dan sedlacek cto, systems management group sterling software java security and encryption
TRANSCRIPT
Java Security and Encryption
• What is the level of security provided by Java technology?
• What’s NOT provided for in Java
• How Java implements security
• How to extend Java security
Agenda
• Java Security Overview
• Applications and Applets
• Java Language Security
• Java Class Loaders
• Security Manager
• Access Controller
• Security Policies
• Authentication
• Encryption
Java Security OverviewWhat is Security?
• Virus Protection
• System Resource Access Control
• Authentication of Author and Data
• Data Privacy
• Encryption
• Auditing
• Orange Book (C2, B1)
Java Security OverviewWhat is Java Security?
• Virus Protection - Yes
• System Resource Access Control - Yes
• Authentication of Author and Data - Yes
• Data Privacy - Yes & No
• Encryption - Optional
• Auditing - Not Built-in
• Orange Book (C2, B1) - No
Applets and Applications
• Applets – Run Under Control of a Browser– Are Subject to the Browser Security Policy
• Applications– Establish their Own Security Policy– Default is No Security Manager
How Does Java Provide Security?
• Java Language Security
• Java Class Loaders
• Digital Signatures
• Java Security Manager
• Java Access Controller
• Encryption
Java Language Security
• Objects have access levels:– private: Accessible by defining class– package (default): Accessible by classes in the
same package– protected: Same as package, with addition of
access by any subclass– public: Accessible by any class
Java Language Security• Access methods are strictly adhered to
• No pointers (no access to arbitrary memory and automatic garbage collection)
• “final” methods or variables cannot be changed
• Variables MUST be initialized before use
• Array bounds are enforced
• Strict object casting rules
Java Language Security• Object serialization can be a problem
– Objects are externalized as series of bytes– Data may be tampered with before the object is
reconstructed
• Some solutions:– objects must be declared “serializable”– “private transient” disallows serialization– writeObject() and readObject() methods let you
implement your own encryption
Java Language Security Enforcement
• Enforcement happens at different times– Compile time enforcement– Class load time enforcement– Runtime enforcement
• It’s easy to get around compile-time enforcement - build your own classes for the JVM
• Class loader and runtime enforcement are more difficult to get around
Java Language SecurityEnforcement
Java Source
Java CompilerBytecode
Class Loader BytecodeVerifier
Java Virtual MachineRuntime
Java Language SecurityCompile Time Enforcement
Java Source
Java CompilerBytecode
Class Loader BytecodeVerifier
Java Virtual MachineRuntime
Java Language SecurityCompile Time Enforcement
• Validate language syntax
• Enforce method and variable access rules
• Enforce variable initialization
• Enforce some casting operations
Java Language SecurityClass Load Time Enforcement
Java Source
Java CompilerBytecode
Class Loader BytecodeVerifier
Java Virtual MachineRuntime
Java Language SecurityClass Load Time Enforcement
• Bytecode verifier is part of the VM
• Bytecode verification– Verifies class file format– Final classes are not subclassed– Final methods are not overridden– Every class has a single superclass (except
Object, of course)
Java Language SecurityClass Load Time Enforcement
• Bytecode verification (continued)– Verify that casting legality checks are in place– No operand stack overflows or underflows– All field and method accesses are legal
• Bytecode verification may be delayed in some implementations
Java Language SecurityRuntime Enforcement
Java Source
Java CompilerBytecode
Class Loader BytecodeVerifier
Java Virtual MachineRuntime
Java Language SecurityRuntime Enforcement
• Array bounds checking– Throws ArrayIndexOutOfBoundsException
• Object casting– Throws ClassCastException
• Security Manager– Throws SecurityException– Depends on the Access Controller
Java Class Loaders
• Read bytecode into the JVM
• Convert into class definitions
• Works in conjunction with Security Manager and Access Controller
• Knows where the class originated
• Understands signed Jar files
• Enforces namespace rules
Java Class Loaders
• Java applications can create and use different class loaders
• Java applets use the browser-provided class loader
Java Class LoadersNamespaces
• Used to eliminate ambiguity between classes with the same name
• Full name of a Java class is qualified by the name of the package:– java.lang.String– com.sun.java.swing.JTable
• Default package
Java Class LoadersNamespaces
• Classes with different CODEBASEs are loaded by different instances of the class loader
• Even if fully qualified class names are the same, namespaces make them unique
• Namespaces enforce package protection
Java Class LoadersHow they Work
• Previously loaded classes are cached
• Class loader optionally consults the Security Manager to see if the program is allowed to access the class
• Internal class loader attempts to load the class from CLASSPATH
• Class loader reads in an array of bytes
• Bytecode verification is performed
Java Class LoadersHow they Work
• A class object is constructed from the bytecodes
• Resulting class name is verified to be the requested class name
• Base classes and classes referenced by static initializers are also loaded
• Other referenced classes are loaded when the class references them
Java Class LoadersHow they Work
• An internal class loader (part of the JVM) loads the Java API classes when the VM starts up
• In 1.1 internal class loader also loads all CLASSPATH classes
• In 1.2 an instance of URLClassLoader loads classes from CLASSPATH
• Browsers load classes for the applets from the applet’s CODEBASE using URL class
Other Java Class Loaders• An RMI class loader (RMIClassLoader) is
similar to an applet class loader– Uses HTTP to load classes from a remote host
• Secure class loader associates protection domains with each class it loads– java.security.SecureClassLoader– Makes use of the access controller facilities
• URL class loader (URLClassLoader) - general purpose class loader
Java Class Loadersand JAR files
• Java Archive files, or JAR files are Zip files with some additional information
• JAR files contain many class files, and other files needed by an application
• All classes in a JAR files are loaded at once
• Signed classes must be in JAR files
Java Class LoadersSecurity Implications
• Class loaders are integral to Java’s security– Class loaders enforce namespace separation– Security Manager depends on the class loader to
keep track of the class origin– Custom class loaders may be developed to
handle load protocols other than HTTP, to implement class file encryption, and to implement special security policies.
Java Security Manager
• Security Manager is the sandbox guard
• Default security manager provided by browsers to protect local system resources
• Applications have a null security manager by default
• Use the -usepolicy option to utilize the default security manager (that in turn uses the Access Controller)
Java Security Manager
Class File
Bytecode VerificationClass LoaderSecurity Manager
InstantiatedObject
Core Java API
Access Controller
Java Security Manager
• java.lang.SecurityManager
• Programs perform operations through the core Java API
• Methods are invoked by the core Java API to check if an operation is allowable
• A SecurityException is thrown if the operation is not allowable
Java Security ManagerTrusted Classes
• In general:– Core API classes are trusted– Classes that are loaded via the CLASSPATH are
trusted
• Specific permissions may be granted based on signature and codebase
• Access Controller is called by the Security Manager to ascertain if a class is trust-worthy
Java Security ManagerMethods
• Protection for the Java Virtual Machine
• System resource protection– File system access– Network access– Printing– Accessing the clipboard– Event queue access
Java Security ManagerMethods
• Access to security related operations
• Protection against manipulating thread groups that were created by another entity
Access Controller• Added in release 1.2
• Used by the security manager to determine security policy
• Allows security policy to be configured without writing a custom security manager
• System security file:– $JAVAHOME/lib/security/java.security
• Security Manager still works with pre-version 1.2 classes
Access ControllerSystem Security File
• $JAVAHOME/lib/security/java.security policy.provider=java.security.PolicyFile
policy.expandProperties=true
policy.allowSystemProperty=true
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
• These policy files map code sources to sets of permissions
Access ControllerRoles
• Used by the security manager to determine access to resources
• May be used by a program to check application-specific permissions
• Used only if a security manager is being used
Access ControllerConcepts
• Code sources - Where the class comes from
• Permissions - Ability to perform an operation
• Policies - Set of permissions by code source
• Protection domains - Permissions granted to classes from a particular code source
Access ControllerCode Sources
• java.security.CodeSource
• CodeSource(URL url, PublicKey[] key[])
• public boolean equals(Object obj)
• public final URL getLocation()
• public final PublicKey[] getKeys()
Access ControllerPermissions
• java.security.Permissions
• Permission properties:– Type (e.g. FilePermission)– Name (e.g. name of the file - supports wildcards)– Actions (e.g. read)
Access ControllerPermissions
• Java API permissions– Access controller is automatically called if a
security manager is active
• Arbitrary user-defined permissions– Name (e.g. CorporatePayroll)– Actions (e.g. read)– Access controller must be explicitly called
Access ControllerJava API Permissions
• Java API permissions– FilePermission (e.g. /etc/passwd, read)– SocketPermission (IP:port, accept, connect, listen,
resolve)– PropertyPermission (e.g. java.version, read)– RuntimePermission (Runtime class operations,
e.g. exit)– AWTPermission - Access to windowing resources
Access ControllerJava API Permissions
• Java API permissions– NetPermission - Multicast and HTTP authentication– SecurityPermission - Permission to use the security
package– SerializablePermission - Object serialization– ReflectPermission - Reflection API– UnresolvedPermission - External permissions– AllPermission - Superuser
Security Policies
• java.security.Policy
• Ties code sources to permissions
• Default policy is provided in the system security file
• Methods: Permissions evaluate(CodeSource cs) void refresh()
Default Security Policy
• Policy files specified by the system security file
• Policy files specified by the: policy.url.n entries
• General format: grant [signedBy <signer>]
[,codeBase <code source>] {permission <class> [<name> [, <action list>]];… permission <class> [<name> [, <action list>]];};
Protection Domains
• Java.security.ProtectionDomain
• public ProtectionDomain(CodeSource cs, Permissions p)
• public CodeSource getCodeSource()
• public Permissions getPermissions()
• public boolean implies(Permission p)
• Represents one “grant” entry in the file
Authentication
• It’s a wide open Internet
• System resources need to be protected from viruses and other attacks
• Need for authentication– Author authentication
• Where did the class come from
– Data authentication• Was the class content modified?
Authentication
• The signed JAR file is the mechanism
• Enables the class loader to know definitively where the class came from, and if it has been tampered with.
• Does NOT imply that Java should trust all signed JAR files
• Does NOT protect the privacy of the information in the JAR file - for that you need encryption
Encryption
• javax.crypto.Cipher - the encryption engine
• Perform encryption and decryption of arbitrary data
• Implements named algorithms
• Supplied by security providers
• Sun supports DES, multiple DES, and PBEWithMD5andDES
Encryption
• Used internally by class loader– Public and private keys– Message digests– Signed JAR files
• General purpose encryption
EncryptionSigned JAR files
• Originator generates digital signature– Produce a message digest– Encrypt the digest with private key
• Recipient– Decrypt the signature using public key to
reproduce the message digest– Match the decrypted and calculated digests
Encryption ofSigned JAR files
JAR fileMessageDigestEngine
451350228534...
DigitalSignatureEngine
Private
9728016828...
Digital Signature
Message Digest
Decryption ofSigned JAR files
DigitalSignatureEngine
Public 9728016828...
Digital Signature
451350228534...Message Digest
JAR fileMessageDigestEngine
Java SecuritySummary
• Java Security Features– Java Language Security– Java Class Loaders– Security Manager and Access Controller– Security Policies– Authentication and Encryption
• Java Security is Both Configurable and Extendable
Java Security and Encryption
Questions and Answers
Dan SedlacekCTO, Systems Management GroupSterling Software