Security Capabilities and Potentials of Java
CSE300
D. Smarkusky, S. Demurjian, M. Bastarrica, and T.C. Ting
Computer Science & Engineering Department
The University of Connecticut
Storrs, Connecticut 06269-3155
{debs,steve,cecilia,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818
IFIP98-1.1
Overview of Presentation
Background and Motivation
Enterprise Computing and Security
Emergence of Java
An Overview of Java
Security Capabilities of Java
User-Role Based Security (URBS) and Java
Advanced Security Features and URBS
Concluding Remarks and Future Work
Enterprise Computing and Security
C/S and Distributed Object Computing
Authentication
Is the Client who S/he Says they are?
Authorization
Does the Client have Permission to do what
S/he Wants?
Privacy
Is Anyone Intercepting Client/Server
Communications?
Enforcement Mechanism
Centralized and Distributed “Code”
Enforces Security Policy at Runtime
Enterprise Computing and Security
C/S and Distributed Object Computing
Assurance
Are the Security Privileges for Each Client
Adequate to Support their Activities?
Do the Security Privileges for Each Client
Meet but Not Exceed their Capabilities?
Consistency
Are the Defined Security Privileges for Each
Client Internally Consistent?
Least-Privilege Principle: Just Enough Access
Are the Defined Security Privileges for Related
Clients Globally Consistent?
Mutual-Exclusion: Read for Some, Write for Others
Emergence of Java
Java is Emerging as the OO Language of Choice
Java’s Pervasiveness in Educational Institutions
from Freshman to Graduate Courses
Java’s Utilization in …
Distributed Internet-Based Applications of All
Types
Legacy/COTS Integration for Enterprise
Computing
General-Purpose, Single-CPU Development
Distributed Object Computing Must Consider
Security as First Class Citizen
Exploit Java Security API and URBS?
An Overview of Java
Java is a Third Generation, General Purpose,
Platform Independent, Concurrent, Class-Based,
Object-Oriented Language and Environment
Java Composed of JDK and JRE
Java Language
Java Packages (Libraries)
javac Compiler to Bytecode (p-code)
JDB Java Debugger
Java Interpreter - Platform Specific
JDK: Java Development Environment
http://www.javasoft.com/products/jdk/1.2/
JRE: Java Runtime Environment
http://www.javasoft.com/products/jdk/1.2/jre/index.html
Java Visualization
The Java API Packages
CSE300
Application Programming Interface (API)
Java Defined - Building Blocks/Libraries
Java Platform 1.2 Core API
java.applet
java.awt
java.awt.datatransfer
java.awt.event
java.awt.image
java.beans
java.io
java.lang
java.lang.reflect
java.math
java.net
java.rmi
java.rmi.dgc
java.rmi.registry
java.rmi.server
java.security
java.security.acl
java.security.interfaces
java.sql
java.text
java.util
java.util.zip
Focus on java.security
Security Capabilities of Java
Sandbox and Applet Level Security
Downloaded Applets are Confined in a
Targeted Portion of System During Execution
Execution of Untrusted Code in Trusted Way
What is Sandbox?
Area of Web-Browser Dedicated to Applet
Applet Limited to Sandbox to Prohibit Access
to Local Machine/Environment
Utilizes Class Loader, Bytecode Verifier, and
Security Manager
Three Components Maintain System Integrity
How Does this Occur?
Security Capabilities of Java
Class Loader - Only Load Correct Classes
Bytecode Verifier - Classes in Correct Format
Security Manager - Untrusted Classes Can’t
Execute Dangerous Instructions nor Access
Protected System Resources
Role of Security Managers
Enforces Boundaries of Sandbox
All Java Classes ask Manager for Permission to
Perform Certain Operations
Implements/Imposes Appl. Security Policy
Java Interface Class Implementable by Users
Integrated with Exception Handling of Java
Security Capabilities of Java
Digital Signatures and JAR Files
When Can Applets Become Applications?
Trusted Publisher (Originator of Applet)
Signed Applet is Authenticated
Java Security Manager May Allow Applet out
of Sandbox to be Application
How is Information Transmitted and Exchanged?
JAR: Archived (Compressed) Files
Bundling of Code/Data into Java Archive
Associated Digital Signature for Verification
Transmission via Object Serialization
Security Capabilities of Java
Message Digest and Key Management
Message Digest
“Speedy” Alternative to Public Key Encryption
Generation of a Short, Unique Representation
of Message that is Encrypted and Used as
Digital Signature
Message Digest Algorithms (MD5, SHA, …)
Key Management
Integrated Key Management for Java Programs
and Applets
Ability to Encode/Decode
Java API for Generating, Certifying, and
Manipulating Keys
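An added example (not from the slides) of the java.security API the slide refers to: it digests a constructed message with SHA-256, signs it with a freshly generated RSA key pair as a publisher would sign a JAR, and verifies the signature against both the original and a tampered copy. HexFormat assumes Java 17 or later; the class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Signature;
import java.util.HexFormat;

public class DigestAndSign {
    // Message digest: a short, fixed-length representation of the message
    static byte[] digest(byte[] message) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(message);
    }

    // The publisher signs with its private key; Signature digests the
    // message internally and signs the digest rather than the whole message
    static byte[] sign(KeyPair publisher, byte[] message) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(publisher.getPrivate());
        s.update(message);
        return s.sign();
    }

    // Anyone holding the publisher's public key can check the signature
    static boolean verify(KeyPair publisher, byte[] message, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(publisher.getPublic());
        s.update(message);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload standing in for the contents of a JAR
        byte[] message  = "applet bytes v1".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "applet bytes v2".getBytes(StandardCharsets.UTF_8);

        System.out.println("SHA-256: " + HexFormat.of().formatHex(digest(message)));

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair publisher = gen.generateKeyPair();

        byte[] sig = sign(publisher, message);
        System.out.println("original verifies: " + verify(publisher, message, sig));
        System.out.println("tampered verifies: " + verify(publisher, tampered, sig));
    }
}
```

The second verification fails because any change to the message changes its digest, which is what the signature actually covers.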
Security Capabilities of Java
Access Control Lists (ACLs)
Control Access to Resources by Permissions
Classical Security Technique: a Data Structure
to Protect Resources
SE to Define Read/Write Permissions Based on
Users and User Groups
Manipulation of List of Access Privileges
Support Negative and Positive Permissions
Paradigm of Individual vs. Group
Individual Permissions Override Group
See Paper for Detailed Discussion and References
User-Role Based Security and Java
Public Interface is Union of All Privileges for All
Potential Users: No Explicit Way to Prohibit Access
Customizable Public Interface of Class
Access to Public Interface is Variable and Based
on User Needs and Responsibilities
Only Give Exactly What’s Needed and No More
public class PatientRecord
{ private: Data/Methods as Needed;
  public:
    write_medical_history();   // For MDs Only
    write_prescription();      // For MDs Only
    get_medical_history();     // For MDs and Nurses
    get_diagnosis();           // For MDs and Nurses
    set_payment_mode();        // For Admitting
    etc…
}
User-Role Subclassing Approach in Java
public class PatientRecord {
    // private data and methods omitted
    public void write_medical_history() { ... }
    public void write_prescription()    { ... }
    public void get_medical_history()   { ... }
    public void get_diagnosis()         { ... }
    public void set_payment_mode()      { ... }
}

public class MD_PatientRecord extends PatientRecord {
    // MDs may not set the payment mode: the override does nothing
    public void set_payment_mode() { return; }
}

public class Nurse_PatientRecord extends PatientRecord {
    // Nurses may only read: writing and payment methods are turned off
    public void write_medical_history() { return; }
    public void write_prescription()    { return; }
    public void set_payment_mode()      { return; }
}
• Subclasses of PatientRecord Turn Off Methods Not Available
• Software Creates Nurse_PatientRecord or MD_PatientRecord Instance
• Method Calls Against Subclass Return Null for Turned Off Methods
• GUI Tool Works Differently Based on User Role with Same Code
A Basic Exception Approach in Java
public class PatientRecord {
    // other private data has been omitted
    private int Insurance_Mode;

    public void set_payment_mode(int mode) {
        // Insurance_Mode is private data of PatientRecord
        set_int_check_valid_UR(mode);
    }

    // Assign the new mode only if Current_User passes the user-role check
    public void set_int_check_valid_UR(int new_mode) {
        try { // See if Current_User can execute method
            check_UR();
        }
        // catch block to process raised exceptions
        catch (Unauthorized_UR UR_Exception) {
            System.out.println("Attempt to access by unauthorized UR");
            return; // do not perform the assignment
        }
        Insurance_Mode = new_mode;
    }

    public void check_UR() throws Unauthorized_UR {
        // Incomplete - only to illustrate the concepts!!!
        if (!"Admitting".equals(Current_User.Get_User_Role()))
            throw new Unauthorized_UR(); // raises exception
    }
}
Exploit Exception Handling for Dynamic Behavior of Tool by Role
Once the Current_User is Set, the Rest of the Tool Code Works without that Knowledge
Thus, Software Engineers Don’t Need to Know or See the DAC/URBS Details!!
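A complete version of the basic exception approach, added here as an illustration rather than taken from the slides: one checkUR() choke point guards every method, the role is set once in a hypothetical CurrentUser holder, and an unauthorized call propagates an exception to the caller instead of silently continuing. The class, method and role names are mine.

```java
import java.util.Set;

// Raised when the current user role (UR) may not invoke a method
class UnauthorizedUR extends Exception {
    UnauthorizedUR(String role, String method) {
        super("role " + role + " may not call " + method);
    }
}

// Hypothetical session holder: the role is set once at login and read by every check
class CurrentUser {
    private static String role = "None";
    static void setRole(String r) { role = r; }
    static String getRole() { return role; }
}

public class PatientRecord {
    private String medicalHistory = "";
    private int insuranceMode;
    // Single choke point: each guarded method names the roles allowed to call it
    private static void checkUR(String method, Set<String> allowed) throws UnauthorizedUR {
        String role = CurrentUser.getRole();
        if (!allowed.contains(role)) throw new UnauthorizedUR(role, method);
    }
    public void writeMedicalHistory(String entry) throws UnauthorizedUR {
        checkUR("writeMedicalHistory", Set.of("MD"));
        medicalHistory += entry + "\n";
    }
    public String getMedicalHistory() throws UnauthorizedUR {
        checkUR("getMedicalHistory", Set.of("MD", "Nurse"));
        return medicalHistory;
    }
    public void setPaymentMode(int mode) throws UnauthorizedUR {
        checkUR("setPaymentMode", Set.of("Admitting"));
        insuranceMode = mode;
    }
    public static void main(String[] args) throws UnauthorizedUR {
        PatientRecord rec = new PatientRecord();
        CurrentUser.setRole("MD");
        rec.writeMedicalHistory("routine visit, no findings"); // constructed entry
        CurrentUser.setRole("Nurse");
        System.out.print(rec.getMedicalHistory());            // nurses may read
        try {
            rec.setPaymentMode(1);                             // but not set payment mode
        } catch (UnauthorizedUR e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Because the check throws rather than printing and returning, a GUI built on this class cannot mistake a refused update for a successful one.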
Applicability of URBS Approaches
All Supported by C++, Eiffel, and Ada95
User-Role Subclassing Approach
Requires SW Engineer to Understand URBS
Supported by Java
Basic Exception Approach
Minimizes SW Engineer Exposure to URBS
Elegant in Java Due to Exceptions
User-Role Class Library Approach (not shown)
Requires Multiple Inheritance
Unsupported in Java - only Design-Level
Multiple Inheritance via Interfaces
Generic Exception Approach (not shown)
Exceptions plus Generics Improves Reuse
Unsupported in Java - no Templates
Advanced Security Features and URBS
Focus on the Potentials of Java
What Other Aspects of Java Can be Exploited?
Packages in Java
Access Control Lists in java.security API
The Class Class in java.lang API
Aglets - Java Agents
Examine the Ability of Above to Support URBS
Leverage Advanced Features to Enhance and
Strengthen URBS Approaches
Utilize Advanced Features as Starting Point to
Explore New Security Solutions
Packages in Java
Allows Related Classes to be Grouped into a
Larger Abstraction
Similar to Ada95 Packages
E.g., Package PatientInfo Contains
Prescription, PatientGUI, PatientRecord, …
Utilization of Packages for URBS
URSA - Form a Package of PatientRecord,
MD_PatientRecord and Nurse_PatientRecord
Only MD and Nurse Subclasses Visible
Outside of Package
Overall, Packages Enhance the Control and
Visibility to Fine-Tune Who Can See What When
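An added example (not from the slides) of the package arrangement described above: the full PatientRecord is package-private, so only the user-role subclass is visible outside patientinfo. It spans three source files, marked by comments; file and class names are mine.

```java
// File: patientinfo/PatientRecord.java
package patientinfo;

// No 'public' modifier: code outside patientinfo cannot name or instantiate the full record
class PatientRecord {
    private String history = "";
    public void writeMedicalHistory(String entry) { history += entry + "\n"; }
    public String getMedicalHistory() { return history; }
    public void setPaymentMode(int mode) { /* payment handling omitted */ }
}

// File: patientinfo/NursePatientRecord.java
package patientinfo;

// Public user-role subclass (URSA): the only nurse-facing type exported from the package
public class NursePatientRecord extends PatientRecord {
    @Override public void writeMedicalHistory(String entry) { return; } // turned off for nurses
    @Override public void setPaymentMode(int mode) { return; }          // turned off for nurses
}

// File: app/NurseStation.java
package app;

import patientinfo.NursePatientRecord;

public class NurseStation {
    public static void main(String[] args) {
        NursePatientRecord rec = new NursePatientRecord();
        rec.writeMedicalHistory("ignored");          // no-op for the nurse role
        System.out.println("[" + rec.getMedicalHistory() + "]");
        // new patientinfo.PatientRecord() does not compile here: the class is not public
    }
}
```

Note that a turned-off method still returns normally, so the caller cannot tell a refused write from a successful one; the exception approach on the earlier slide avoids that ambiguity.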
Access Control Lists in java.security API
ACLs Can be Utilized to Control Method Access
ACL Composed of ACL Entries
ACL Entry Set of Permissions (Allowable
Method Accesses) for Each UR
Utilize ACLs as Implementation Vehicle for
URSA, BEA, and Other Approaches
java.security.acl.Acl Provides the Following:
addEntry() and removeEntry()
checkPermission(): Can UR Utilize Method?
Per Entry (AclEntry): add-, check-, and removePermission()
setPrincipal(): UR for which Permissions
(Methods) are Assigned/Prohibited
Etc…
The Class Class in java.lang API
Class and Object Classes Contain Meta-Data
Methods Defined that Apply to All System and
User Defined Classes
Class has Methods that Return List of Public
Methods, List of Member Variables, etc.
Utilization of Class Class for URBS
For All Approaches, Dynamically Retrieve All
Public Methods for Verifying UR Permissions
In Conjunction with ACL, Powerful Tool to
Dynamically Enforce UR Permissions When
Assigned/Prohibited Methods Change or
Application Classes Evolve or Are Added
Simplifies Maintenance of Security Policy
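An added example, written for this page rather than taken from it, that combines the two previous slides: a small method-level ACL with positive and negative entries (a negative entry overriding a positive one, as in java.security.acl, which has since been deprecated and removed from the JDK), plus a reflection pass over Class meta-data that lists public methods the policy does not yet cover. The ACL class and the PatientRecord stub are hypothetical.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

// Minimal ACL modelled on java.security.acl: positive entries grant a method to
// a user role, negative entries deny it, and deny overrides grant for the same role.
class MethodAcl {
    private final Map<String, Set<String>> granted = new HashMap<>();
    private final Map<String, Set<String>> denied  = new HashMap<>();
    void addEntry(String role, boolean negative, String... methods) {
        Map<String, Set<String>> table = negative ? denied : granted;
        table.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(methods));
    }
    // Can this user role invoke the method? Deny wins over grant.
    boolean checkPermission(String role, String method) {
        if (denied.getOrDefault(role, Set.of()).contains(method)) return false;
        return granted.getOrDefault(role, Set.of()).contains(method);
    }
    // Use Class meta-data to list public methods the policy never mentions; these appear
    // as application classes evolve. getDeclaredMethods() skips inherited Object methods.
    List<String> uncoveredPublicMethods(Class<?> cls) {
        Set<String> mentioned = new HashSet<>();
        granted.values().forEach(mentioned::addAll);
        denied.values().forEach(mentioned::addAll);
        List<String> uncovered = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods())
            if (Modifier.isPublic(m.getModifiers()) && !mentioned.contains(m.getName()))
                uncovered.add(m.getName());
        return uncovered;
    }
}

// Hypothetical application class; bodies omitted
class PatientRecord {
    public void write_prescription() {}
    public void get_diagnosis() {}
    public void set_payment_mode() {}
    public void export_record() {}   // added in a later release, not yet in the policy
}

public class AclDemo {
    public static void main(String[] args) {
        MethodAcl acl = new MethodAcl();
        acl.addEntry("MD", false, "get_diagnosis", "write_prescription");
        acl.addEntry("Nurse", false, "get_diagnosis", "write_prescription");
        acl.addEntry("Nurse", true, "write_prescription");   // explicit deny overrides the grant
        acl.addEntry("Admitting", false, "set_payment_mode");
        System.out.println("Nurse write_prescription: " + acl.checkPermission("Nurse", "write_prescription"));
        System.out.println("needs a policy decision: " + acl.uncoveredPublicMethods(PatientRecord.class));
    }
}
```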
Aglets - Java Agents
Mobile Software Agents are Objects that
have Behavior, State, and Location, and
can Move from Place to Place in Order to
Perform their Function
Agents are Objects
Created and Destroyed
Migrate to New Location
Execute Required Responsibilities
Process Incoming Messages from Other Agents
Communicate by Message Passing
Aglets - Java Agents (http://aglets.trl.ibm.co.jp)
Aglets - Java Agents
Status of Mobile Aglet Security
Progressing via Sandbox
Involves Cryptography and Authentication to
Ensure Security of Aglet and Messages
Agents/Aglets and URBS
Distributed Object Computing Focuses on
Runtime Objects
Can Agents/Aglets Monitor/Enforce Security
from Perspective of User, UR, and/or Object?
Can Agents/Aglets Encapsulate Security Policy
that is Evolvable as Needed without Impact?
Status: Still Under Investigation
Concluding Remarks
Explored the Security Capabilities and Potentials of
Java, including:
Brief Review of java.security API
Digital Signatures, Message Digests,
Key Management, and ACLs
Realization and Limitations of URBS in Java
Advanced Security Features and the Potential
for URBS and Security for DOC
Future Work
Legacy/COTS and Interoperability
Emerging Technologies
Middleware and OODBSs
Future Work
Security for Legacy/COTS?
(Figure: Java clients connected over a network to legacy systems, COTS packages, and databases)
How is Security Handled for Individual Systems?
What if Security is Never Available for Legacy/COTS/Database?
Security Issues for New Clients? New Servers? Across Network?
What about Distributed Security?
Future Work
Middleware and Emerging OODBS
Tracking Emerging Technologies
CORBA/ORBs
Level of Support for Security
Current and Planned Support
Jasmine - Computer Associates, Inc.
Advanced Data Storage (Multi-Media, Video,
Sound, etc.)
C++, Java, CORBA Interfaces
Your Questions? Input? Discussion?