IFIP98-1.1 Security Capabilities and Potentials of Java
CSE300
D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting
Computer Science & Engineering Department, The University of Connecticut, Storrs, Connecticut 06269-3155
{debs,steve,cecilia,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818

IFIP98-1.2 Overview of Presentation
• Background and Motivation
• Enterprise Computing and Security
• Emergence of Java
• An Overview of Java
• Security Capabilities of Java
• User-Role Based Security (URBS) and Java
• Advanced Security Features and URBS
• Concluding Remarks and Future Work

IFIP98-1.3 Enterprise Computing and Security: C/S and Distributed Object Computing
• Authentication: Is the Client who S/he Says they are?
• Authorization: Does the Client have Permission to do what S/he Wants?
• Privacy: Is Anyone Intercepting Client/Server Communications?
• Enforcement Mechanism: Centralized and Distributed “Code” Enforces Security Policy at Runtime

IFIP98-1.4 Enterprise Computing and Security: C/S and Distributed Object Computing
• Assurance
  • Are the Security Privileges for Each Client Adequate to Support their Activities?
  • Do the Security Privileges for Each Client Meet but Not Exceed their Capabilities?
• Consistency
  • Are the Defined Security Privileges for Each Client Internally Consistent? Least-Privilege Principle: Just Enough Access
  • Are the Defined Security Privileges for Related Clients Globally Consistent? Mutual Exclusion: Read for Some, Write for Others

IFIP98-1.5 Emergence of Java
• Java is Emerging as the OO Language of Choice
• Java’s Pervasiveness in Educational Institutions from Freshman to Graduate Courses
• Java’s Utilization in …
  • Distributed Internet-Based Applications of All Types
  • Legacy/COTS Integration for Enterprise Computing
  • General-Purpose, Single-CPU Development
• Distributed Object Computing Must Consider Security as a First-Class Citizen
• Exploit Java Security API and URBS?

IFIP98-1.6 An Overview of Java
• Java is a Third Generation, General Purpose, Platform Independent, Concurrent, Class-Based, Object-Oriented Language and Environment
• Java Composed of JDK and JRE
  • Java Language
  • Java Packages (Libraries)
  • javac Compiler to Bytecode (p-code)
  • JDB Java Debugger
  • Java Interpreter - Platform Specific
• JDK: Java Development Environment, http://www.javasoft.com/products/jdk/1.2/
• JRE: Java Runtime Environment, http://www.javasoft.com/products/jdk/1.2/jre/index.html

IFIP98-1.7 Java Visualization
(figure only; no slide text recovered)

IFIP98-1.8 The Java API Packages
• Application Programming Interface (API): Java-Defined Building Blocks/Libraries
• Java Platform 1.2 Core API: java.applet, java.awt, java.awt.datatransfer, java.awt.event, java.awt.image, java.beans, java.io, java.lang, java.lang.reflect, java.math, java.net, java.rmi, java.rmi.dgc, java.rmi.registry, java.rmi.server, java.security, java.security.acl, java.security.interfaces, java.sql, java.text, java.util, java.util.zip
• Focus on java.security

IFIP98-1.9 Security Capabilities of Java: Sandbox and Applet Level Security
• Downloaded Applets are Confined to a Targeted Portion of the System During Execution
• Execution of Untrusted Code in a Trusted Way
• What is the Sandbox?
  • Area of the Web Browser Dedicated to the Applet
  • Applet Limited to the Sandbox to Prohibit Access to the Local Machine/Environment
• Utilizes Class Loader, Bytecode Verifier, and Security Manager
  • Three Components Maintain System Integrity
• How Does this Occur?

IFIP98-1.10 Security Capabilities of Java
• Class Loader - Only Load Correct Classes
• Bytecode Verifier - Classes in Correct Format
• Security Manager - Untrusted Classes Can’t Execute Dangerous Instructions nor Access Protected System Resources
• Role of Security Managers
  • Enforces Boundaries of the Sandbox
  • All Java Classes ask the Manager for Permission to Perform Certain Operations
  • Implements/Imposes the Application Security Policy
  • Java Interface Class Implementable by Users
  • Integrated with Exception Handling of Java

IFIP98-1.11 Security Capabilities of Java: Digital Signatures and JAR Files
• When Can Applets Become Applications?
  • Trusted Publisher (Originator of Applet)
  • Signed Applet is Authenticated
  • Java Security Manager May Allow Applet out of the Sandbox to be an Application
• How is Information Transmitted and Exchanged?
  • JAR: Archived (Compressed) Files
  • Bundling of Code/Data into a Java Archive
  • Associated Digital Signature for Verification
  • Transmission via Object Serialization

IFIP98-1.12 Security Capabilities of Java: Message Digest and Key Management
• Message Digest
  • “Speedy” Alternative to Public Key Encryption
  • Generation of a Short, Unique Representation of a Message that is Encrypted and Used as a Digital Signature
  • Message Digest Algorithms (MD5, SHA, …)
• Key Management
  • Integrated Key Management for Java Programs and Applets
  • Ability to Encode/Decode
  • Java API for Generating, Certifying, and Manipulating Keys

IFIP98-1.13 Security Capabilities of Java: Access Control Lists (ACLs)
• Control Access to Resources by Permissions
• Classical Security Technique: Data Structure to Protect Resources
• SE to Define Read/Write Permissions Based on Users and User Groups
• Manipulation of List of Access Privileges
• Support Negative and Positive Permissions
• Paradigm of Individual vs. Group: Individual Permissions Override Group
• See Paper for Detailed Discussion and References

IFIP98-1.14 User-Role Based Security and Java
• Public Interface is the Union of All Privileges for All Potential Users: No Explicit Way to Prohibit Access
• Customizable Public Interface of a Class: Access to the Public Interface is Variable and Based on User Needs and Responsibilities
• Only Give Exactly What’s Needed and No More

    public class PatientRecord {
        // private data/methods as needed
        public void write_medical_history() { /* ... */ }   // For MDs Only
        public void write_prescription()    { /* ... */ }   // For MDs Only
        public void get_medical_history()   { /* ... */ }   // For MDs and Nurses
        public void get_diagnosis()         { /* ... */ }   // For MDs and Nurses
        public void set_payment_mode()      { /* ... */ }   // For Admitting
        // etc…
    }

IFIP98-1.15 User-Role Subclassing Approach in Java

    public class PatientRecord {
        // private data/methods
        public void write_medical_history() { /* ... */ }
        public void write_prescription()    { /* ... */ }
        public void get_medical_history()   { /* ... */ }
        public void get_diagnosis()         { /* ... */ }
        public void set_payment_mode()      { /* ... */ }
    }

    public class MD_PatientRecord extends PatientRecord {
        // turned off for MDs
        public void set_payment_mode() { return; }
    }

    public class Nurse_PatientRecord extends PatientRecord {
        // turned off for Nurses
        public void write_medical_history() { return; }
        public void write_prescription()    { return; }
        public void set_payment_mode()      { return; }
    }

• Subclasses of PatientRecord Turn Off Methods Not Available
• Software Creates a Nurse_PatientRecord or MD_PatientRecord Instance
• Method Calls Against the Subclass Return Null for Turned Off Methods
• GUI Tool Works Differently Based on User Role with the Same Code

IFIP98-1.16 A Basic Exception Approach in Java

    public class PatientRecord {
        // private data has been omitted, except the field used below
        private int Insurance_Mode;

        public void set_payment_mode(int mode) {
            // Insurance_Mode is private data of PatientRecord; it keeps its
            // old value unless the check for the current UR succeeds
            Insurance_Mode = set_int_check_valid_UR(Insurance_Mode, mode);
        }

        private int set_int_check_valid_UR(int i1, int i2) {
            try {
                // See if Current_User can execute the method
                check_UR();
            }
            // catch block to process raised exceptions
            catch (Unauthorized_UR UR_Exception) {
                System.out.println("Attempt to access by unauthorized UR");
                return i1;   // unauthorized: the old value is kept
            }
            return i2;       // authorized: the new value takes effect
        }

        public void check_UR() throws Unauthorized_UR {
            // Incomplete - only to illustrate the concepts!!!
            if (!Current_User.Get_User_Role().equals("Admitting"))
                throw new Unauthorized_UR();   // raises exception
        }
    }

• Exploit Exception Handling for Dynamic Behavior of the Tool by Role
• Once the Current_User is Set, the Rest of the Tool Code Works without that Knowledge
• Thus, Software Engineers Don’t Need to Know or See the DAC/URBS Details!!

IFIP98-1.17 Applicability of URBS Approaches
• All Supported by C++, Eiffel, and Ada95
• User-Role Subclassing Approach
  • Requires SW Engineer to Understand URBS
  • Supported by Java
• Basic Exception Approach
  • Minimizes SW Engineer Exposure to URBS
  • Elegant in Java Due to Exceptions
• User-Role Class Library Approach (not shown)
  • Requires Multiple Inheritance
  • Unsupported in Java - only Design-Level Multiple Inheritance via Interfaces
• Generic Exception Approach (not shown)
  • Exceptions plus Generics Improve Reuse
  • Unsupported in Java - no Templates

IFIP98-1.18 Advanced Security Features and URBS
• Focus on the Potentials of Java
• What Other Aspects of Java Can be Exploited?
  • Packages in Java
  • Access Control Lists in the java.security API
  • The Class Class in the java.lang API
  • Aglets - Java Agents
• Examine the Ability of the Above to Support URBS
• Leverage Advanced Features to Enhance and Strengthen URBS Approaches
• Utilize Advanced Features as a Starting Point to Explore New Security Solutions

IFIP98-1.19 Packages in Java
• Allows Related Classes to be Grouped into a Larger Abstraction, Similar to Ada95 Packages
• E.g., Package PatientInfo Contains Prescription, PatientGUI, PatientRecord, …
• Utilization of Packages for URBS
  • URSA - Form a Package of PatientRecord, MD_PatientRecord and Nurse_PatientRecord
  • Only the MD_ and Nurse_ Subclasses Visible Outside of the Package
• Overall, Packages Enhance the Control and Visibility to Fine-Tune Who Can See What When

IFIP98-1.20 Access Control Lists in the java.security API
• ACLs Can be Utilized to Control Method Access
• ACL Composed of ACL Entries
  • ACL Entry: Set of Permissions (Allowable Method Accesses) for Each UR
• Utilize ACLs as the Implementation Vehicle for URSA, BEA, and Other Approaches
• java.security.acl.Acl Provides the Following:
  • addEntry() and removeEntry()
  • checkPermission(): Can the UR Utilize the Method?
  • add-, check-, and remove- Permission()
  • setPrincipal: UR for which Permissions (Methods) are Assigned/Prohibited
  • Etc…

IFIP98-1.21 The Class Class in the java.lang API
• Class and Object Classes Contain Meta-Data
• Methods Defined that Apply to All System and User Defined Classes
• Class has Methods that Return the List of Public Methods, List of Member Variables, etc.
• Utilization of the Class Class for URBS
  • For All Approaches, Dynamically Retrieve All Public Methods for Verifying UR Permissions
  • In Conjunction with ACLs, a Powerful Tool to Dynamically Enforce UR Permissions
  • When Assigned/Prohibited Methods Change, or Application Classes Evolve or are Added, Simplifies Maintenance of the Security Policy

IFIP98-1.22 Aglets - Java Agents
• A Mobile Software Agent is an Object that has Behavior, State and Location, and can Move from Place to Place in Order to Perform its Function
• Agents are Objects
  • Created and Destroyed
  • Migrate to New Location
  • Execute Required Responsibilities
  • Process Incoming Messages from Other Agents
  • Communicate by Message Passing
• Aglets - Java Agents (http://aglets.trl.ibm.co.jp)

IFIP98-1.23 Aglets - Java Agents
• Status of Mobile Aglet Security
  • Progressing via Sandbox
  • Involves Cryptography and Authentication to Ensure Security of Aglet and Messages
• Agents/Aglets and URBS
  • Distributed Object Computing Focuses on Runtime Objects
  • Can Agents/Aglets Monitor/Enforce Security from the Perspective of User, UR, and/or Object?
  • Can Agents/Aglets Encapsulate Security Policy that is Evolvable as Needed without Impact?
  • Status: Still Under Investigation

IFIP98-1.24 Concluding Remarks
• Explored the Security Capabilities and Potentials of Java, including:
  • Brief Review of the java.security API: Digital Signatures, Message Digests, Key Management, and ACLs
  • Realization and Limitations of URBS in Java
  • Advanced Security Features and the Potential for URBS and Security for DOC
• Future Work
  • Legacy/COTS and Interoperability
  • Emerging Technologies: Middleware and OODBSs

IFIP98-1.25 Future Work: Security for Legacy/COTS?
(figure: Java Clients, a COTS Database, Legacy systems, COTS and a Legacy Database connected across a NETWORK; only the box labels were recovered)
• How is Security Handled for Individual Systems?
• What if Security is Never Available for Legacy/COTS/Database?
• Security Issues for New Clients? New Servers? Across the Network?
• What about Distributed Security?
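Added example, not code from the deck or its authors, tying the Basic Exception Approach of slide IFIP98-1.16 to the ACL and Class-class ideas of slides IFIP98-1.20 and 1.21: a hand-built role-to-method table stands in for java.security.acl (deprecated in Java 9 and removed in Java 14), a java.lang.reflect.Proxy handler (JDK 1.3 and later, so newer than the JDK 1.2 the deck targets) performs the UR check once for every public method so application code never sees it, and Class.getMethods() flags policy entries naming methods the class no longer has. RoleGuard, UrbsDemo, the MD/Nurse/Admitting tables and the deliberately stale write_prescription entry are assumptions made for this example; Map.of and Set.of need Java 9 or later.

```java
import java.lang.reflect.*;
import java.util.*;

// Unchecked so the proxy can raise it unwrapped; stands in for the deck's Unauthorized_UR.
class Unauthorized_UR extends SecurityException { Unauthorized_UR(String m) { super(m); } }

// Public interface of PatientRecord: only these methods are reachable through the guarded proxy.
interface PatientRecord { String get_diagnosis(); void set_payment_mode(int mode); }
class PatientRecordImpl implements PatientRecord {
    private int insuranceMode;                                         // constructed sample state
    public String get_diagnosis() { return "constructed sample diagnosis"; }
    public void set_payment_mode(int mode) { insuranceMode = mode; }
}

// ACL stand-in (assumption; java.security.acl was deprecated in Java 9 and removed in 14): each
// entry maps a user role to the public methods it may invoke; a method not listed is denied.
class RoleGuard implements InvocationHandler {
    static final Map<String, Set<String>> ACL = Map.of(
            "MD", Set.of("get_diagnosis", "write_prescription"),   // write_prescription is stale
            "Nurse", Set.of("get_diagnosis"),
            "Admitting", Set.of("set_payment_mode"));
    private final Object target; private final String role;
    RoleGuard(Object target, String role) { this.target = target; this.role = role; }
    // Every call on the proxy lands here: consult the role's ACL entry, then forward or deny.
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        if (!ACL.getOrDefault(role, Set.of()).contains(m.getName()))
            throw new Unauthorized_UR("Attempt to access " + m.getName() + " by unauthorized UR " + role);
        return m.invoke(target, args);
    }
    // Wrap a record for the current user's role; the rest of the tool then works unaware of URBS.
    static PatientRecord forRole(PatientRecord rec, String role) {
        return (PatientRecord) Proxy.newProxyInstance(PatientRecord.class.getClassLoader(),
                new Class<?>[] { PatientRecord.class }, new RoleGuard(rec, role));
    }
    // Class meta-data check: an ACL entry naming a method the interface no longer has is stale policy.
    static List<String> staleEntries() {
        Set<String> real = new HashSet<>();
        for (Method m : PatientRecord.class.getMethods()) real.add(m.getName());
        List<String> stale = new ArrayList<>();
        for (Set<String> names : ACL.values()) for (String n : names) if (!real.contains(n)) stale.add(n);
        return stale;
    }
}

public class UrbsDemo {
    public static void main(String[] args) {
        PatientRecord asNurse = RoleGuard.forRole(new PatientRecordImpl(), "Nurse");
        System.out.println(asNurse.get_diagnosis());                   // permitted for Nurse
        try { asNurse.set_payment_mode(1); }                            // Admitting only: denied
        catch (Unauthorized_UR e) { System.out.println(e.getMessage()); }
        System.out.println("stale ACL entries: " + RoleGuard.staleEntries());
    }
}
```

Because every call goes through invoke(), adding a method to PatientRecord without an ACL entry denies it to every role by default, which is the least-privilege direction the deck argues for, while staleEntries() catches the opposite drift when the class evolves.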
IFIP98-1.26 Future Work: Middleware and Emerging OODBS
• Tracking Emerging Technologies
• CORBA/ORBs
  • Level of Support for Security
  • Current and Planned Support
• Jasmine - Computer Associates, Inc.
  • Advanced Data Storage (Multi-Media, Video, Sound, etc.)
  • C++, Java, CORBA Interfaces
• Your Questions? Input? Discussion?