Applet Security and the Core Java Security Model

Applet Security
Team Web
Charles Moen and XiaoJun Zhang
CSCI 5931.01 Web Security
March 26, 2003
Topics
The Sandbox
Stepping Outside the Sandbox
Applets & the Policy File
RSA-Signed Applets
The Java Plug-in
Signed Applets in Netscape
Signed Applets in MS Internet Explorer
Secure JDBC Connection for Applets
2
Java 2 Security Model
Policy-based
Security policy limits the resources a program can use
java.policy
Permissions
Actions that are allowed
3
The Sandbox
[Diagram labels: Server, HTTP, Applet, Client, Java Virtual Machine, Sandbox, Local Code, Operating System, Memory]
4
Stepping Outside the Sandbox
Many reasons for stepping outside the sandbox
Java 2 Security Model—two methods
The client can grant permissions by editing the policy file, java.policy
The developer can use an RSA-signed applet that can be granted or denied permission by the client
5
Stepping Outside the Sandbox in Java 2—The Policy File
[Diagram labels: Server, HTTP, Applet, Client, Java Virtual Machine, Local Code, Operating System, Memory, Policy, Edit; java.policy: grant … SocketPermission; FilePermission;]
6
Stepping Outside the Sandbox in Java 2—RSA-Signed Applets
[Diagram labels: Server, HTTP, JAR, Applet, Client, Certificate Authority, Java Virtual Machine, Local Code, Operating System, Memory; captions: "Signs a JAR file with RSA", "Verifies the signer"]
7
The Java Plug-in
Downloadable helper program that works with a browser
Consistent runtime environment for Java
Supports all Java functions
Can be called instead of the browser’s VM
Introduced with Java 2
Part of JDK and JRE
Downloaded the first time it is needed by browser
8
The Java Plug-in
Advantages
Consistency across browsers
Java capabilities provided to old browsers
Same security model as Java 2
Major browsers had different security models
Differences require different development
Weakness
Huge download—5 to 6 MB
9
Example 1: Applets & the Policy File
Stepping out of the sandbox, method 1
Create an applet, Java Security, p. 205

    public void init() {
        try {
            // Reading user.name requires PropertyPermission "user.name", "read"
            mUsername = System.getProperty("user.name");
        } catch (SecurityException e) {
            // The sandbox denied the read
            mUsername = null;
        }
    }

    <APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200"></APPLET>
10
Example 1: Applets & the Policy File
C:\> appletviewer UsernameApplet.html
11
Example 1: Applets & the Policy File
Use a policy file: UsernameApplet.policy

    grant codeBase "file:${/}devJava${/}*" {
        permission java.util.PropertyPermission "user.name", "read";
    };

    appletviewer -J-Djava.security.policy=UsernameApplet.policy UsernameApplet.html
12
Running Example 1 in a Browser
1. Change APPLET to OBJECT
APPLET is deprecated
Specify codebase for downloading plug-in
Use HTMLConverter
2. Edit java.policy
Grant permission, like in our example
13
1. Change APPLET to OBJECT
HTMLConverter
Bundled in J2SE SDK (error on p. 206)
http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html
Either command line or GUI
    > java HTMLConverter <the html file>
Result on page 207
For IE, converts to OBJECT element
For NS, converts to EMBED element
14
C:\jdk1.4.1\lib>..\bin\java -jar htmlconverter.jar -gui
15
2. Edit java.policy
Must be done by the user
Location is problematic
C:\Program Files\Java\j2re1.4.0_01\lib\security
C:\j2sdk1.4.0_01\jre\lib\security
UHCL PC Lab: unable to edit
Add the following to run our example:

    grant codeBase "file:${/}devJava${/}*" {
        permission java.util.PropertyPermission "user.name", "read";
    };
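
The grant shown in Example 1 and again under "2. Edit java.policy" is scoped by codeBase and names a single permission. As an added example (Python, not from the slides or the book), this sketch parses policy text and flags grants that are broader than that; the second and third grants in the sample and the wording of the findings are constructed for illustration.

```python
import re

# Constructed sample: the slides' grant (1) plus two over-broad grants for contrast.
SAMPLE_POLICY = r'''
// UsernameApplet.policy, as on the slides
grant codeBase "file:${/}devJava${/}*" {
    permission java.util.PropertyPermission "user.name", "read";
};
/* constructed: no codeBase or signedBy, so it applies to all code */
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
grant signedBy "appletsigningkey" {
    permission java.security.AllPermission;
};
'''

QUOTED = r'"[^"]*"'
# Quoted strings are matched as units so the braces in "${/}" do not end a block.
GRANT_RE = re.compile(r'\bgrant\b((?:%s|[^{"])*)\{((?:%s|[^}"])*)\}\s*;' % (QUOTED, QUOTED), re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)((?:%s|[^;"])*);' % QUOTED, re.I)

def strip_comments(text):
    # Keep quoted strings so the "//" in a URL codeBase is not taken for a comment.
    return re.sub(r'(%s)|/\*.*?\*/|//[^\n]*' % QUOTED, lambda m: m.group(1) or "", text, flags=re.S)

def parse_grants(text):
    grants = []
    for head, body in GRANT_RE.findall(strip_comments(text)):
        scope = {k.lower(): v for k, v in re.findall(r'\b(signedBy|codeBase)\s+"([^"]*)"', head, re.I)}
        perms = [(cls, re.findall(r'"([^"]*)"', args)) for cls, args in PERM_RE.findall(body)]
        grants.append({"codebase": scope.get("codebase"), "signedby": scope.get("signedby"), "perms": perms})
    return grants

def audit(text):
    findings = []  # (grant number, finding) pairs
    for n, g in enumerate(parse_grants(text), 1):
        if not (g["codebase"] or g["signedby"]):
            findings.append((n, "applies to all code: no codeBase or signedBy"))
        for cls, args in g["perms"]:
            if cls == "java.security.AllPermission":
                findings.append((n, "AllPermission grants every permission"))
            elif cls == "java.io.FilePermission" and args[:1] == ["<<ALL FILES>>"]:
                findings.append((n, "FilePermission on <<ALL FILES>>"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE_POLICY):
        print("grant %d: %s" % (n, msg))
```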
16
Open UsernameApplet.HTML
17
Example 2: RSA Signed Applets
Stepping out of the sandbox, method 2
Real deployment requires a certificate from Verisign or Thawte
Jarsigner can sign applets
If the Java plug-in finds an RSA-signed digital certificate in a downloaded JAR:
Checks security policy for “usePolicy”
Checks the signature’s CA
Then asks user if it’s okay
18
Example 2: RSA Signed Applets
Step 1: Generate a key and certificate
Step 2: Install the certificate
Step 3: Create the JAR and sign it
Step 4: Deploy the JAR in the HTML
Step 5: Open the HTML in a browser
19
1. Generate a key & certificate
Use the keytool to generate a key
    C:\>keytool -genkey -alias appletsigningkey -keyalg RSA
For real deployment
Page 212
Create a csr file with “-certreq”
Order a signed certificate from a CA
Export the certificate
    C:\>keytool -export -alias appletsigningkey -file appletsigningkey.cer
20
2. Install the certificate
Windows
Double-click on the filename
Click on the “Install Certificate” button
Follow the steps in the Wizard, pp. 210–211
21
3. Create the JAR and sign it
Create a JAR containing our applet class
    C:\> jar cvf UsernameApplet.jar UsernameApplet.class
Sign the JAR with jarsigner
    C:\> jarsigner UsernameApplet.jar appletsigningkey
22
4. Deploy the JAR in HTML
Add the “ARCHIVE” attribute
(Not mentioned in the book, p. 212)

    <APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200" ARCHIVE="UsernameApplet.jar"></APPLET>

Can then use HTMLConverter
23
5. Open the HTML in browser
Click to Grant
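
After Step 3 it is worth confirming which entries the signature actually covers. This added example (Python, not from the slides) goes beyond them by reading a JAR's META-INF signature file and listing the payload entries it does not name; it is a structural check only and does not validate the RSA signature or the certificate, which jarsigner -verify does. The sample JAR, its SIGNER.* file names and Helper.class are constructed placeholders.

```python
import io
import zipfile

def build_sample_jar():
    # Constructed stand-in for a signed UsernameApplet.jar: file names, digest
    # and signature block are placeholders, and Helper.class was "added later".
    sf = ("Signature-Version: 1.0\r\n\r\n"
          "Name: UsernameApplet.class\r\nSHA-256-Digest: placeholder\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SIGNER.SF", sf)
        jar.writestr("META-INF/SIGNER.RSA", b"placeholder")
        jar.writestr("UsernameApplet.class", b"\xca\xfe\xba\xbe")
        jar.writestr("Helper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def signed_names(sf_text):
    # Entry names listed in a .SF file; a line starting with one space
    # continues the previous line (manifest lines wrap at 72 bytes).
    names, current = set(), None
    for line in sf_text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and current is not None:
            current += line[1:]
            continue
        if current is not None:
            names.add(current)
        current = line[len("Name: "):] if line.startswith("Name: ") else None
    if current is not None:
        names.add(current)
    return names

def signature_coverage(jar_bytes):
    # Per signature file: is a signature block present, and which payload
    # entries does the signature file not name? An empty dict means unsigned.
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = jar.namelist()
        payload = {n for n in entries
                   if not n.upper().startswith("META-INF/") and not n.endswith("/")}
        for sf in [n for n in entries if n.upper().startswith("META-INF/")
                   and n.upper().endswith(".SF")]:
            base = sf[:-len(".SF")]
            block = any(base + ext in entries for ext in (".RSA", ".DSA", ".EC"))
            covered = signed_names(jar.read(sf).decode("utf-8"))
            report[base.rsplit("/", 1)[-1]] = {"block": block,
                                               "unsigned": sorted(payload - covered)}
    return report
```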
24
Signed Applets in Netscape
Netscape 6 and 7 use the Java plug-in
Netscape 4 uses its own security model
Applet asks for permission
Called the Capabilities API
Uses proprietary Netscape classes
Incompatible with any other browser
25
Signed Applets in Netscape 4
Modifications that use the Capabilities API, page 215

    public void init() {
        try {
            // Ask Netscape for the privilege only around the call that needs it
            PrivilegeManager.enablePrivilege("UniversalPropertyRead");
            mUsername = System.getProperty("user.name");
            PrivilegeManager.revertPrivilege("UniversalPropertyRead");
        } catch (SecurityException e) {
            mUsername = null;
        }
    }

    C:\> javac -classpath .;capsapi_classes.zip UsernameNetscapeApplet.java
26
Signed Applets in Netscape 4
Deploying the applet
Must be signed
Use Netscape’s signtool
Initialize the certificate database
Using Netscape, page 217
Click on the lock icon at the lower left
Click on Certificate > Yours
Click on “Import a Certificate”
Set the password, then Cancel the import
27
Signed Applets in Netscape 4
Create a self-signed certificate and key
    C:\> signtool -G"testsigner" -d"C:\Program Files\Netscape\Users\crmoen"
Create a directory and put in the class
Create a signed JAR
    C:\> signtool -d"C:\Program Files\Netscape\Users\crmoen" -k"testsigner" -Z"netscapeApplet.jar" jar_directory
Add an ARCHIVE attribute to the HTML
Open the HTML file in Netscape, p. 220
28
Signed Applets in Microsoft IE
Microsoft VM security model
As of Jan. 21, 2003, by court order
Microsoft VM support discontinued
Tools are no longer available
Sun JRE is provided with IE
“…the U.S. District Court in Baltimore, Md. issued a preliminary injunction order requiring Microsoft to include the latest Java Runtime Environment (JRE) from Sun Microsystems in…versions of the Microsoft® Windows® XP operating system or Microsoft Internet Explorer…” [5]
MS recommends: convert applets to .NET
29
Signed Applets in Microsoft IE
Security levels for applets
High—the sandbox
Medium—some extras like disk scratch files
HOWTO: Using Scratch Space From Your Java Applet - http://support.microsoft.com/default.aspx?scid=kb;EN-US;172200
Low—same as AllPermission in Java 2
Custom—similar to policy file in Java 2
Cab files are used for signed applets
Tools are in the Microsoft SDK for Java (No longer available)
30
Secure JDBC Connection for Applets [6]
The problem
Firewalls interfere with the connection between a Java applet and an external db
The solution from IDS Software
The applet uses an IDS JDBC driver to connect to an IDS server using HTTPS
31
Secure JDBC Connection for Applets [6]
The client is behind a firewall.
The proxy server relays the client’s HTTP and/or HTTPS requests.
Proxy relays HTTP requests
To provide Internet access
Parses the content
Assumes the connection is non-persistent and drops the connection
Proxy also relays HTTPS requests
Assumes that it cannot parse content
Cannot drop connection until client does
32
Secure JDBC Connection for Applets [6]
Required conditions
Proxy allows outbound HTTPS connections
Applet must obtain the browser proxy server setting
Applet must be signed
IDS server must use ports 443 or 563
ProxyProperties class from IDS
Obtains the proxy settings
Instance passed to the IDS driver when it creates a connection to the db
33
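Secure JDBC Connection for Applets [6]

    import java.sql.Connection;
    import java.sql.Driver;
    import java.util.Properties;

    Driver drv = new ids.sql.IDSDriver();
    Properties info = new ProxyProperties(); // IDS class that obtains the proxy settings
    String host = info.getProperty("https.proxyHost");
    if (host != null) {
        info.put("proxy_type", "4"); // SSL Tunneling
        info.put("proxy_host", host);
        info.put("proxy_port", info.getProperty("https.proxyPort"));
        try { // For Netscape
            PrivilegeManager.enablePrivilege("UniversalConnect");
        } catch (Throwable e) { } // ignored when the Netscape classes are unavailable
    }
    // url: the JDBC URL of the IDS server (not shown on the slide)
    Connection conn = drv.connect(url, info);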
34
Secure JDBC Connection for Applets [6]
[Diagram labels: Client, Applet, JDBC IDS driver, HTTPS, Proxy Server, client-side firewall, Port 443, IDS Server, DB]
35
Bibliography
[1] J. Garms and D. Somerfield. Professional Java Security. Birmingham, UK: Wrox Press Ltd., 2001, pp. 202–228.
[2] M. Pistoia, et al. Java 2 Network Security, 2nd ed. New Jersey: Prentice Hall PTR, 1999.
[3] J. Conallen. Building Web Applications with UML. Addison-Wesley, 2000, pp. 70–72.
[4] Sun (n.d.). Developer Guide FAQs. [Online]. Available: http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html
[5] Microsoft (2003, Jan.). Microsoft VM Developer FAQ. [Online]. Available: http://www.microsoft.com/java/developerFAQ.htm
[6] IDS Software (1999, Nov.). JDBC Connection via HTTPS Proxy. [Online]. Available: http://www.idssoftware.com/jdbchttps.html
36