Java Security
by
Drew Dean
Edward W. Felten
and
Dan S. Wallach
Version 02U-1
Computer Security: Art and Science
1
Topics
Introduction
Java Semantics
Taxonomy of Java Bugs
Security Analysis
Flexible Security for Applets
Conclusion
Introduction
Java and the HotJava browser it supports are insecure due to:
Implementation errors
Unintended interactions between browser features
Differences between the Java language and bytecode semantics
Weaknesses in the design of the language and bytecode format
Weaknesses in the design methodology used in creating Java and the browsers
Java Semantics
System Name Space
Shared by all name spaces
Always searched first
Prevents downloaded code from overriding a system class.
Java Semantics (Contd)
Mechanism of the Java runtime system to fetch bytecode:
Calls a subclass of the abstract class ClassLoader
ClassLoader defines an interface for the runtime system to ask a Java program to provide a class.
Classes are transported across the network as byte streams, and reconstituted into class objects by subclasses of ClassLoader.
Java Semantics (Contd)
Safety of Java bytecode
Array stores require run-time type checks as well as ordinary array bounds checks.
Example: Suppose A is a subtype of B. Java rules say that A[] is a subtype of B[].
void proc(B[] x, B y) {
    x[0] = y;
}
If x is actually an A[], storing a plain B into it must be rejected at run time.
Dynamic typing checks introduce a performance penalty.
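The proc() example above is completed here as an added, runnable demonstration of the run-time array store check; it is not code from the paper. The classes A and B are constructed stand-ins for the slide's types.

```java
/*
 * Added example (not from the paper): why x[0] = y needs a run-time check.
 * A and B are constructed stand-ins for the slide's types.
 */
class B {}
class A extends B {}

public class ArrayStoreDemo {
    // Statically well typed: x is a B[], y is a B, so the assignment compiles.
    static void proc(B[] x, B y) {
        x[0] = y;
    }

    // Returns true if the runtime rejected the store.
    static boolean storeRejected() {
        B[] x = new A[1];       // legal: A[] is a subtype of B[]
        try {
            proc(x, new B());   // a plain B does not belong in an A[]
            return false;
        } catch (ArrayStoreException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("store rejected: " + storeRejected());
        // Without the check, x[0] would hold a B, and any later read
        // through an A[] reference would be a type-confusion hole.
    }
}
```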
Java Security Mechanisms
SecurityManager class
Defines and implements a security policy
Issues
No security manager runs when the Java runtime system starts.
The web browser or other user agent has to install a security manager before executing untrusted code.
The purpose of the SecurityManager class is to define an interface for access control.
The default SecurityManager implementation throws a SecurityException for all access checks, forcing the user agent to define and implement its own policy in a subclass of SecurityManager.
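As an added example of the user-agent subclass the slide calls for (not code from the paper or any browser), the following SecurityManager denies every check by default and opens exactly two holes. The policy itself, the origin host and the sandbox directory are constructed assumptions. Caveat for anyone trying this today: SecurityManager is deprecated for removal since Java 17, JDK 18 to 23 require the JVM flag -Djava.security.manager=allow before setSecurityManager() works, and from JDK 24 on it cannot be installed at all.

```java
import java.io.FilePermission;
import java.security.Permission;

/*
 * Added example, not code from the paper or any browser: a user-agent style
 * SecurityManager subclass. The policy (one readable directory, one host,
 * nothing else) is a constructed assumption for illustration.
 */
public class AppletSecurityManager extends SecurityManager {
    private final String originHost;
    private final String readableDir;

    AppletSecurityManager(String originHost, String readableDir) {
        this.originHost = originHost;
        this.readableDir = readableDir;
    }

    // Deny by default: every check the runtime makes ends up here unless an
    // override below allows it. This mirrors the JDK 1.0 behaviour the slide
    // describes, where the base class threw for everything.
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission
                && perm.getActions().equals("read")
                && perm.getName().startsWith(readableDir)) {
            return; // reads under the sandbox directory are allowed
        }
        // Covers getenv.*, createClassLoader, setSecurityManager, exitVM, ...
        throw new SecurityException("denied: " + perm);
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    // Network: only back to the host the applet came from.
    @Override
    public void checkConnect(String host, int port) {
        if (!originHost.equalsIgnoreCase(host)) {
            throw new SecurityException("connect to " + host + ":" + port + " denied");
        }
    }

    @Override
    public void checkConnect(String host, int port, Object context) {
        checkConnect(host, port);
    }

    public static void main(String[] args) {
        // The runtime starts with no manager at all; the user agent must
        // install one before any untrusted code runs.
        System.out.println("manager before install: " + System.getSecurityManager());
        System.setSecurityManager(
                new AppletSecurityManager("applets.example", "/tmp/sandbox/"));
        try {
            System.getenv("HOME"); // checks RuntimePermission("getenv.HOME")
            System.out.println("getenv allowed (policy hole)");
        } catch (SecurityException e) {
            System.out.println("getenv blocked: " + e.getMessage());
        }
        try {
            // Name resolution and the socket itself both go through checkConnect.
            new java.net.Socket("mail.internal.example", 25);
        } catch (SecurityException e) {
            System.out.println("connect blocked: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("connect not blocked, I/O error: " + e);
        }
    }
}
```

Routing every overridden check back into checkPermission() keeps the policy in one place, which is the property the "not always invoked" and "not verifiable" criticisms later in the deck are about: a subclass that scatters allow decisions across the dozens of check* methods is hard to audit.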
Taxonomy of Java Bugs
Denial of Service Attacks
Busy waiting to consume CPU cycles, and allocating memory until the system runs out, starving other threads and processes.
Applets can acquire locks on critical pieces of the browser to cripple it:
synchronized (Class.forName("net.www.html.MeteredStream")) {
    while (true) Thread.sleep(10000);
}
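The lock attack on the slide works because synchronized methods lock on the class object, which any code that can name the class can also lock. The added example below (not code from the paper or HotJava; MeteredStream here is a constructed stand-in for the HotJava class) shows the vulnerable and the hardened form side by side and checks that the hardened path still makes progress while the class lock is held.

```java
/*
 * Added example (not from the paper or HotJava). MeteredStream is a
 * constructed stand-in: a counter that browser code updates per byte.
 */
public class MeteredStream {
    private static long bytesSeen;
    // Not reachable from outside the class, so nobody else can synchronize on it.
    private static final Object COUNTER_LOCK = new Object();

    // Vulnerable form: "static synchronized" locks MeteredStream.class, and
    // any code that can name the class can hold that lock indefinitely.
    static synchronized void countUnsafe(int n) {
        bytesSeen += n;
    }

    // Hardened form: same invariant, private lock object.
    static void count(int n) {
        synchronized (COUNTER_LOCK) {
            bytesSeen += n;
        }
    }

    static long total() {
        synchronized (COUNTER_LOCK) {
            return bytesSeen;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // A thread holding the public class lock, as in the slide's attack.
        Thread hog = new Thread(() -> {
            synchronized (MeteredStream.class) {
                try {
                    Thread.sleep(Long.MAX_VALUE);
                } catch (InterruptedException ignored) {
                    // exit when interrupted
                }
            }
        });
        hog.setDaemon(true);
        hog.start();
        Thread.sleep(100); // give the hog time to acquire the class lock

        // The hardened path is unaffected by the held class lock.
        count(1500);
        System.out.println("counted " + total() + " bytes while the class lock was held");

        // countUnsafe(1) here would block until the hog releases MeteredStream.class,
        // which in the attack is never.
    }
}
```

The same reasoning applies to synchronized(this) in a public object: if untrusted code can obtain the reference, it can hold the monitor. Locks that guard browser-internal state should be private objects, or java.util.concurrent locks acquired with a timeout so a stalled acquisition can be detected and reported.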
Taxonomy of Java Bugs (Contd)
An attack can be programmed to occur after some time delay, causing the failure to occur when the user is viewing a different web page, thereby masking the source of the attack.
Degradation of Service: significantly reduces the performance of the browser without stopping it.
The lock-based attack could be used to hold a critical system lock most of the time, releasing it only briefly and occasionally.
Taxonomy of Java Bugs (Contd)
Two versus Three Party Attacks
Two Party Attack: requires that the web server the applet resides on participate in the attack.
Three Party Attack: can originate from anywhere on the internet, and might spread if it is hidden in a useful applet that gets used by many web pages.
Taxonomy of Java Bugs (Contd)
Figure 2. A Three Party Attack — Charlie produces a Trojan horse applet. Bob likes it and uses it in his Web page. Alice views Bob’s Web page and Charlie’s applet establishes a covert channel to Charlie. The applet leaks Alice’s information to Charlie. No collusion with Bob is necessary.
Taxonomy of Java Bugs (Contd)
Information Available to Applets
At a minimum, an applet can consume all the free space in the file system.
User’s login name, machine name, the contents of all environment variables:
System.getenv() in HotJava has no security checks.
Netscape and the JDK do not allow access to environment variables by applets.
Taxonomy of Java Bugs (Contd)
Figure 4. DNS subversion of Java: an applet travels from attacker.com to victim.org through normal channels. The applet then asks to connect to foo.attacker.com, which is resolved by attacker.com’s DNS server to be victim.org’s internal mail server, which can then be attacked.
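The DNS subversion in Figure 4 succeeds when the origin check compares host names. The added example below (not code from the paper or any browser) shows the defensive alternative: resolve the origin once at load time, and admit a connection only if every address the requested name resolves to belongs to that origin, then connect by address rather than by name. The Resolver interface, OriginConnectCheck class and all host and address values are constructed for the example; a real user agent would resolve with InetAddress.getAllByName.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example (not from the paper): an origin check that compares resolved
 * addresses rather than host names. Resolver is a constructed abstraction so
 * the example runs offline with fabricated DNS answers.
 */
public class OriginConnectCheck {
    interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    private final Set<InetAddress> originAddresses;
    private final Resolver resolver;

    // Resolve the applet's origin once, at load time, and remember the addresses.
    OriginConnectCheck(String originHost, Resolver resolver) throws UnknownHostException {
        this.resolver = resolver;
        this.originAddresses = new HashSet<>(Arrays.asList(resolver.resolve(originHost)));
    }

    // Returns the pinned address to connect to, or throws SecurityException.
    // Every address the name resolves to must belong to the origin; one match
    // is not enough, otherwise an attacker-controlled name could list a victim
    // address next to a legitimate one.
    InetAddress allowConnect(String host) throws UnknownHostException {
        InetAddress[] resolved = resolver.resolve(host);
        for (InetAddress a : resolved) {
            if (!originAddresses.contains(a)) { // InetAddress equality is by address bytes
                throw new SecurityException(host + " resolves to " + a.getHostAddress()
                        + ", outside origin " + originAddresses);
            }
        }
        // Connect by address, not by name: a second lookup could answer differently.
        return resolved[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed DNS answers standing in for the slide's scenario.
        InetAddress attackerWeb =
                InetAddress.getByAddress("attacker.com", new byte[] {(byte) 192, 0, 2, 10});
        InetAddress victimMail =
                InetAddress.getByAddress("mail.victim.org", new byte[] {10, 0, 0, 25});
        Resolver fakeDns = host -> {
            switch (host) {
                case "attacker.com":
                    return new InetAddress[] {attackerWeb};
                case "foo.attacker.com":
                    return new InetAddress[] {victimMail}; // the lying answer from Figure 4
                default:
                    throw new UnknownHostException(host);
            }
        };

        OriginConnectCheck check = new OriginConnectCheck("attacker.com", fakeDns);
        System.out.println("attacker.com -> "
                + check.allowConnect("attacker.com").getHostAddress());
        try {
            check.allowConnect("foo.attacker.com");
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Pinning the origin addresses at load time also closes the variant where the attacker's DNS server answers truthfully for the first lookup and changes its answer later; the check never trusts a fresh lookup of the origin name on its own.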
Taxonomy of Java Bugs (Contd)
Buffer Overflows
sprintf(): HotJava and the alpha release of the JDK used stack-allocated buffers, yet did not check for buffer overflows.
Disclosing Storage Layout: the Java library allows an applet to learn where in memory its objects are stored.
hashCode() casts the address of the object’s internal storage to an integer and returns it, thereby exposing more internal state than necessary.
Taxonomy of Java Bugs (Contd)
Public Proxy Variables
We can change the browser’s HTTP and FTP proxy servers. We can set up our own proxy server as a man-in-the-middle.
We can both watch and edit all the traffic to and from the HotJava browser.
Use the security manager’s put() method to store our desired proxy in the property manager’s database. If the user is then tricked into printing a web page, these settings will be saved to the disk, and will be the default setting next time the user starts HotJava.
Java Language and Bytecode Differences
Superclass constructor attack:
class CL extends ClassLoader {
    CL() {
        try { super(); }
        catch (Exception e) {
        }
    }
}
This is illegal in Java source, where the call to super() must be the first statement of a constructor, but the bytecode verifier accepted it: the SecurityException that ClassLoader’s constructor throws for untrusted callers is caught, and the subclass object is constructed anyway.
ClassLoader gives an attacker the ability to defeat Java’s type system.
David Hopwood attack
Malicious code is treated as trusted and can bypass the runtime and access the operating system with the full privileges of the user.
Java Language and Bytecode Weaknesses
Language Weaknesses
Has neither a formal semantics nor a formal description of its type system.
The package system provides only basic modules.
Java allows methods to be called from the constructor.
Bytecode Weaknesses
In Java bytecode, the verifier must show that all possible execution paths have the same virtual machine configuration: more complicated and hence more prone to error.
The present verifier cannot be proven correct because there is no formal description of the type system.
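"Java allows methods to be called from the constructor" is listed above as a language weakness without saying why. The added example below (not code from the paper; the Sandbox, LeakySandbox and SafeSandbox classes are constructed for illustration) shows the failure mode: an overridable method invoked from a superclass constructor runs while the subclass part of the object is still in its zeroed default state, so subclass code observes, and can leak, a partially constructed object. The hardened form uses a factory so no dynamic dispatch happens before construction completes.

```java
/*
 * Added example (not from the paper): why calling methods from a constructor
 * is a weakness. All classes here are constructed for illustration.
 */
class Sandbox {
    private final boolean trusted;

    Sandbox(boolean trusted) {
        this.trusted = trusted;
        // Weak: an overridable method runs while the subclass half of the
        // object is still in its default (zeroed) state.
        configure();
    }

    void configure() {}

    final boolean isTrusted() { return trusted; }
}

class LeakySandbox extends Sandbox {
    // This initialiser runs only after Sandbox's constructor has returned.
    private String label = "untrusted";
    static String observed;

    LeakySandbox() {
        super(false);
    }

    @Override
    void configure() {
        // Invoked from the superclass constructor: label is still null here,
        // and "this" could be stashed somewhere before construction finishes.
        observed = String.valueOf(label);
    }
}

// Hardened form: nothing overridable runs before the object is complete.
final class SafeSandbox {
    private final boolean trusted;

    private SafeSandbox(boolean trusted) {
        this.trusted = trusted;
    }

    // Factory: the instance is fully built before any further code sees it.
    static SafeSandbox create(boolean trusted) {
        SafeSandbox s = new SafeSandbox(trusted);
        s.configure();
        return s;
    }

    private void configure() {
        // private and the class is final, so no dynamic dispatch is possible
    }

    final boolean isTrusted() { return trusted; }
}

public class ConstructorDemo {
    public static void main(String[] args) {
        new LeakySandbox();
        // observed is "null": configure() ran before LeakySandbox's own
        // field initialiser, so the subclass saw its unfinished self.
        System.out.println("label seen during construction: " + LeakySandbox.observed);
        System.out.println("safe sandbox trusted: " + SafeSandbox.create(false).isTrusted());
    }
}
```

The same rule is what later made the superclass-constructor attack on the previous slide dangerous in the other direction: if construction can be observed or interrupted before it completes, any invariant the constructor was supposed to establish cannot be relied on.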
Security Analysis
Policy
Lack of a formally defined security policy
SecurityManager pitfalls:
Not always invoked
Not tamperproof
Not verifiable
Integrity
The browser’s internal state is stored in public variables and classes, which compromises the Java runtime system’s integrity.
Accountability
The Java runtime system does not have a configurable audit system.
Flexible Security for Applets
Networking
An applet should not be able to control the PORT commands sent on its behalf.
Distributed Applications
Applications such as audio/video conferencing, real-time multi-player games, and factoring can be used as applets.
User Interface
The security policy should be flexible enough so as not to make the user disable security.
Applets should request capabilities when they are first loaded. The user’s response should then be logged, alleviating the need for future re-authorization.
Use trusted dialog boxes.
Summary
Java lacks a well-defined, formal security policy, which prevents the verification of an implementation.
The Java language definition could be altered to reduce accidental leaks of information from public variables, and encourage better program structure with a richer module system than Java’s package construct.
Redesign of the Java language, the bytecode format and the runtime system is paramount.
Questions/Comments?