Enabling Java 2Runtime Security

with Eclipse Plug-ins___

Analyzing Security Requirementsfor OSGi-Enabled Platforms

Marco Pistoia, Ted Habeck, Larry KovedMarco Pistoia, Ted Habeck, Larry KovedIBM T.J. Watson Research CenterIBM T.J. Watson Research Center

New York, USANew York, USA

AgendaAgenda

1.1. Motivation for This WorkMotivation for This Work

2.2. Review of Java Security ConceptsReview of Java Security Concepts

3.3. IBM Security Workbench Development IBM Security Workbench Development Environment for Java (SWORD4J)Environment for Java (SWORD4J)

4.4. SWORD4J DemoSWORD4J Demo

1. Motivation for This Work1. Motivation for This Work

Developing Secure OSGi ApplicationsDeveloping Secure OSGi Applications

• The OSGi framework is a robust The OSGi framework is a robust platform for deploying and platform for deploying and managing applications from managing applications from handheld devices to servershandheld devices to servers

• It supports It supports security sandboxingsecurity sandboxing by limiting access to resources by limiting access to resources applications can access at run applications can access at run timetime

• OSGi security is based on the OSGi security is based on the Java 2, Standard Edition (J2SE) Java 2, Standard Edition (J2SE) security architecturesecurity architecture

• Eclipse is built on top of the Eclipse is built on top of the OSGi frameworkOSGi framework

Authorization – A Layered PerspectiveAuthorization – A Layered Perspective

J2SE Security

OSGi Security

Applications

2. Review of Java Security Concepts2. Review of Java Security Concepts

Java 2 Stack Inspection BasedJava 2 Stack Inspection BasedAccess Control ModelAccess Control Model

Main.main()Main.main()

Socket.<init>("www.ibm.com", 80)Socket.<init>("www.ibm.com", 80)

sm.checkConnect("www.ibm.com", 80)sm.checkConnect("www.ibm.com", 80)

sm.checkPermission(p)sm.checkPermission(p)

AccessController.checkPermission(p)AccessController.checkPermission(p) pp

pp

pp

pp

pp

?

?

?

?

?If all the code source wasgranted Permission p…

SecurityExceptionSecurityExceptionOtherwise…

Problem:What Permissions are required?•Not too many permissions•Not too few permissions

Same Code, Multiple Call PathsSame Code, Multiple Call Paths

import java.io.*;import java.net.*;public class LibraryCode { private static String logFileName = "audit.txt"; public static Socket createSocket(String host, int port) throws UnknownHostException, IOException { Socket socket = new Socket(host, port); FileOutputStream fos = new FileOutputStream(logFileName); BufferedOutputStream bos = new BufferedOutputStream(fos); PrintStream ps = new PrintStream(bos, true); ps.print("Socket " + host + ":" + port); return socket; }}

ClientClient

LibraryLibrary

createSocket

SocketPermission

FilePermission

Client.main()Client.main()

LibraryCode.createSocket()LibraryCode.createSocket()

qq

qq

pp

pp

Multiple Permission RequirementsMultiple Permission Requirements

Socket.<init>(host,port)Socket.<init>(host,port)

sm.checkConnect(host,port)sm.checkConnect(host,port)

sm.checkPermission(q)sm.checkPermission(q)

AccessController.checkPermission(q)AccessController.checkPermission(q)

qq

qq

qq

qq

FileOutputStream.<init>(logFileName)FileOutputStream.<init>(logFileName)

sm.checkWrite(logFileName)sm.checkWrite(logFileName)

sm.checkPermission(p)sm.checkPermission(p)

AccessController.checkPermission(p)AccessController.checkPermission(p)

pp

pp

pp

pp

p = new FilePermission("audit.txt","write");q = new SocketPermission("ibm.com","80");

import java.io.*;import java.net.*;import java.security.*;public class LibraryCode2 { private static final String logFileName = "audit.txt"; public static Socket createSocket(String host, int port) throws UnknownHostException, IOException, PrivilegedActionException { Socket socket = new Socket(host, port); File f = new File(logFileName); PrivWriteOp op = new PrivWriteOp(host, port, f); FileOutputStream fos = (FileOutputStream) AccessController.doPrivileged(op); BufferedOutputStream bos = new BufferedOutputStream(fos); PrintStream ps = new PrintStream(bos, true); ps.print("Socket " + host + ":" + port); return socket; }}class PrivWriteOp implements PrivilegedExceptionAction { private File f; PrivWriteOp (File f) { this.f = f; } public Object run() throws IOException { return new FileOutputStream(f); }}

ClientClient

LibraryLibrary

createSocket

SocketPermission

FilePermission

Need for Privileged CodeNeed for Privileged Code

Access Control with Privileged CodeAccess Control with Privileged Code

Client.main()Client.main()

Library.createSocket()Library.createSocket()

qq

qq pp

AccessController.doPrivileged(op)AccessController.doPrivileged(op)

op.run()op.run()

pp

pp

FileOutputStream.<init>(logFileName)FileOutputStream.<init>(logFileName)

sm.checkWrite(logFileName)sm.checkWrite(logFileName)

sm.checkPermission(p)sm.checkPermission(p)

AccessController.checkPermission(p)AccessController.checkPermission(p)

pp

pp

pp

pp

p = new FilePermission("audit.txt","write");

Socket.<init>(host,port)Socket.<init>(host,port)

sm.checkConnect(host,port)sm.checkConnect(host,port)

sm.checkPermission(q)sm.checkPermission(q)

AccessController.checkPermission(q)AccessController.checkPermission(q)

qq

qq

qq

qq

q = new SocketPermission("ibm.com","80");

Problems:Problems:1.1. What portions of library code What portions of library code

should be made privileged?should be made privileged?2.2. What permissions are implicitly What permissions are implicitly

extended to client code?extended to client code?3.3. How can unnecessary privileged How can unnecessary privileged

code be detected?code be detected?4.4. How can “tainted variables” be How can “tainted variables” be

detected?detected?

OSGi Security IssuesOSGi Security Issues

• Bundle DevelopersBundle Developers– What Java 2 permissions are required?What Java 2 permissions are required?– Are there inter-plug-in permission dependencies?Are there inter-plug-in permission dependencies?– Where should privileged code be inserted?Where should privileged code be inserted?– Are there any tainted variables?Are there any tainted variables?

• AdministratorsAdministrators– What Java 2 permissions are required?What Java 2 permissions are required?– Should all permissions assigned by a bundle provider Should all permissions assigned by a bundle provider

be trusted?be trusted?– Are plug-ins signed and are digital certificates valid?Are plug-ins signed and are digital certificates valid?– Are there inter-plug-in permission dependencies?Are there inter-plug-in permission dependencies?

What Are Your Choices?What Are Your Choices?

1.1. Leave code unmodifiedLeave code unmodified2.2. Refactor code so permissions not required by Refactor code so permissions not required by

clients. This entails:clients. This entails:– Moving code into initialization routines, etc.Moving code into initialization routines, etc.– Adding the required permissions to the associated Adding the required permissions to the associated

bundle (policy file)bundle (policy file)

3.3. Treat the privileged operation as a trusted library Treat the privileged operation as a trusted library function. This entails: function. This entails:

– Wrapping the privileged operation in a java.security. Wrapping the privileged operation in a java.security. PrivilegedAction or PrivilegedExceptionActionPrivilegedAction or PrivilegedExceptionAction

– Adding the required permissions to the associated Adding the required permissions to the associated bundle (policy file)bundle (policy file)

Traditional ApproachTraditional Approach

SecurityExceptionSecurityExceptions due to:s due to:• Client code being insufficiently Client code being insufficiently

authorizedauthorized• Library code making restricted Library code making restricted

calls on its owncalls on its ownLimitations:Limitations:• Tedious, time consuming, and Tedious, time consuming, and

error proneerror prone• Some permission and Some permission and

privileged-code requirements privileged-code requirements may never be discovered until may never be discovered until run time due to insufficient run time due to insufficient number of test casesnumber of test cases

• Applications may be unstableApplications may be unstable

Client

Library

Core

AllPermission

AllPermission

SecurityExceptionSecurityException

pp rr

qq

pqpq

pqpq qq qq rr rr

{p}

A Better Way with SWORD4JA Better Way with SWORD4J

SecurityManager.checkPermission(p)

pp

pp

pp

ppAccessController.checkPermission(p)

FileOutputStream.<init>()

ppClient

Library pp

Core

pp AccessController.doPrivileged(pa)

pp PrivilegedAction.run()

• Interprocedural analysis for Interprocedural analysis for automatic detection of:automatic detection of:– Library code instructions that are Library code instructions that are

good candidates for becoming good candidates for becoming privilegedprivileged

• The candidate instructions are the The candidate instructions are the closest to the library/core closest to the library/core boundaryboundary

• The permissions implicitly granted The permissions implicitly granted to client code are reportedto client code are reported

• Explanation for privileged Explanation for privileged instructioninstruction

– ““Unnecessary” or “redundant” Unnecessary” or “redundant” privileged codeprivileged code

– Permissions required by codePermissions required by code

3. IBM Security Workbench Development 3. IBM Security Workbench Development Environment for Java (SWORD4J)Environment for Java (SWORD4J)

Securing OSGi, Eclipse, and Java CodeSecuring OSGi, Eclipse, and Java Codewith SWORD4Jwith SWORD4J

1.1. Determining Java 2 security permission requirementsDetermining Java 2 security permission requirements– OSGi bundlesOSGi bundles– Eclipse plug-insEclipse plug-ins– Java ApplicationsJava Applications

2.2. AuthorizationAuthorization– Adding privileged code where appropriateAdding privileged code where appropriate– Granting permissions by bundleGranting permissions by bundle

3.3. Digital key managementDigital key management– Code signingCode signing– Certificate managementCertificate management

4.4. DeploymentDeployment– Verify signed bundle signaturesVerify signed bundle signatures– Verify granted bundle permissionsVerify granted bundle permissions

4. SWORD4J Demo4. SWORD4J Demo

Static Analysis Engine (Eclipse and OSGi Aware)

JAR Inspection

Java Bytecode Analysis (JaBA)Java Bytecode Analysis (JaBA)

Call GraphCall Graph

Access-RightsAnalysis

Access-RightsAnalysis

Privileged-CodePlacement Analysis

Privileged-CodePlacement Analysis

Tainted-VariableAnalysis

Tainted-VariableAnalysis

Object CodeSecurity Policy

Code ArchitectureInspection

Code ArchitectureInspection

CertificateInspectionCertificateInspection

PermissionInspectionPermissionInspection

KeyStore Editor JAR Signer

Call PathAnalysisCall PathAnalysis

SWORD4J ArchitectureSWORD4J Architecture

SWORD4J SummarySWORD4J Summary

• New Eclipse-based analysis tool for inspecting and New Eclipse-based analysis tool for inspecting and analyzing OSGi bundles, Eclipse plug-ins, and analyzing OSGi bundles, Eclipse plug-ins, and Java programsJava programs

• Includes the following plug-ins:Includes the following plug-ins:– Java 2 Security AnalysisJava 2 Security Analysis– Jar InspectionJar Inspection– Jar SigningJar Signing– KeyStore editorKeyStore editor

SWORD4J FeaturesSWORD4J Features

• Security AnalysesSecurity Analyses– Permission analysisPermission analysis– Privileged code analysisPrivileged code analysis

• Code SigningCode Signing– SWORD4J provides a JAR signing GUISWORD4J provides a JAR signing GUI

• KeyStore ManagementKeyStore Management– SWORD4J provides a KeyStore editor for managing Java SWORD4J provides a KeyStore editor for managing Java

KeyStoresKeyStores• Change password, edit certificate aliases, export certificates, import Change password, edit certificate aliases, export certificates, import

certificates, generate self-signed certificates, change key entry certificates, generate self-signed certificates, change key entry passwords, copy key entries between KeyStorespasswords, copy key entries between KeyStores

• Jar InspectorJar Inspector– Displays JAR architectureDisplays JAR architecture– Displays Signing informationDisplays Signing information– Displays OSGi bundle permission requirements.Displays OSGi bundle permission requirements.

Additional Information – Thank You!Additional Information – Thank You!

• E-mail:E-mail:– pistoia@us.ibm.compistoia@us.ibm.com– habeck@us.ibm.comhabeck@us.ibm.com– koved@us.ibm.comkoved@us.ibm.com

• WebWeb– SWORD4J Download:SWORD4J Download:

• http://www.alphaworks.ibm.com/tech/sword4jhttp://www.alphaworks.ibm.com/tech/sword4j

– Personal:Personal:• http://www.research.ibm.com/people/p/pistoiahttp://www.research.ibm.com/people/p/pistoia• http://http://www.research.ibm.com/people/k/kovedwww.research.ibm.com/people/k/koved

– Java Security Project:Java Security Project:• http://http://www.research.ibm.com/javasecwww.research.ibm.com/javasec

– Eclipse security: Eclipse security: http://http://www.eclipse.orgwww.eclipse.org/equinox//equinox/

• BooksBooks