:

CSE331: Introduction to Networks and Security. Lecture 26 Fall 2004

Roadmap. Java: Assembly language: OS: Machine code: Computer system:

CS577 Modern Language Processors. Spring 2018 Lecture Interpreters

Security SYSTEM SOFTWARE 1

Tutorial 3: Code Generation

Advanced Systems Security: Ordinary Operating Systems

Java Internals. Frank Yellin Tim Lindholm JavaSoft

Code Generation. Frédéric Haziza Spring Department of Computer Systems Uppsala University

Chapter 5. A Closer Look at Instruction Set Architectures. Chapter 5 Objectives. 5.1 Introduction. 5.2 Instruction Formats

Final Exam. 12 December 2018, 120 minutes, 26 questions, 100 points

Advanced Systems Security: Principles

Chapter 5. A Closer Look at Instruction Set Architectures

The. WebAssembly. Revolution. has begun

Compiling for Different Platforms. Problem: Too Many Platforms! Dream: Platform Independence. Java Platform 5/3/2011

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

C and C++ Secure Coding 4-day course. Syllabus

Plan for Today. Class 21: Hair-Dryer Attacks. Recap: Java Platform. Project Design Documents. Running Mistyped Code. Running Mistyped Code

Android Internals and the Dalvik VM!

Under the Hood: The Java Virtual Machine. Problem: Too Many Platforms! Compiling for Different Platforms. Compiling for Different Platforms

Trusting Virtual Trust

EXAMINATIONS 2014 TRIMESTER 1 SWEN 430. Compiler Engineering. This examination will be marked out of 180 marks.

WebAssembly. neither Web nor Assembly, but Revolutionary

Improving Java Performance

0x1A Great Papers in Computer Security

Confinement (Running Untrusted Programs)

Inline Reference Monitoring Techniques

CS263: Runtime Systems Lecture: High-level language virtual machines. Part 1 of 2. Chandra Krintz UCSB Computer Science Department

Java An example of a secured architecture

Security Architecture

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Joeq Analysis Framework. CS 243, Winter

CSC 4181 Handout : JVM

Delft-Java Dynamic Translation

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

Advanced Systems Security: Ordinary Operating Systems

Security Philosophy. Humans have difficulty understanding risk

Alexander V. Konstantinou. Java Security. Columbia University. Fall 2002

COMP3131/9102: Programming Languages and Compilers

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Program Dynamic Analysis. Overview

3/15/18. Overview. Program Dynamic Analysis. What is dynamic analysis? [3] Why dynamic analysis? Why dynamic analysis? [3]

Transcription:

CMPSC 497: Java Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1

Enforcement Mechanisms Static mechanisms Analyze programs before they are run; reject them if statically deemed harmful Static analysis; program verification Dynamic mechanisms AKA, reference monitors Analyze programs as they run; reject harmful runtime behavior Hardware-based fault isolation Software based SFI A hybrid approach Java security

Java is Type Safe Array bounds checking Non-null checking Automatic memory management: GC Access control modifiers: public, private, protected,... No bad cast: upcast and downcast String: always have a length stored Compare this to null-terminated strings in C Initialization A variable is always initialized before used

Java Security is Beyond Type Safety A design goal of Java is to support mobile code Make interactive web pages Java s term for mobile code: applets HTML has the <APPLET> tag Applet code is downloaded and run automatically A new JVM is started Concerns of mobile code Platform independence Write once, run anywhere Security

Security Threats of Applets Threats Examples Java s defense System modification delete files; kill processes; make network connections Strong Invasion of privacy Steal passwords, data strong Denial of service Using up memory, CPU cycles; Completely filling up a file system; weak Antagonism Playing annoying sound weak 5

Java s Rationale for Applet Security Stopping the worst kinds of attacks that hostile applets might carry out Software-based protection; use language mechanisms Kind of successful Ever heard of Java viruses?

Java s Mobile Code Java Source Class Loader JVM Java Compiler Front End Bytecode (class files) Bytecode Verifier JIT Compilation Security manager GC constant pool untrusted zone trusted zone Portable & Secure No need to trust the front end

Three Pillars of Java Security Class loaders Loading classes into the JVM Bytecode verifier Perform dataflow analysis to verify type safety of bytecode Security manager Monitors dangerous operations such as file accesses

Not Three Layers of Defense *From Securing Java by McGraw and Felten

Bytecode Verification Ensure basic safety properties of the bytecode The file is not damaged The code is type safe Which implies memory safety Does not prohibit the bytecode from reading your secret files The job of the security manager Bytecode verifier a static verifier bytecode checked only once before running does not assume the bytecode is produced by a Java compiler; the bytecode could be written by an attacker

Bytecode Verifier: Multiple Passes Pass 1: file integrity check Check the first four bytes is the magic hex number 0xCAFEBABE Check version numbers of the class file Check each structure in the file is of appropriate length Pass 2: structural checks Final classes are not subclassed Every class has a superclass (except for java.lang.object) Final methods are not overridden... Pass 3: type checking the code The most important and complicated pass Performs data-flow analysis to verify type safety

The Bytecode Language A typed, stack-based intermediate language Types are encoded in the opcodes of instructions For example iadd: integer add ladd: long add fadd: float add dadd: double float add So that type safety can be verified

The JVM Types JVM Types and their prefixes Byte b Short s Integer i (java booleans are mapped to jvm ints!) Long l Character c Single float f double float d References a to Classes, Interfaces, Arrays These Prefixes used in opcodes (iadd, astore,...)

State State: operand stack, local variables (registers), heap (storing Java objects) Most instructions expect arguments on the operand stack A stack-based abstract machine Operand stack: a stack of operands pop Various push operations: iconst_3, aconst_null, iadd: pop two operands from the stack, add them, and push the result to the stack E.g., iconst_3; iconst_4; iadd iload d: the value of the local variable d is pushed onto the stack istore d: the top of the stack is popped to variable d

The JVM Instruction Mnemonics Shuffling (pop, swap, dup,...) Calculating (iadd, isub, imul, idiv, ineg,...) Conversion (d2i, i2b, d2f, i2z,...) Local storage operation (iload, istore,...) Array Operation (arraylength, newarray,...) Object management (get/putfield, invokevirtual, new) Push operation (aconst_null, iconst_m1,...) Control flow (nop, goto, jsr, ret, tableswitch,...) Threading (monitorenter, monitorexit,...)

Compilation Examples public static int add (int x, int y) { return x + y; } Get compiled to (dumped by javap) 0: iload_0 1: iload_1 2: iadd 3: ireturn

Compilation Example Two static int factorial (int n) { int res; for (res=1; n>0; n--) res = res * n; return res; }

Result of Compilation 0: iconst_1 //push the integer 1 1: istore_1 //store it in register 1 (the res variable) 2: iload_0 //push register 0 (the n parameter) 3: ifle 16 //if negative or 0, goto PC 16 6: iload_1 //push register 1 (the res variable) 7: iload_0 //push register 0 (the n parameter) 8: imul //perform multiplication 9: istore_1 //store it in register 1 10: iinc 0, -1 //decrement register 0 by 1 13: goto 2 //go to PC 2 16: iload_1 //load register 1 (res) 17: ireturn //return the value to caller

Verifying Type Safety Phase 1: disassembling; locate the start of each instruction Check all control transfers target valid start addresses Check all opcodes have the correct number of arguments...

Verifying Type Safety Phase 2: Use static analysis to calculate types of local variables and stacks before each instruction Stack: number and types of items Local variables: types of local variables Their values are not tracked Perform type checking along the way If adding two integers, check there are enough arguments on the stack and the operands are of type int When a function is invoked, check if enough arguments with correct types are on the stack...

Some Examples of Verification At each program point, track types of local variables; sizes and types of the operand stack {0:int, 1:int}, stack:[] 0: iload_0 {0:int, 1:int}, stack: [int] 1: iload_1 {0:int, 1:int}, stack: [int, int] 2: iadd {0:int, 1:int}, stack: [int] 3: ireturn What happens if iload_1 is omitted? iadd changed to fadd?

Example Verification: Loops 0: iconst_1 //push the integer 1 1: istore_1 //store it in register 1 (the res variable) 2: iload_0 //push register 0 (the n parameter) 3: ifle 16 //if negative or 0, goto PC 16 6: iload_1 //push register 1 (the res variable) 7: iload_0 //push register 0 (the n parameter) 8: imul //perform multiplication 9: istore_1 //store it in register 1 10: iinc 0, -1 //decrement register 0 by 1 13: goto 2 //go to PC 2 16: iload_1 //load register 1 (res) 17: ireturn //return the value to caller What happens if goto 2 is changed to goto 5? if istore_1 is omi9ed?

Threats Eliminated Contain illegal bytecode instructions Contain illegal parameters to bytecode instructions Too many; too few; of wrong types Overflow or underflow the operand stack Illegal type cast Cast an integer to a reference (type confusion attack) Illegal access to classes, fields, or methods Nonexistent class, field, method; wrong types; with no access rights

Complications Verifying OO types A hierarchy of OO types Merge the OO types of two paths Need to find the first common supertype Dynamic loading Classes are loaded before used for the first time When doing verification, doesn t have all code References Enterprise Java Security by Pistoia et al. Java bytecode verification, an overview by Leroy

Next, the Security Manager Bytecode verifier checks type safety But what about other dangerous operations such as accessing files, or sending network packets? Java s solution Let administrators specify a security policy Security manager enforces the policy during runtime This design went through several iterations

The Applet Sandbox In Java 1.0 Idea: limit the resources that can be accessed by applets Local code: no restriction local code remote code (applets) JVM sandbox resources Untrusted code cannot read/write files; make arbitrary network connections; It can: access to the CPU, access to memory to create objects; connect to the site where the applet is downloaded

Java 1.1: Signed Applets Idea: applets from a trusted source can be trusted local code applets signed by trusted principals unsigned applets resources JVM sandbox

Java 2: User-Defined Policy Idea: Every code (remote or local) has access to the system resources based on what is defined in a policy file JVM local or remote code (signed or unsigned) class loaders policy file resources Example grant CodeBase http://java.sun.com, SignedBy Sun { permission java.io.filepermission ${user.home}${/}*, read, write ; permission java.net.socketpermission localhost:1024-, listen ;};

Security Manager: Enforcer A reference monitor The security manager are consulted before dangerous operations are performed

Consulting the Security Manager From java.io.file: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security!= null) { } security.checkdelete(path); checkdelete throws a SecurityExecption if the delete would violate the policy if (isdirectory()) return rmdir0(); else return delete0(); }

Stack Inspection Dynamic authorization mechanism close (in spirit) to Unix effective UID attenuation and amplification of capabilities Richer notion of context An operation can be good in one context and bad in another E.g., all local file access goes through java.io.file Applet 1: no file-access permissions; call java.io.file Applet 2: with file-access permissions; call java.io.file

Call Stack is the Context Each method on the stack has an associated protection domain A method belongs to a class Each class is assigned a protection domain depending on its origin Protection domain: code with permissions System domain: system classes (e.g., java.io.file) + AllPermissions Multiple application domains E.g., grant CodeBase http://java.sun.com, SignedBy Sun { permission java.io.filepermission ${user.home}${/}*, read, write ; permission java.net.socketpermission localhost:1024-, listen ;}; This domain specifies all code from java.sun.com has certain file permissions and socket permissions

System Domain vs. App Domains System domain can access protected resources App domains calls into the system domain for access to resources Fig 8.9 Enterprise Java Security

checkpermission security.checkdelete(path) Turn into security.checkpermission(p) P stands for the permission to remove file with path checkpermission (P) is implemented as for (f := pop(s);!empty(stack) ; f := pop(s)) { if domain(f) does not have perm. P then error; } Ignoring privileged code (see later slides)

Examples Applet 1: no file-access permissions; call java.io.file access denied access allowed java.io.file Applet 1 ok not ok Applet 2: with file-access permissions; call java.io.file java.io.file ok Applet 2 ok

Motivation for Privileged Code Suppose A class in the system domain needs to connect to the internet and write to a log file An untrusted app invokes the class to make a network connection With stack inspection The untrusted app needs both SocketPermission and FilePermission But is requiring FilePermission reasonable? Fig 8.2 Enterprise Java Security

Trusted Code Uses Privileged Code doprivileged(p){s}: fails if method's domain does not have perm. P. exempt the caller from having perm. P checkpermission (P) is implemented as for (f := pop(s);!empty(stack) ; f := pop(s)) { if domain(f) does not have perm. P then error; } if f is a doprivileged frame then break; Q: Why can t any code use doprivileged(p){ } to grab the perm P?

Back to the Example If the log() operation is wrapped in doprivileged(filepermission){log();} Then the untrusted code needs the SocketPermission to call the trusted library code

Class Loader Loading Java classes into the JVM Dynamic loading loading classes in a lazy way when a class is referenced, it is the class loader s job to find that class reference a field/method, create a new object

Class Loader Responsibilities Maintaining separation of namespaces Maintain separation between classes of different trust levels (loaded from different sources) Permission assignment Associating permissions to protection domains Search-order enforcement Prevent user classes from spoofing security-critical classes, such as the security manager

Caveats of Java Security Its TCB is quite big Many security holes were identified and fixed in the past Native code Serialization...

Further Readings Secure Coding Guidelines for the Java Programming Language http://www.oracle.com/technetwork/java/seccodeguide-139067.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback