Security Capabilities and Potentials of Java
CSE300
D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting
Computer Science & Engineering Department
The University of Connecticut
Storrs, Connecticut 06269-3155
{debs,steve,cecilia,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818
IFIP98-1.1
Overview of Presentation
- Background and Motivation
  - Enterprise Computing and Security
  - Emergence of Java
  - An Overview of Java
- Security Capabilities of Java
- User-Role Based Security (URBS) and Java
- Advanced Security Features and URBS
- Concluding Remarks and Future Work
IFIP98-1.2
Enterprise Computing and Security
C/S and Distributed Object Computing
- Authentication
  - Is the Client who S/he Says they are?
- Authorization
  - Does the Client have Permission to do what S/he Wants?
- Privacy
  - Is Anyone Intercepting Client/Server Communications?
- Enforcement Mechanism
  - Centralized and Distributed “Code”
  - Enforces Security Policy at Runtime
IFIP98-1.3
Enterprise Computing and Security
C/S and Distributed Object Computing
- Assurance
  - Are the Security Privileges for Each Client Adequate to Support their Activities?
  - Do the Security Privileges for Each Client Meet but Not Exceed their Capabilities?
- Consistency
  - Are the Defined Security Privileges for Each Client Internally Consistent?
    - Least-Privilege Principle: Just Enough Access
  - Are the Defined Security Privileges for Related Clients Globally Consistent?
    - Mutual-Exclusion: Read for Some, Write for Others
IFIP98-1.4
Emergence of Java
- Java is Emerging as the OO Language of Choice
- Java’s Pervasiveness in Educational Institutions from Freshman to Graduate Courses
- Java’s Utilization in …
  - Distributed Internet-Based Applications of All Types
  - Legacy/COTS Integration for Enterprise Computing
  - General-Purpose, Single-CPU Development
- Distributed Object Computing Must Consider Security as a First-Class Citizen
- Exploit Java Security API and URBS?
IFIP98-1.5
An Overview of Java
- Java is a Third Generation, General Purpose, Platform Independent, Concurrent, Class-Based, Object-Oriented Language and Environment
- Java Composed of JDK and JRE
  - Java Language
  - Java Packages (Libraries)
  - javac Compiler to Bytecode (p-code)
  - JDB Java Debugger
  - Java Interpreter - Platform Specific
- JDK: Java Development Environment
  http://www.javasoft.com/products/jdk/1.2/
- JRE: Java Runtime Environment
  http://www.javasoft.com/products/jdk/1.2/jre/index.html
IFIP98-1.6
Java Visualization
(Figure-only slide; no text on this slide)
IFIP98-1.7
The Java API Packages
- Application Programming Interface (API)
- Java Defined - Building Blocks/Libraries
- Java Platform 1.2 Core API:
  java.applet, java.awt, java.awt.datatransfer, java.awt.event, java.awt.image,
  java.beans, java.io, java.lang, java.lang.reflect, java.math, java.net,
  java.rmi, java.rmi.dgc, java.rmi.registry, java.rmi.server,
  java.security, java.security.acl, java.security.interfaces,
  java.sql, java.text, java.util, java.util.zip
- Focus on java.security
IFIP98-1.8
Security Capabilities of Java
- Sandbox and Applet Level Security
  - Downloaded Applets are Confined in a Targeted Portion of the System During Execution
  - Execution of Untrusted Code in a Trusted Way
- What is a Sandbox?
  - Area of Web-Browser Dedicated to Applet
  - Applet Limited to Sandbox to Prohibit Access to Local Machine/Environment
  - Utilizes Class Loader, Bytecode Verifier, and Security Manager
  - Three Components Maintain System Integrity
  - How Does this Occur?
IFIP98-1.9
Security Capabilities of Java
- Class Loader - Only Load Correct Classes
- Bytecode Verifier - Classes in Correct Format
- Security Manager - Untrusted Classes Can’t Execute Dangerous Instructions nor Access Protected System Resources
- Role of Security Managers
  - Enforces Boundaries of Sandbox
  - All Java Classes ask Manager for Permission to Perform Certain Operations
  - Implements/Imposes Appl. Security Policy
  - Java Interface Class Implementable by Users
  - Integrated with Exception Handling of Java
IFIP98-1.10
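The following is an added illustration of the security manager's role, not code from the slides: a subclass of java.lang.SecurityManager whose single checkPermission override confines file reads to one sandbox directory. The class name SandboxManager and the sandbox location under java.io.tmpdir are this example's own assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

// Added example (not from the slides): a SecurityManager that lets the JVM and the
// application read their own files but refuses file reads outside one sandbox directory.
public class SandboxManager extends SecurityManager {
    private final String[] readablePrefixes;

    public SandboxManager(String sandboxDir) {
        // The JVM installation and the application's own classes must stay readable,
        // otherwise class loading breaks once the manager is installed.
        readablePrefixes = new String[] {
            absoluteDir(sandboxDir),
            absoluteDir(System.getProperty("java.home")),
            absoluteDir(System.getProperty("user.dir")),
        };
    }

    private static String absoluteDir(String dir) {
        return new File(dir).getAbsolutePath() + File.separator;
    }

    // checkRead(), checkWrite(), checkConnect() etc. in the JDK all funnel into
    // checkPermission(), so one override is enough to impose the policy.
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission && perm.getActions().contains("read")) {
            String target = new File(perm.getName()).getAbsolutePath();
            for (String prefix : readablePrefixes) {
                if (target.startsWith(prefix)) {
                    return;                       // inside an allowed tree
                }
            }
            throw new SecurityException("read outside sandbox: " + target);
        }
        // Toy policy: every other permission is granted. A real policy would also
        // restrict writes, sockets, process execution and reflective access.
    }

    public static void main(String[] args) throws Exception {
        // Sandbox location is an assumption of this example
        String sandbox = System.getProperty("java.io.tmpdir") + File.separator + "sandbox";
        new File(sandbox).mkdirs();                // done before the manager is installed
        System.setSecurityManager(new SandboxManager(sandbox));

        // Inside the sandbox: the permission check passes (the file may still be absent)
        tryRead(new File(sandbox, "notes.txt").getPath());
        // Outside the sandbox: checkRead runs before the file is opened, so the
        // SecurityException is raised whether or not the file exists
        tryRead(File.separator + "outside" + File.separator + "secret.txt");
    }

    private static void tryRead(String path) {
        try {
            new FileInputStream(path).close();
            System.out.println("read allowed: " + path);
        } catch (SecurityException e) {
            System.out.println("blocked by policy: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("allowed by policy but not present: " + path);
        }
    }
}
```

SecurityManager was deprecated for removal in JDK 17 and permanently disabled in JDK 24; on JDK 18 to 23 the call to System.setSecurityManager only succeeds when the JVM is started with -Djava.security.manager=allow. The override shows the shape of the 1998-era mechanism the slide describes: every sensitive operation asks the manager, and the manager answers by returning normally or throwing a SecurityException.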
Security Capabilities of Java
Digital Signatures and JAR Files
- When Can Applets Become Applications?
  - Trusted Publisher (Originator of Applet)
  - Signed Applet is Authenticated
  - Java Security Manager May Allow Applet out of Sandbox to be Application
- How is Information Transmitted and Exchanged?
  - JAR: Archived (Compressed) Files
  - Bundling of Code/Data into Java Archive
  - Associated Digital Signature for Verification
  - Transmission via Object Serialization
IFIP98-1.11
Security Capabilities of Java
Message Digest and Key Management
- Message Digest
  - “Speedy” Alternative to Public Key Encryption
  - Generation of a Short, Unique Representation of Message that is Encrypted and Used as Digital Signature
  - Message Digest Algorithms (MD5, SHA, …)
- Key Management
  - Integrated Key Management for Java Programs and Applets
  - Ability to Encode/Decode
  - Java API for Generating, Certifying, and Manipulating Keys
IFIP98-1.12
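As an added example covering the two preceding slides (digital signatures for JAR files, and message digests with key management), the block below uses the java.security API to digest a constructed archive payload, sign it with a publisher key pair, and verify it with the public key alone. It is not code from the slides; the class name SignedArchiveDemo and the sample payload are this example's own. SHA-256 is used in place of the MD5 and SHA-1 named on the slide, since neither of those is collision resistant any longer.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;

// Added example (not from the slides) of the java.security digest and signature API.
public class SignedArchiveDemo {

    // Message digest: a short, fixed-length fingerprint of arbitrary input.
    static byte[] digest(byte[] message) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(message);
    }

    // Signing: the Signature engine digests the message internally and signs that
    // digest with the publisher's private key.
    static byte[] sign(byte[] message, KeyPair publisher) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(publisher.getPrivate());
        s.update(message);
        return s.sign();
    }

    // Verification needs only the public key: recipients can check a signature
    // without being able to produce one.
    static boolean verify(byte[] message, byte[] signature, PublicKey publisherKey)
            throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(publisherKey);
        v.update(message);
        return v.verify(signature);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the bytes of a JAR that a publisher ships to clients
        byte[] archive = "PatientGUI.class bytes (constructed sample)"
                .getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair publisher = gen.generateKeyPair();   // the trusted publisher's key pair
        KeyPair stranger  = gen.generateKeyPair();   // some other party's key pair

        System.out.println("SHA-256 digest of archive      : " + hex(digest(archive)));

        byte[] signature = sign(archive, publisher);
        System.out.println("genuine archive, publisher key : "
                + verify(archive, signature, publisher.getPublic()));

        // One flipped bit changes the digest, so the signature no longer matches
        byte[] tampered = archive.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered archive, publisher key: "
                + verify(tampered, signature, publisher.getPublic()));

        // The same signature checked against a different public key also fails
        System.out.println("genuine archive, stranger key  : "
                + verify(archive, signature, stranger.getPublic()));
    }
}
```

The three checks at the end are the properties a signed JAR relies on: the genuine archive verifies, a modified archive does not, and a signature cannot be transferred to a key the publisher does not hold. The jarsigner tool applies the same primitives to every entry of an archive and records the results in the JAR manifest and signature files.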
Security Capabilities of Java
Access Control Lists (ACLs)
- Control Access to Resources by Permissions
- Classical Security Technique for:
  - Data Structure to Protect Resources
  - SE to Define Read/Write Permissions Based on Users and User Groups
  - Manipulation of List of Access Privileges
  - Support Negative and Positive Permissions
  - Paradigm of Individual vs. Group
  - Individual Permissions Override Group
- See Paper for Detailed Discussion and References
IFIP98-1.13
User-Role Based Security and Java
- Public Interface is Union of All Privileges for All Potential Users
- No Explicit Way to Prohibit Access
- Customizable Public Interface of Class
- Access to Public Interface is Variable and Based on User Needs and Responsibilities
- Only Give Exactly What’s Needed and No More

public class PatientRecord {
    // private: data/methods as needed
    public:
        write_medical_history();   // For MDs Only
        write_prescription();      // For MDs Only
        get_medical_history();     // For MDs and Nurses
        get_diagnosis();           // For MDs and Nurses
        set_payment_mode();        // For Admitting
        etc…
}
IFIP98-1.14
User-Role Subclassing Approach in Java
// Each class in its own .java file
public class PatientRecord {
    // private data/methods omitted
    public void write_medical_history() { /* ... */ }
    public void write_prescription()    { /* ... */ }
    public void get_medical_history()   { /* ... */ }
    public void get_diagnosis()         { /* ... */ }
    public void set_payment_mode()      { /* ... */ }
}

// A subclass overrides each method its role may not use with an empty body
public class MD_PatientRecord extends PatientRecord {
    public void set_payment_mode() { return; }
}

public class Nurse_PatientRecord extends PatientRecord {
    public void write_medical_history() { return; }
    public void write_prescription()    { return; }
    public void set_payment_mode()      { return; }
}
- Subclasses of PatientRecord Turn Off Methods Not Available
- Software Creates Nurse_PatientRecord or MD_PatientRecord Instance
- Method Calls Against Subclass Return Null for Turned Off Methods
- GUI Tool Works Differently Based on User Role with Same Code
IFIP98-1.15
A Basic Exception Approach in Java
public class PatientRecord {
    // private data has been omitted, except for the field used below
    private int Insurance_Mode;

    public void set_payment_mode(int mode) {
        // Insurance_Mode is private data of PatientRecord; Java passes ints by
        // value, so the checked helper returns the value to store
        Insurance_Mode = set_int_check_valid_UR(Insurance_Mode, mode);
    }

    // Returns i2 (the new value) if Current_User may execute the method,
    // otherwise i1 (the old value) so that the field is left unchanged
    public int set_int_check_valid_UR(int i1, int i2) {
        try { // See if Current_User can execute method
            Check_UR();
        }
        // catch block to process raised exceptions
        catch (Unauthorized_UR UR_Exception) {
            System.out.println("Attempt to access by unauthorized UR");
            return i1;
        }
        return i2;
    }

    public void Check_UR() throws Unauthorized_UR {
        // Incomplete - only to illustrate the concepts!!!
        if (!"Admitting".equals(Current_User.Get_User_Role()))
            throw new Unauthorized_UR(); // raises exception
    }
}

// Unauthorized_UR and Current_User are referenced but not shown on the slide;
// minimal definitions so that the example compiles:
class Unauthorized_UR extends Exception { }

class Current_User {
    private static String role = "Nurse";                 // set once at login
    public static void Set_User_Role(String r) { role = r; }
    public static String Get_User_Role() { return role; }
}
- Exploit Exception Handling for Dynamic Behavior of Tool by Role
- Once the Current_User is Set, the Rest of the Tool Code Works without that Knowledge
- Thus, Software Engineers Don’t Need to Know or See the DAC/URBS Details!!
IFIP98-1.16
Applicability of URBS Approaches
- All Supported by C++, Eiffel, and Ada95
- User-Role Subclassing Approach
  - Requires SW Engineer to Understand URBS
  - Supported by Java
- Basic Exception Approach
  - Minimizes SW Engineer Exposure to URBS
  - Elegant in Java Due to Exceptions
- User-Role Class Library Approach (not shown)
  - Requires Multiple Inheritance
  - Unsupported in Java - only Design-Level Multiple Inheritance via Interfaces
- Generic Exception Approach (not shown)
  - Exceptions plus Generics Improves Reuse
  - Unsupported in Java - no Templates
IFIP98-1.17
Advanced Security Features and URBS
- Focus on the Potentials of Java
- What Other Aspects of Java Can be Exploited?
  - Packages in Java
  - Access Control Lists in java.security API
  - The Class Class in java.lang API
  - Aglets - Java Agents
- Examine the Ability of the Above to Support URBS
- Leverage Advanced Features to Enhance and Strengthen URBS Approaches
- Utilize Advanced Features as a Starting Point to Explore New Security Solutions
IFIP98-1.18
Packages In Java
- Allows Related Classes to be Grouped into a Larger Abstraction
  - Similar to Ada95 Packages
  - E.g., Package PatientInfo Contains Prescription, PatientGUI, PatientRecord, …
- Utilization of Packages for URBS
  - URSA - Form a Package of PatientRecord, MD_PatientRecord and Nurse_PatientRecord
  - Only the MD_ and Nurse_ Subclasses Visible Outside of the Package
- Overall, Packages Enhance the Control and Visibility to Fine-Tune Who Can See What When
IFIP98-1.19
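An added example of the package idea on this slide (not code from the slides): the full-privilege PatientRecord is declared package-private inside patientinfo, so code in any other package can only obtain the MD_ and Nurse_ views. The class and method names follow the slides; the package name app, the demo class RoleViewDemo and the history entries are this example's own assumptions.

```java
// File: patientinfo/PatientRecord.java
package patientinfo;

// Package-private (no "public"): code outside patientinfo cannot name or instantiate
// the full-privilege base class, so it cannot bypass the role views below.
class PatientRecord {
    private final StringBuilder history = new StringBuilder();   // constructed sample data

    public void write_medical_history(String entry) { history.append(entry).append('\n'); }
    public String get_medical_history()            { return history.toString(); }
    public void set_payment_mode(int mode)         { /* billing details omitted */ }
}

// File: patientinfo/MD_PatientRecord.java
package patientinfo;

// Public subclass: the PatientRecord view an MD-role client is allowed to create.
public class MD_PatientRecord extends PatientRecord {
    @Override public void set_payment_mode(int mode) { return; }   // turned off for MDs
}

// File: patientinfo/Nurse_PatientRecord.java
package patientinfo;

// Public subclass: the PatientRecord view a nurse-role client is allowed to create.
public class Nurse_PatientRecord extends PatientRecord {
    @Override public void write_medical_history(String entry) { return; }   // turned off
    @Override public void set_payment_mode(int mode)          { return; }   // turned off
}

// File: app/RoleViewDemo.java
package app;

import patientinfo.MD_PatientRecord;
import patientinfo.Nurse_PatientRecord;

public class RoleViewDemo {
    public static void main(String[] args) {
        MD_PatientRecord md = new MD_PatientRecord();
        md.write_medical_history("allergy noted (constructed entry)");
        System.out.println("MD view    : [" + md.get_medical_history().trim() + "]");

        Nurse_PatientRecord nurse = new Nurse_PatientRecord();
        nurse.write_medical_history("should not be recorded");     // silently turned off
        System.out.println("Nurse view : [" + nurse.get_medical_history().trim() + "]");

        // Does not compile from package app, which is the point of the package boundary:
        // patientinfo.PatientRecord full = new patientinfo.PatientRecord();
    }
}
```

Inherited public methods such as get_medical_history() remain callable through the public subclass type even though their declaring class is package-private, so clients keep the methods their role is granted while the unrestricted base class stays unreachable. Compile the four files together (javac patientinfo/*.java app/*.java) and run app.RoleViewDemo to see the MD view retain the entry and the nurse view stay empty.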
Access Control Lists in java.security API
- ACLs Can be Utilized to Control Method Access
  - ACL Composed of ACL Entries
  - ACL Entry: Set of Permissions (Allowable Method Accesses) for Each UR
  - Utilize ACLs as Implementation Vehicle for URSA, BEA, and Other Approaches
- java.security.acl.Acl Provides the Following:
  - addEntry() and removeEntry()
  - checkPermission(): Can UR Utilize Method?
  - add-, check-, and remove- Permission()
  - setPrincipal(): UR for which Permissions (Methods) are Assigned/Prohibited
  - Etc…
IFIP98-1.20
The Class Class in java.lang API
- The Class and Object Classes Contain Meta-Data
  - Methods Defined that Apply to All System and User Defined Classes
  - Class has Methods that Return List of Public Methods, List of Member Variables, etc.
- Utilization of the Class Class for URBS
  - For All Approaches, Dynamically Retrieve All Public Methods for Verifying UR Permissions
  - In Conjunction with ACL, a Powerful Tool to Dynamically Enforce UR Permissions When
    - Assigned/Prohibited Methods Change
    - Application Classes Evolve or are Added
  - Simplifies Maintenance of Security Policy
IFIP98-1.21
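The following added example ties together the ACL slides (positive and negative permissions with individual entries overriding group entries, and an ACL as the implementation vehicle for method-level URBS) and this slide's use of Class meta-data. It is not code from the slides or from the JDK: the java.security.acl package was removed in JDK 14, so the Acl and AclEntry roles are re-created with plain collections under the example's own names (MethodAcl, Entry, checkPermission, uncoveredMethods), and the user names, role assignments and the constructed PatientRecord class are assumptions.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

// Added example (not from the slides). java.security.acl was removed in JDK 14, so the
// Acl/AclEntry roles are re-created with plain collections; names are this example's own.
public class MethodAcl {

    // One ACL entry: a principal (individual user or user-role group), whether the
    // entry is negative (prohibits) or positive (assigns), and the method names covered.
    static final class Entry {
        final String principal;
        final boolean negative;
        final Set<String> methods;

        Entry(String principal, boolean negative, String... methods) {
            this.principal = principal;
            this.negative = negative;
            this.methods = new HashSet<>(Arrays.asList(methods));
        }
    }

    private final List<Entry> entries = new ArrayList<>();
    private final Map<String, String> roleOfUser = new HashMap<>();   // user -> UR (group)

    void addEntry(Entry e) { entries.add(e); }
    void assignRole(String user, String role) { roleOfUser.put(user, role); }

    // checkPermission(): may this user call this method?
    //  1. entries naming the user individually decide first (individual overrides group);
    //  2. otherwise entries naming the user's role decide;
    //  3. at either level a negative entry beats a positive one; no entry at all means denied.
    boolean checkPermission(String user, String method) {
        Boolean individual = decide(user, method);
        if (individual != null) return individual;
        String role = roleOfUser.get(user);
        Boolean group = (role == null) ? null : decide(role, method);
        return group != null && group;
    }

    private Boolean decide(String principal, String method) {
        boolean granted = false, denied = false;
        for (Entry e : entries) {
            if (e.principal.equals(principal) && e.methods.contains(method)) {
                if (e.negative) denied = true; else granted = true;
            }
        }
        if (denied) return Boolean.FALSE;
        if (granted) return Boolean.TRUE;
        return null;   // no entry for this principal and method
    }

    // Class meta-data: the public methods an application class exposes right now.
    static Set<String> publicMethodsOf(Class<?> c) {
        Set<String> names = new TreeSet<>();
        for (Method m : c.getDeclaredMethods()) {
            if (Modifier.isPublic(m.getModifiers())) names.add(m.getName());
        }
        return names;
    }

    // Public methods that no entry assigns or prohibits: exactly what appears when the
    // application class evolves and the security policy has not kept up.
    Set<String> uncoveredMethods(Class<?> c) {
        Set<String> uncovered = publicMethodsOf(c);
        for (Entry e : entries) uncovered.removeAll(e.methods);
        return uncovered;
    }

    public static void main(String[] args) {
        MethodAcl acl = new MethodAcl();
        acl.addEntry(new Entry("MD", false, "write_medical_history", "write_prescription",
                                            "get_medical_history", "get_diagnosis"));
        acl.addEntry(new Entry("Nurse", false, "get_medical_history", "get_diagnosis"));
        acl.addEntry(new Entry("Admitting", false, "set_payment_mode"));
        acl.assignRole("alice", "MD");
        acl.assignRole("bob", "Nurse");
        acl.addEntry(new Entry("bob", true, "get_diagnosis"));   // individual negative entry

        System.out.println("alice write_prescription : " + acl.checkPermission("alice", "write_prescription"));
        System.out.println("bob   get_medical_history: " + acl.checkPermission("bob", "get_medical_history"));
        System.out.println("bob   get_diagnosis      : " + acl.checkPermission("bob", "get_diagnosis"));
        System.out.println("bob   set_payment_mode   : " + acl.checkPermission("bob", "set_payment_mode"));
        System.out.println("not covered by policy    : " + acl.uncoveredMethods(PatientRecord.class));
    }
}

// Constructed application class; get_billing_code() was added after the policy was written.
class PatientRecord {
    public void write_medical_history(String entry) { }
    public void write_prescription(String rx) { }
    public String get_medical_history() { return ""; }
    public String get_diagnosis() { return ""; }
    public void set_payment_mode(int mode) { }
    public String get_billing_code() { return ""; }
}
```

Running main shows alice (MD) allowed to write prescriptions, bob (Nurse) allowed to read the history but denied get_diagnosis by his individual negative entry even though the Nurse group grants it, bob denied set_payment_mode because no entry covers him for it, and get_billing_code reported as a public method the policy never mentions. That last check is the maintenance aid the slide describes: run it whenever application classes change, and the policy cannot silently fall behind the code.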
Aglets - Java Agents
- Mobile Software Agents are Objects that
  - have Behavior, State and Location, and
  - can Move from Place to Place in Order to Perform their Function
- Agents are Objects
  - Created and Destroyed
  - Migrate to New Location
  - Execute Required Responsibilities
  - Process Incoming Messages from Other Agents
  - Communicate by Message Passing
- Aglets - Java Agents (http://aglets.trl.ibm.co.jp)
IFIP98-1.22
Aglets - Java Agents
- Status of Mobile Aglet Security
  - Progressing via Sandbox
  - Involves Cryptography and Authentication to Ensure Security of Aglet and Messages
- Agents/Aglets and URBS
  - Distributed Object Computing Focuses on Runtime Objects
  - Can Agents/Aglets Monitor/Enforce Security from the Perspective of User, UR, and/or Object?
  - Can Agents/Aglets Encapsulate Security Policy that is Evolvable as Needed without Impact?
- Status: Still Under Investigation
IFIP98-1.23
Concluding Remarks
- Explored the Security Capabilities and Potentials of Java, including:
  - Brief Review of java.security API: Digital Signatures, Message Digests, Key Management, and ACLs
  - Realization and Limitations of URBS in Java
  - Advanced Security Features and the Potential for URBS and Security for DOC
- Future Work
  - Legacy/COTS and Interoperability
  - Emerging Technologies: Middleware and OODBSs
IFIP98-1.24
Future Work
Security for Legacy/COTS?
(Figure: Legacy systems, COTS systems, a Legacy Database and Java Clients connected across a NETWORK, annotated with the questions below)
- How is Security Handled for Individual Systems?
- What if Security is Never Available for Legacy/COTS/Database?
- Security Issues for New Clients? New Servers? Across Network?
- What about Distributed Security?
IFIP98-1.25
Future Work
Middleware and Emerging OODBS
- Tracking Emerging Technologies
  - CORBA/ORBs
    - Level of Support for Security
    - Current and Planned Support
  - Jasmine - Computer Associates, Inc.
    - Advanced Data Storage (Multi-Media, Video, Sound, etc.)
    - C++, Java, CORBA Interfaces

Your Questions? Input? Discussion?
IFIP98-1.26