Applet Security Team Web Charles Moen and XiaoJun Zhang CSCI 5931.01 Web Security March 26, 2003


Applet Security

Team Web
Charles Moen and XiaoJun Zhang

CSCI 5931.01 Web Security
March 26, 2003

2

Topics

The Sandbox
Stepping Outside the Sandbox
Applets & the Policy File
RSA-Signed Applets
The Java Plug-in
Signed Applets in Netscape
Signed Applets in MS Internet Explorer
Secure JDBC Connection for Applets

3

Java 2 Security Model

Policy-based
  Security policy limits the resources a program can use
  java.policy
Permissions
  Actions that are allowed

4

The Sandbox

[Diagram. Labels: Client, Operating System, Memory, Local Code, Java Virtual Machine, Sandbox, Applet, Server, HTTP]

5

Stepping Outside the Sandbox

Many reasons for stepping outside the sandbox
Java 2 Security Model—two methods
  The client can grant permissions by editing the policy file, java.policy
  The developer can use an RSA-signed applet that can be granted or denied permission by the client

6

Stepping Outside the Sandbox in Java 2—The Policy File

[Diagram. Labels: Client, Memory, Operating System, Local Code, Java Virtual Machine, Policy, Applet, FilePermission, SocketPermission, Server, HTTP. Callout: Edit java.policy: grant …SocketPermission; FilePermission;]

7

Stepping Outside the Sandbox in Java 2—RSA-Signed Applets

[Diagram. Labels: Client, Memory, Operating System, Local Code, Java Virtual Machine, JAR, Applet, HTTP, Server, Certificate Authority. Callouts: Signs a JAR file with RSA; Verifies the signer]

8

The Java Plug-in

Downloadable helper program that works with a browser
  Consistent runtime environment for Java
  Supports all Java functions
  Can be called instead of the browser’s VM
Introduced with Java 2
  Part of JDK and JRE
  Downloaded the first time it is needed by browser

9

The Java Plug-in

Advantages
  Consistency across browsers
  Java capabilities provided to old browsers
  Same security model as Java 2
    Major browsers had different security models
    Differences require different development
Weakness
  Huge download—5 to 6 MB

10

Example 1: Applets & the Policy File

Stepping out of the sandbox, method 1
Create an applet, Java Security, p. 205

public void init() {
    try {
        // Reading user.name requires a PropertyPermission; without it a SecurityException is thrown
        mUsername = System.getProperty("user.name");
    } catch( SecurityException e ) {
        mUsername = null;
    }
}

<APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200"></APPLET>

11

Example 1: Applets & the Policy File

C:\> appletviewer UsernameApplet.html

12

Example 1: Applets & the Policy File

Use a policy file: UsernameApplet.policy

grant codeBase "file:${/}devJava${/}*" {
    permission java.util.PropertyPermission "user.name", "read";
};

appletviewer -J-Djava.security.policy=UsernameApplet.policy UsernameApplet.html

13

Running Example 1 in a Browser

1. Change APPLET to OBJECT
   APPLET is deprecated
   Specify codebase for downloading plug-in
   Use HTMLConverter
2. Edit java.policy
   Grant permission, like in our example

14

1. Change APPLET to OBJECT

HTMLConverter
  Bundled in J2SE SDK (error on p. 206)
  http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html
  Either command line or GUI

> java HTMLConverter <the html file>

Result on page 207
  For IE, converts to OBJECT element
  For NS, converts to EMBED element

15

C:\jdk1.4.1\lib>..\bin\java -jar htmlconverter.jar -gui

16

2. Edit java.policy

Must be done by the user
Location is problematic
  C:\Program Files\Java\j2re1.4.0_01\lib\security
  C:\j2sdk1.4.0_01\jre\lib\security
  UHCL PC Lab: unable to edit
Add the following to run our example:

grant codeBase "file:${/}devJava${/}*" {
    permission java.util.PropertyPermission "user.name", "read";
};
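Because the user edits java.policy by hand, it is worth checking what each grant entry actually opens up. The following is an added example, not code from the slides or the book: a small Python auditor for grant entries that flags entries broader than the one above. The function names, the finding texts and the second and third sample entries are constructed for illustration.

```python
import re

# Constructed sample policy. The first entry is the grant shown on the slides;
# the other two are invented here to illustrate over-broad entries.
SAMPLE_POLICY = r'''
// constructed sample, not a real deployment
grant codeBase "file:${/}devJava${/}*" {
    permission java.util.PropertyPermission "user.name", "read";
};
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
grant signedBy "appletsigningkey" {
    permission java.security.AllPermission;
};
'''

# Quoted strings are matched as units, so "${/}" or "/*" inside a codeBase
# is never mistaken for a block delimiter or the start of a comment.
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
GRANT_RE = re.compile(
    r'\bgrant\b(?P<head>(?:"[^"]*"|[^{"])*)\{(?P<body>(?:"[^"]*"|[^}"])*)\}\s*;')
PERM_RE = re.compile(r'\bpermission\s+(?P<cls>[\w.$]+)(?P<rest>(?:"[^"]*"|[^;"])*);')
HEAD_RE = re.compile(r'\b(codeBase|signedBy)\s+"([^"]*)"', re.I)
WIDE_TARGETS = {'<<ALL FILES>>', '*'}

def strip_comments(text):
    """Blank out // and /* */ comments while leaving quoted strings intact."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return TOKEN_RE.sub(keep_strings, text)

def audit_policy(text):
    """Return one dict per grant entry with its scope and any findings."""
    report = []
    for grant in GRANT_RE.finditer(strip_comments(text)):
        scope = {k.lower(): v for k, v in HEAD_RE.findall(grant.group('head'))}
        findings = []
        if not scope:
            findings.append('applies to all code: no codeBase or signedBy')
        for perm in PERM_RE.finditer(grant.group('body')):
            args = re.findall(r'"([^"]*)"', perm.group('rest'))
            if perm.group('cls') == 'java.security.AllPermission':
                findings.append('AllPermission: code runs with no sandbox')
            elif args and args[0] in WIDE_TARGETS:
                findings.append(f"{perm.group('cls')} on wildcard target {args[0]}")
        report.append({'codebase': scope.get('codebase'),
                       'signedby': scope.get('signedby'), 'findings': findings})
    return report
```

Calling audit_policy(SAMPLE_POLICY) returns no findings for the slides' entry, which is scoped to one codeBase and one property, and flags the two constructed entries.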

17

Open UsernameApplet.HTML

18

Example 2: RSA Signed Applets

Stepping out of the sandbox, method 2
Real deployment requires a certificate from Verisign or Thawte
Jarsigner can sign applets
If the Java plug-in finds an RSA-signed digital certificate in a downloaded JAR
  Checks security policy for “usePolicy”
  Checks the signature’s CA
  Then asks user if it’s okay

19

Example 2: RSA Signed Applets

Step 1: Generate a key and certificate

Step 2: Install the certificate

Step 3: Create the JAR and sign it

Step 4: Deploy the JAR in the HTML

Step 5: Open the HTML in a browser

20

1. Generate a key & certificate

Use the keytool to generate a key

C:\>keytool -genkey -alias appletsigningkey -keyalg RSA

Export the certificate

C:\>keytool -export -alias appletsigningkey -file appletsigningkey.cer

For real deployment
  Page 212
  Create a csr file with “-certreq”
  Order a signed certificate from a CA

21

2. Install the certificate

Windows
  Double-click on the filename
  Click on the “Install Certificate” button
  Follow the steps in the Wizard, pp. 210–211

22

3. Create the JAR and sign it

Create a JAR containing our applet class

C:\> jar cvf UsernameApplet.jar UsernameApplet.class

Sign the JAR with jarsigner

C:\> jarsigner UsernameApplet.jar appletsigningkey

23

4. Deploy the JAR in HTML

Add the “ARCHIVE” attribute (Not mentioned in the book, p. 212)

<APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200"
        ARCHIVE="UsernameApplet.jar"></APPLET>

Can then use HTMLConverter

24

5. Open the HTML in browser

Click to Grant

25

Signed Applets in Netscape

Netscape 6 and 7 use the Java plug-in
Netscape 4 uses its own security model
  Applet asks for permission
  Called the Capabilities API
  Uses proprietary Netscape classes
  Incompatible with any other browser

26

Signed Applets in Netscape 4

Modifications that use the Capabilities API, page 215

// PrivilegeManager is netscape.security.PrivilegeManager, supplied by capsapi_classes.zip
public void init() {
    try {
        // Enable the privilege only around the call that needs it, then revert
        PrivilegeManager.enablePrivilege("UniversalPropertyRead");
        mUsername = System.getProperty("user.name");
        PrivilegeManager.revertPrivilege("UniversalPropertyRead");
    } catch( SecurityException e ) {
        mUsername = null;
    }
}

C:\> javac -classpath .;capsapi_classes.zip UsernameNetscapeApplet.java

27

Signed Applets in Netscape 4

Deploying the applet
  Must be signed
  Use Netscape’s signtool
Initialize the certificate database
  Using Netscape, page 217
  Click on the lock icon at the lower left
  Click on Certificate > Yours
  Click on “Import a Certificate”
  Set the password, then Cancel the import

28

Signed Applets in Netscape 4

Create a self-signed certificate and key

C:\> signtool -G"testsigner" -d"C:\Program Files\Netscape\Users\crmoen"

Create a directory and put in the class
Create a signed JAR

C:\> signtool -d"C:\Program Files\Netscape\Users\crmoen" -k"testsigner" -Z"netscapeApplet.jar" jar_directory

Add an ARCHIVE attribute to the HTML
Open the HTML file in Netscape, p. 220

29

Signed Applets in Microsoft IE

Microsoft VM security model
As of Jan. 21, 2003, by court order
  Microsoft VM support discontinued
  Tools are no longer available
  Sun JRE is provided with IE

“…the U.S. District Court in Baltimore, Md. issued a preliminary injunction order requiring Microsoft to include the latest Java Runtime Environment (JRE) from Sun Microsystems in…versions of the Microsoft® Windows® XP operating system or Microsoft Internet Explorer…” [5]

MS recommends: convert applets to .NET

30

Signed Applets in Microsoft IE

Security levels for applets
  High—the sandbox
  Medium—some extras like disk scratch files
    HOWTO: Using Scratch Space From Your Java Applet - http://support.microsoft.com/default.aspx?scid=kb;EN-US;172200
  Low—same as AllPermission in Java 2
  Custom—similar to policy file in Java 2
Cab files are used for signed applets
Tools are in the Microsoft SDK for Java (No longer available)

31

Secure JDBC Connection for Applets [6]

The problem
  Firewalls interfere with the connection between a Java applet and an external db
The solution from IDS Software
  The applet uses an IDS JDBC driver to connect to an IDS server using HTTPS

32

Secure JDBC Connection for Applets [6]

The client is behind a firewall.
The proxy server relays the client’s HTTP and/or HTTPS requests.
Proxy relays HTTP requests
  To provide Internet access
  Parses the content
  Assumes the connection is non-persistent and drops the connection
Proxy also relays HTTPS requests
  Assumes that it cannot parse content
  Cannot drop connection until client does

33

Secure JDBC Connection for Applets [6]

Required conditions
  Proxy allows outbound HTTPS connections
  Applet must obtain the browser proxy server setting
  Applet must be signed
  IDS server must use ports 443 or 563
ProxyProperties class from IDS
  Obtains the proxy settings
  Instance passed to the IDS driver when it creates a connection to the db

34

Secure JDBC Connection for Applets [6]

Driver drv = new ids.sql.IDSDriver();

Properties info = new ProxyProperties();
String host = info.getProperty("https.proxyHost");

if (host != null) {
    info.put("proxy_type", "4"); // SSL Tunneling
    info.put("proxy_host", host);
    info.put("proxy_port", info.getProperty("https.proxyPort"));
    try { // For Netscape
        PrivilegeManager.enablePrivilege("UniversalConnect");
    } catch (Throwable e) { }
}

Connection conn = drv.connect(url, info);

35

Secure JDBC Connection for Applets [6]

[Diagram. Labels: Client, Applet, IDS JDBC driver, client-side firewall, Proxy Server, HTTPS, Port 443, IDS Server, DB]

36

Bibliography

[1] J. Garms and D. Somerfield. Professional Java Security. Birmingham, UK: Wrox Press Ltd., 2001, pp. 202–228.

[2] M. Pistoia, et al. Java 2 Network Security, 2nd ed. New Jersey: Prentice Hall PTR, 1999.

[3] J. Conallen. Building Web Applications with UML. Addison-Wesley, 2000, pp. 70–72.

[4] Sun (n.d.). Developer Guide FAQs. [Online]. Available: http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html

[5] Microsoft (2003, Jan.). Microsoft VM Developer FAQ. [Online]. Available: http://www.microsoft.com/java/developerFAQ.htm

[6] IDS Software (1999, Nov.). JDBC Connection via HTTPS Proxy. [Online]. Available: http://www.idssoftware.com/jdbchttps.html