Security Capabilities and Potentials of Java


Description: Security Capabilities and Potentials of Java. D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting, Computer Science & Engineering Department, The University of Connecticut, Storrs, Connecticut 06269-3155. {debs,steve,cecilia,ting}@engr.uconn.edu, http://www.engr.uconn.edu/~steve. PowerPoint (PPT) presentation.


Page 1: Security Capabilities and Potentials of Java

CSE333

IFIP98-1.1

D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting
Computer Science & Engineering Department
The University of Connecticut
Storrs, Connecticut 06269-3155
{debs,steve,cecilia,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818

Page 2: Security Capabilities and Potentials of Java

Overview of Presentation

• Background and Motivation
  • Enterprise Computing and Security
  • Emergence of Java
  • An Overview of Java
• Security Capabilities of Java
• User-Role Based Security (URBS) and Java
• Advanced Security Features and URBS
• Concluding Remarks and Future Work

Page 3: Security Capabilities and Potentials of Java

Enterprise Computing and Security
C/S and Distributed Object Computing

• Authentication: Is the Client who S/he Says they are?
• Authorization: Does the Client have Permission to do what S/he Wants?
• Privacy: Is Anyone Intercepting Client/Server Communications?
• Enforcement Mechanism: Centralized and Distributed “Code” Enforces Security Policy at Runtime

Page 4: Security Capabilities and Potentials of Java

Enterprise Computing and Security
C/S and Distributed Object Computing

• Assurance
  • Are the Security Privileges for Each Client Adequate to Support their Activities?
  • Do the Security Privileges for Each Client Meet but Not Exceed their Capabilities?
• Consistency
  • Are the Defined Security Privileges for Each Client Internally Consistent? Least-Privilege Principle: Just Enough Access
  • Are the Defined Security Privileges for Related Clients Globally Consistent? Mutual Exclusion: Read for Some, Write for Others

Page 5: Security Capabilities and Potentials of Java

Emergence of Java

• Java is Emerging as the OO Language of Choice
• Java’s Pervasiveness in Educational Institutions, from Freshman to Graduate Courses
• Java’s Utilization in …
  • Distributed Internet-Based Applications of All Types
  • Legacy/COTS Integration for Enterprise Computing
  • General-Purpose, Single-CPU Development
• Distributed Object Computing Must Consider Security as a First-Class Citizen
• Exploit Java Security API and URBS?

Page 6: Security Capabilities and Potentials of Java

An Overview of Java

• Java is a Third Generation, General Purpose, Platform Independent, Concurrent, Class-Based, Object-Oriented Language and Environment
• Java Composed of JDK and JRE
  • Java Language
  • Java Packages (Libraries)
  • javac Compiler to Bytecode (p-code)
  • JDB Java Debugger
  • Java Interpreter - Platform Specific
• JDK: Java Development Environment, http://www.javasoft.com/products/jdk/1.2/
• JRE: Java Runtime Environment, http://www.javasoft.com/products/jdk/1.2/jre/index.html

Page 7: Security Capabilities and Potentials of Java

Java Visualization (figure-only slide; the diagram is not reproduced in the transcript)

Page 8: Security Capabilities and Potentials of Java

The Java API Packages

• Application Programming Interface (API): Java Defined - Building Blocks/Libraries
• Java Platform 1.2 Core API:
  java.applet, java.awt, java.awt.datatransfer, java.awt.event, java.awt.image, java.beans, java.io, java.lang, java.lang.reflect, java.math, java.net, java.rmi, java.rmi.dgc, java.rmi.registry, java.rmi.server, java.security, java.security.acl, java.security.interfaces, java.sql, java.text, java.util, java.util.zip
• Focus on java.security

Page 9: Security Capabilities and Potentials of Java

Security Capabilities of Java

• Sandbox and Applet Level Security
  • Downloaded Applets are Confined in a Targeted Portion of the System During Execution
  • Execution of Untrusted Code in a Trusted Way
• What is the Sandbox?
  • Area of the Web Browser Dedicated to the Applet
  • Applet Limited to the Sandbox to Prohibit Access to the Local Machine/Environment
  • Utilizes Class Loader, Bytecode Verifier, and Security Manager
  • These Three Components Maintain System Integrity
  • How Does this Occur?

Page 10: Security Capabilities and Potentials of Java

Security Capabilities of Java

• Class Loader - Only Load Correct Classes
• Bytecode Verifier - Classes in Correct Format
• Security Manager - Untrusted Classes Can’t Execute Dangerous Instructions nor Access Protected System Resources
• Role of Security Managers
  • Enforces Boundaries of the Sandbox
  • All Java Classes ask the Manager for Permission to Perform Certain Operations
  • Implements/Imposes the Application Security Policy
  • Java Interface Class Implementable by Users
  • Integrated with Exception Handling of Java

Page 11: Security Capabilities and Potentials of Java

Security Capabilities of Java: Digital Signatures and JAR Files

• When Can Applets Become Applications?
  • Trusted Publisher (Originator of Applet)
  • Signed Applet is Authenticated
  • Java Security Manager May Allow Applet out of the Sandbox to be an Application
• How is Information Transmitted and Exchanged?
  • JAR: Archived (Compressed) Files
  • Bundling of Code/Data into a Java Archive
  • Associated Digital Signature for Verification
  • Transmission via Object Serialization

Page 12: Security Capabilities and Potentials of Java

Security Capabilities of Java: Message Digest and Key Management

• Message Digest
  • “Speedy” Alternative to Public Key Encryption
  • Generation of a Short, Unique Representation of the Message that is Encrypted and Used as a Digital Signature
  • Message Digest Algorithms (MD5, SHA, …)
• Key Management
  • Integrated Key Management for Java Programs and Applets
  • Ability to Encode/Decode
  • Java API for Generating, Certifying, and Manipulating Keys
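The hash-then-sign flow of the last two slides, as an added example (not the paper's code) using the JDK's java.security API: the publisher digests and signs the applet bytes with a private key, and the receiver verifies with the matching public key, so any tampering after signing fails verification. SHA-256 and RSA are assumed here in place of the slide's MD5/SHA names; the "applet" bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added example: message digest + digital signature with java.security.
// Signature performs hash-then-sign internally; digest() shows the hash alone.
public class DigestAndSignDemo {

    static byte[] digest(byte[] message) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(message);  // 32 bytes
    }

    static byte[] sign(PrivateKey key, byte[] message) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(message);
        return signer.sign();
    }

    static boolean verify(PublicKey key, byte[] message, byte[] sig) throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(message);
        return verifier.verify(sig);          // false if message or sig was altered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();  // the trusted publisher's key pair

        byte[] applet = "constructed applet bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(pair.getPrivate(), applet);
        System.out.println("digest length: " + digest(applet).length + " bytes");
        System.out.println("verifies unmodified: " + verify(pair.getPublic(), applet, sig));

        byte[] tampered = applet.clone();
        tampered[0] ^= 1;                      // flip a single bit after signing
        System.out.println("verifies tampered: " + verify(pair.getPublic(), tampered, sig));
    }
}
```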

Page 13: Security Capabilities and Potentials of Java

Security Capabilities of Java: Access Control Lists (ACLs)

• Control Access to Resources by Permissions
• Classical Security Technique: Data Structure to Protect Resources
• SE Defines Read/Write Permissions Based on Users and User Groups
• Manipulation of the List of Access Privileges
• Support Negative and Positive Permissions
• Paradigm of Individual vs. Group: Individual Permissions Override Group
• See Paper for Detailed Discussion and References

Page 14: Security Capabilities and Potentials of Java

User-Role Based Security and Java

• Public Interface is the Union of All Privileges for All Potential Users
• No Explicit Way to Prohibit Access
• Customizable Public Interface of a Class
  • Access to the Public Interface is Variable and Based on User Needs and Responsibilities
  • Only Give Exactly What’s Needed and No More

    public class PatientRecord {
        // private data and methods as needed
        // (return types are not given on the slide; void is used here)
        public void write_medical_history() { }
        public void write_prescription() { }
        public void get_medical_history() { }
        public void get_diagnosis() { }
        public void set_payment_mode() { }
        // etc.
    }

Slide callouts group the methods by role: “For MDs and Nurses”, “For MDs Only”, and “For Admitting”.

Page 15: Security Capabilities and Potentials of Java

User-Role Subclassing Approach in Java

    // Each public class goes in its own source file.
    public class PatientRecord {
        // private data and methods omitted
        public void write_medical_history() { }
        public void write_prescription() { }
        public void get_medical_history() { }
        public void get_diagnosis() { }
        public void set_payment_mode() { }
    }

    public class Nurse_PatientRecord extends PatientRecord {
        // methods not available to nurses are overridden to do nothing
        public void write_medical_history() { return; }
        public void write_prescription() { return; }
        public void set_payment_mode() { return; }
    }

    public class MD_PatientRecord extends PatientRecord {
        // only payment mode is turned off for MDs
        public void set_payment_mode() { return; }
    }

• Subclasses of PatientRecord Turn Off Methods Not Available
• Software Creates a Nurse_PatientRecord or MD_PatientRecord Instance
• Method Calls Against the Subclass Return Null for Turned-Off Methods
• GUI Tool Works Differently Based on User Role with the Same Code

Page 16: Security Capabilities and Potentials of Java

A Basic Exception Approach in Java

    public class PatientRecord {
        // private data has been omitted
        private int Insurance_Mode;
        // assumed for completeness: the current user is held in a static field
        static User Current_User;

        public void set_payment_mode(int mode) {
            // Insurance_Mode is private data of PatientRecord
            Insurance_Mode = set_int_check_valid_UR(Insurance_Mode, mode);
        }

        // returns the new value i2 if the current user role is authorized,
        // otherwise the old value i1 (ints are passed by value in Java)
        public int set_int_check_valid_UR(int i1, int i2) {
            try {
                // See if Current_User can execute method
                check_UR();
            }
            // catch block to process raised exceptions
            catch (Unauthorized_UR UR_Exception) {
                System.out.println("Attempt to access by unauthorized UR");
                return i1;
            }
            return i2;
        }

        public void check_UR() throws Unauthorized_UR {
            // Incomplete - only to illustrate the concepts!!!
            if (!"Admitting".equals(Current_User.Get_User_Role()))
                throw new Unauthorized_UR();   // raises exception
        }
    }

    // assumed supporting types, not shown on the slide
    class Unauthorized_UR extends Exception { }
    interface User { String Get_User_Role(); }

• Once the Current_User is Set, the Rest of the Tool Code Works without that Knowledge
• Thus, Software Engineers Don’t Need to Know or See the DAC/URBS Details!!
• Exploit Exception Handling for Dynamic Behavior of the Tool by Role

Page 17: Security Capabilities and Potentials of Java

Applicability of URBS Approaches

• All Supported by C++, Eiffel, and Ada95
• User-Role Subclassing Approach
  • Requires SW Engineer to Understand URBS
  • Supported by Java
• Basic Exception Approach
  • Minimizes SW Engineer Exposure to URBS
  • Elegant in Java Due to Exceptions
• User-Role Class Library Approach (not shown)
  • Requires Multiple Inheritance
  • Unsupported in Java - only Design-Level Multiple Inheritance via Interfaces
• Generic Exception Approach (not shown)
  • Exceptions plus Generics Improve Reuse
  • Unsupported in Java - no Templates

Page 18: Security Capabilities and Potentials of Java

Advanced Security Features and URBS

• Focus on the Potentials of Java
• What Other Aspects of Java Can be Exploited?
  • Packages in Java
  • Access Control Lists in the java.security API
  • The Class Class in the java.lang API
  • Aglets - Java Agents
• Examine the Ability of the Above to Support URBS
• Leverage Advanced Features to Enhance and Strengthen URBS Approaches
• Utilize Advanced Features as a Starting Point to Explore New Security Solutions

Page 19: Security Capabilities and Potentials of Java

Packages In Java

• Allows Related Classes to be Grouped into a Larger Abstraction
  • Similar to Ada95 Packages
  • E.g., Package PatientInfo Contains Prescription, PatientGUI, PatientRecord, …
• Utilization of Packages for URBS
  • URSA - Form a Package of PatientRecord, MD_PatientRecord and Nurse_PatientRecord
  • Only the MD_ and Nurse_ Subclasses Visible Outside of the Package
• Overall, Packages Enhance the Control and Visibility to Fine-Tune Who Can See What When
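The URSA packaging the slide describes, as an added example (not the paper's code): PatientRecord is declared without the public modifier so only the role subclasses are reachable outside PatientInfo. The file layout, the Ward class and the method bodies are assumptions.

```java
// --- PatientInfo/PatientRecord.java ---
package PatientInfo;
class PatientRecord {                      // package-private: invisible outside PatientInfo
    public void write_prescription() { }
    public String get_diagnosis() { return "diagnosis"; }
}

// --- PatientInfo/Nurse_PatientRecord.java ---
package PatientInfo;
public class Nurse_PatientRecord extends PatientRecord {
    @Override public void write_prescription() { return; }   // turned off for nurses
}

// --- PatientInfo/MD_PatientRecord.java ---
package PatientInfo;
public class MD_PatientRecord extends PatientRecord { }      // full interface for MDs

// --- Ward.java (default package, i.e. outside PatientInfo) ---
import PatientInfo.*;
public class Ward {
    public static void main(String[] args) {
        Nurse_PatientRecord n = new Nurse_PatientRecord();   // OK: public subclass
        System.out.println(n.get_diagnosis());              // inherited public method is callable
        // PatientRecord p = new PatientRecord();           // compile error: PatientRecord is not public
    }
}
```

Application code outside the package can only ever obtain a role-specific view of the record, which is the "who can see what when" control the slide refers to.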

Page 20: Security Capabilities and Potentials of Java

Access Control Lists in the java.security API

• ACLs Can be Utilized to Control Method Access
  • ACL Composed of ACL Entries
  • ACL Entry: Set of Permissions (Allowable Method Accesses) for Each UR
  • Utilize ACLs as the Implementation Vehicle for URSA, BEA, and Other Approaches
• java.security.acl.Acl Provides the Following:
  • addEntry() and removeEntry()
  • checkPermission(): Can the UR Utilize the Method?
  • addPermission(), checkPermission(), and removePermission() (on ACL entries)
  • setPrincipal(): the UR for which Permissions (Methods) are Assigned/Prohibited
  • Etc…

Page 21: Security Capabilities and Potentials of Java

The Class Class in the java.lang API

• Class and Object Classes Contain Meta-Data
  • Methods Defined that Apply to All System and User Defined Classes
  • Class has Methods that Return the List of Public Methods, List of Member Variables, etc.
• Utilization of the Class Class for URBS
  • For All Approaches, Dynamically Retrieve All Public Methods for Verifying UR Permissions
  • In Conjunction with an ACL, a Powerful Tool to Dynamically Enforce UR Permissions When Assigned/Prohibited Methods Change or Application Classes Evolve or are Added
  • Simplifies Maintenance of the Security Policy
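The ACL-plus-reflection combination of the last two slides, as an added example (not the paper's code): a per-role ACL over PatientRecord's public methods is checked at call time, and Class.getDeclaredMethods() enumerates the public methods so the policy can be re-audited whenever the class evolves. Because the java.security.acl package has since been removed from the JDK, the ACL is a plain Map; the PatientRecord stand-in and the role policy are constructed.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;
// Added example: user-role ACL over PatientRecord's public methods, enforced
// at call time and audited via java.lang.Class reflection. The stand-in
// PatientRecord below and the role policy are constructed for this demo.
class PatientRecord {
    public String get_diagnosis() { return "diagnosis"; }
    public String get_medical_history() { return "history"; }
    public void write_medical_history() { }
    public void write_prescription() { }
    public void set_payment_mode() { }
}
public class RoleAclDemo {
    // role -> public method names it may call; anything not listed is denied
    static final Map<String, Set<String>> ACL = Map.of(
        "Nurse", Set.of("get_medical_history", "get_diagnosis"),
        "MD", Set.of("get_medical_history", "get_diagnosis",
                     "write_medical_history", "write_prescription"),
        "Admitting", Set.of("set_payment_mode"));
    /** checkPermission: may this user role invoke this method name? */
    static boolean checkPermission(String role, String method) {
        return ACL.getOrDefault(role, Set.of()).contains(method);
    }
    /** Public methods of cls that role may NOT call, discovered by reflection
     *  so the policy can be re-audited whenever the class gains methods. */
    static List<String> prohibitedMethods(Class<?> cls, String role) {
        List<String> denied = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods()) {
            if (Modifier.isPublic(m.getModifiers()) && !checkPermission(role, m.getName()))
                denied.add(m.getName());
        }
        Collections.sort(denied);
        return denied;
    }
    /** Invokes a no-argument method only if the ACL permits it. */
    static Object invokeAs(String role, Object target, String method) throws Exception {
        if (!checkPermission(role, method))
            throw new SecurityException(role + " may not call " + method);
        return target.getClass().getMethod(method).invoke(target);
    }
    public static void main(String[] args) throws Exception {
        PatientRecord rec = new PatientRecord();
        System.out.println("Nurse prohibited: " + prohibitedMethods(PatientRecord.class, "Nurse"));
        System.out.println("MD get_diagnosis -> " + invokeAs("MD", rec, "get_diagnosis"));
        try { invokeAs("Nurse", rec, "write_prescription"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Because the deny list is computed from the class's actual public methods rather than a hand-maintained list, a method added to PatientRecord later is prohibited for every role until the ACL explicitly grants it.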

Page 22: Security Capabilities and Potentials of Java

Concluding Remarks

• Explored the Security Capabilities and Potentials of Java, including:
  • Brief Review of the java.security API: Digital Signatures, Message Digests, Key Management, and ACLs
  • Realization and Limitations of URBS in Java
  • Advanced Security Features and the Potential for URBS and Security for DOC
• Future Work
  • Legacy/COTS and Interoperability
  • Emerging Technologies
  • Middleware and OODBSs