Download Lecture 18: ™ Decaffeinated Java David Evans

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
Document related concepts

Go (programming language) wikipedia , lookup

Name mangling wikipedia , lookup

C Sharp syntax wikipedia , lookup

Java (programming language) wikipedia , lookup

Java ConcurrentMap wikipedia , lookup

Java performance wikipedia , lookup

C Sharp (programming language) wikipedia , lookup

Transcript 
Lecture 18:
Java™ Decaffeinated
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• SSL Challenge Question
• Java
• Voting
25 May 2017
University of Virginia CS 551
2
SSL Challenge Question
Are there skeletons in VeriSign’s closet?
25 May 2017
University of Virginia CS 551
3
Secure Socket Layer (SSL)
141 Sextillion years;
Not going any where for awhile;
grab a snickers
SSL Background
• Two Kinds of SSL
– Low Encryption (40-bit; 1.1x1012 possible keys)
– High Encryption (128-bit; 3.8x1038 possible keys)
• SSL is a transport level technology for
authentication and data encryption between a
web server and a Web server (example).
• Applied at the socket interface from the
application to the network software.
Data Link
Header
Internet Transport Application
Header Header
Header
Plaintext
Data being sent
Cipher Text
SSL Handshake
Server
Client
• Tell me who you are;
• Here are the protocols I support.
• For your ID, I know who you are
and have your public key;
• Here is a secret key I created
with your protocols encrypted with
your key
• Here is my Digital ID to prove
who I am;
• Here is the protocols I have
decided we should use.
• Here is a copy of everything
we’ve said encrypted with our
secret key.
• Here is a copy of everything we’ve
said encrypted with our secret key.
SSL Data Exchange
Time to Break Specific Keys
Years
Key length
(bits)
40
1995
2000
2005
68 hours
8.6 minutes
56
7.4 weeks
6.5 days
1.07
minutes
19 hours
64
36.7 years
4.6 years
6.9 months
128
6.7x1017
millennia
8.4x1016
millennia
1.1x1016
millennia
[Erkomaa, 1998]
Brute Force Attacks
Remarks
DES
Challenge #1
DES
Challenge
Final
DES
Challenge on
128-bit
Single
Computer
Small
Network
VeriSigns
Assumption
Total Key
Space
Number of
Seconds
Number of
Years
Search Space
(keys/sec)
Key size
(bit)
7.50E+09
56
7.20576E+16 9607679.205
0.30
9.10E+11
56
7.20576E+16 79184.16927
**22 hours
2.45E+11
128
3.40282E+38 1.38891E+27
4.404E+19
650000
128
3.40282E+38 5.23511E+32
1.66E+25
1.00E+06
128
3.40282E+38 3.40282E+32
1.08E+25
76,400,000
128
3.40282E+38 4.45396E+30
1.412E+23
Target: 1.41E+23
25 May 2017
University of Virginia CS 551
8
VeriSign’s Claim
N u m b e r o f Ye a rs
1E +27
1E +24
1E +21
Ye ars
1E +18
1E +15
N um b e r o f Ye a rs
1E +12
1E +09
100000
0
1000
1
650000
1000000
76400000
Se arch Sp ace Sp e e d
2 .4 5 E + 1 1
Moore’s Law
18 months
C racking 128-bit K eys
1 .0 0 0 E + 2 0
N u m b er o f Years to C rack
1 .0 0 0 E + 1 8
1 .0 0 0 E + 1 6
1 .0 0 0 E + 1 4
1 .0 0 0 E + 1 2
1 .0 0 0 E + 1 0
1 .0 0 0 E + 0 8
1 .0 0 0 E + 0 6
1 .0 0 0 E + 0 4
1 .0 0 0 E + 0 2
1 .0 0 0 E + 0 0
1998
2000
2002
2004
2006
2008
2010
2012
2014
2016
Ye a r
C o ns e rva tive E s tim a te
B o ld E s tim a te
M o o re 's L a w
2018
General Timeline
Not to scale
CS-551 Class
(1.25 hours)
Total Human Lifetime
Universe Lifetime
0
1010
1019 1020 1023
Quintillion years
Sextillion years
VeriSign’s Assumptions
• Hackers or key breakers have computers that
are extremely slow.
• We are using the processing speed of
computers that were built in the 1980’s era.
• Distributed networks and special hardware
are not authorized for key breaking schemes.
• We are not increasing our processing power
every 18-24 months (based on Moore’s Law).
25 May 2017
University of Virginia CS 551
13
Java Security
Real or Decaf?
25 May 2017
University of Virginia CS 551
14
Java
A.
B.
C.
D.
E.
Island in Indonesia
A Programming Language (Java)
A Portable Low-Level Language (JVML)
A Platform (JavaVM)
A successful marketing strategy
– JavaScript is not related to Java or Java
F. So you can have more time to work on
your projects
G. All of the above
25 May 2017
University of Virginia CS 551
15
Java : Programming Language
“A simple, object-oriented,
distributed, interpreted, robust,
secure, architecture neutral,
portable, high-performance,
multithreaded, and dynamic
language.”
[Sun95]
25 May 2017
University of Virginia CS 551
16
What is a secure language?
1. Language is designed so it cannot
express certain computations
considered insecure.
A few attempts to do this: PLAN, packet filters
2. Language is designed so that
(accidental) program bugs are likely
to be caught by the compiler or runtime environment instead of leading
to security vulnerabilities.
25 May 2017
University of Virginia CS 551
17
Safe Programming Languages
• Type Safety
– Compiler and run-time environment ensure that
bits are treated as the type they represent
• Memory Safety
– Compiler and run-time environment ensure that
program cannot access memory outside defined
storage
• Control Flow Safety
– Can’t jump to arbitrary addresses
Which of these does C++ have?
Not a new idea: LISP had these in 1960!
25 May 2017
University of Virginia CS 551
18
Java Safety
• Type Safety
– Most types checked statically
– Coercions, array assignments type checked at run
time
• Memory Safety
– No direct memory access (e.g., pointers)
– Primitive array type with mandatory run-time
bounds checking
• Control Flow Safety
– Structured control flow, no arbitrary jumps
25 May 2017
University of Virginia CS 551
19
Malicious Code
Can a safe programming language
protect you from malcode?
1. Code your servers in it to protect from
buffer overflow bugs
2. Only allow programs from untrustworthy
origins to run if the are programmed in
the safe language
25 May 2017
University of Virginia CS 551
20
Safe Languages?
• But how can you tell program was
written in the safe language?
– Get the source code and compile it (most
vendors, and all malicious attackers refuse
to provide source code)
– Special compilation service signs object
files generated from the safe language
(SPIN, [Bershad96])
– Verify object files preserve safety
properties of source language (Java)
25 May 2017
University of Virginia CS 551
21
JVML
malcode.java

Java
Source
Code
javac
Compiler
malcode.class
JVML
Object
Code
JavaVM
Joe User
25 May 2017
Joe wants to know JVML code satisfies
Java’s safety properties.
University of Virginia CS 551
22
Does JVML satisfy Java’s
safety properties?
iconst_2
istore_0
aload_0
arraylength
push integer constant 2 on stack
store top of stack in variable 0 as int
load object reference from variable 0
replace array on top of stack with its
length
No! This code violates Java’s type rules.
25 May 2017
University of Virginia CS 551
23
malcode.class
JVML
Object
Code
Bytecode Verifier
Trusted Computing Base
Java Bytecode Verifier
Invalid
“Okay”
STOP
JavaVM
Joe User
25 May 2017
University of Virginia CS 551
24
Bytecode Verifier
• Checks JVML code satisfies Java’s
safety properties
• Type safe – stack and variable slots
must store and load as same type
• Memory safe (guaranteed by instruction
set)
• Control flow safe: jumps must be within
function, or call/return
25 May 2017
University of Virginia CS 551
25
Are Java Bytecode Verifiers
Complicated?
• ~700 rules to enforce, JVML specification is
(not all clearly specified)
• Emin Gün Sirer found > 100 bugs in
commercial bytecode verifiers (using
automatic test generation)
– At least 15 of them were security vulnerabilities
• JVML includes jsr instruction (jump to
subroutine), can be called with different types
in variables and on stack
25 May 2017
University of Virginia CS 551
26
Java
malcode.java
javac
Compiler
malcode.class
JVML
Trusted Computing Base
Java Bytecode Verifier
Invalid
“Okay”
STOP
JavaVM
Joe User
25 May 2017
University of Virginia CS 551
27
JavaVM
• Virtual machine – interpreter for JVML
programs
• Has complete access to host machine
• Bytecode verifier ensures some safety
properties, JavaVM must ensure rest:
– Type safety of run-time casts, array
assignments
– Memory safety: array bounds checking
– Resource use policy
25 May 2017
University of Virginia CS 551
28
JavaVM Policy Enforcment
[JDK 1.0 – JDK 1.1]
From java.io.File:
public boolean delete() {
SecurityManager security =
System.getSecurityManager();
if (security != null) {
security.checkDelete(path);
}
if (isDirectory()) return rmdir0();
else return delete0();
}
25 May 2017
University of Virginia CS 551
29
java.lang.SecurityManager
/**
Throws a SecurityException if the calling
thread is not allowed to delete the specified
file.
This method is invoked for the current security
manager by the delete method of class File.
*/
(Some other comments deleted.)
public void checkDelete(String file) {
throw new SecurityException();
}
25 May 2017
University of Virginia CS 551
30
Security Manager
• Reference monitor
– How well does it satisfy the requirements?
• Complete mediation
• Can stop execution/prevent action
• Limited effect on execution until policy violation
• User/host application creates a
subclass of SecurityManager to define a
policy
25 May 2017
University of Virginia CS 551
31
HotJava’s Policy (JDK 1.1.7)
public class AppletSecurity
extends SecurityManager {
...
public synchronized void
checkDelete(String file) {
checkWrite(file);
}
...
}
25 May 2017
University of Virginia CS 551
32
AppletSecurity.checkWrite
(some exception handling code removed)
public synchronized void checkWrite(String file) {
if (inApplet()) {
if (!initACL) initializeACLs();
String realPath =
(new File(file)).getCanonicalPath();
for (int i = writeACL.length ; i-- > 0 ;) {
if (realPath.startsWith(writeACL[i])) return;
}
throw new AppletSecurityException
("checkwrite", file, realPath);
}
}
Note: no checking if not inApplet!
Very important this does the right thing.
25 May 2017
University of Virginia CS 551
33
inApplet
boolean inApplet() {
return inClassLoader();
}
Inherited from java.lang.SecurityManager:
protected boolean inClassLoader() {
return
currentClassLoader() != null;
}
25 May 2017
University of Virginia CS 551
34
currentClassLoader
/**
Returns an object describing the most recent class
loader executing on the stack.
Returns the class loader of the most recent occurrence
on the stack of a method from a class defined using a
class loader; returns null if there is no occurrence on the
stack of a method from a class defined using a class
loader.
*/
protected native ClassLoader currentClassLoader();
25 May 2017
University of Virginia CS 551
35
Recap
• java.io.File.delete
calls
before deleting
• HotJava overrides SecurityManager with
AppletSecurity to set policy
• AppletSecurity.checkDelete calls
SecurityManager.checkDelete
AppletSecurity.checkWrite
• AppletSecurity.checkWrite checks if
any method on stack has a ClassLoader
• If not no checks; if it does, checks ACL list
25 May 2017
University of Virginia CS 551
36
JDK 1.0 Trust Model
• When JavaVM loads a class from the
CLASSPATH, it has no associated
ClassLoader (can do anything)
• When JavaVM loads a class from
elsewhere (e.g., the web), it has an
associated ClassLoader
25 May 2017
University of Virginia CS 551
37
JDK Evolution
• JDK 1.1: Signed classes from
elsewhere and have no associated
ClassLoader
• JDK 1.2:
– Different classes can have different policies
based on ClassLoader
– Explict enable/disable/check privileges
– SecurityManager is now AccessController
25 May 2017
University of Virginia CS 551
38
What can go wrong?
• Java API doesn’t call right SecurityManager
checks (63 calls in java.*)
– Font loading bug, synchronization
• ClassLoader is tricked into loading external
class as internal
• Bug in Bytecode Verifier can be exploited to
circumvent SecurityManager
• Policy is too weak and allows damaging
behavior
25 May 2017
University of Virginia CS 551
39
Hostile Applets
• See http://java.sun.com/sfaq/chronology.html
(about 1 new vulnerability/month)
• Easy to write “annoying” applets (policy
is too imprecise; no way to constrain
many resource operations)
• http://www.cigital.com/hostileapplets/index.html
25 May 2017
University of Virginia CS 551
40
Voting
25 May 2017
University of Virginia CS 551
41
VA Absentee Voting: Ballot
1. Print out form from state web site
2. Fill in name and address, sign by voter
and a witness
3. Mail to local election official
4. Local election official mails ballot to
voter’s address (presumably: checks
voter is registered, verifies address,
marks on election rolls)
25 May 2017
University of Virginia CS 551
42
VA Absentee Voting
1. Open Envelope A in presence of witness
(do not open without witness present)
2. Borrow No. 2 pencil and mark ballot.
3. Place ballot in Envelope B and seal. Do
not put anything else in that envelope.
4. Fill in identification and sign Envelope B.
Witness signs Envelope B.
5. Place Envelope B in return envelope preaddressed to Secretary of the Electoral
Board. Mail or hand deliver in person.
25 May 2017
University of Virginia CS 551
43
Voting Challenges
• (50 points) Explain why VA absentee ballot
protocol uses Envelope A and requires voter
to open it in presence of a witness
• (50 points) Devise a good absentee voting
protocol (better than my baseline)
• (200 points) Exploit vulnerabilities in
electoral protocols so Harry Browne or Ralph
Nader wins election
– Remember getting me arrested is -10000
points!
25 May 2017
University of Virginia CS 551
44
Charge
• Tomorrow: Vote
– Pay attention to security protocols: who are
you trusting?
– Don’t get arrested, but think about how a
malicious person might defeat the system
• Next time
– Guest Lecture: Chenxi Wang
25 May 2017
University of Virginia CS 551
45
Related documents
Instructor Rubric for Presentations
Instructor Rubric for Presentations
George Washington
George Washington
Introduction to Java - Brookwood High School
Introduction to Java - Brookwood High School
File chapter 4 review1
File chapter 4 review1
Who am I?
Who am I?
QUALITATIVE RESEARCH Not measurements, but WORDS!
QUALITATIVE RESEARCH Not measurements, but WORDS!
basic concepts of strategic management (sm)
basic concepts of strategic management (sm)
Electric mobility in future energy systems
Electric mobility in future energy systems
File west virginia road to statehood answers1
File west virginia road to statehood answers1
PowerPoint: Virginia`s Renewable and Nonrenewable Resources
PowerPoint: Virginia`s Renewable and Nonrenewable Resources
Technical Assignment 1
Technical Assignment 1
virginia geography project - Fredericksburg City Public Schools
virginia geography project - Fredericksburg City Public Schools
THE COLLAPSE OF THE EVOLUTION THEORY
THE COLLAPSE OF THE EVOLUTION THEORY
Boston University College of Arts and Sciences Computer Science Department
Boston University College of Arts and Sciences Computer Science Department
Springtails - Virginia Tech
Springtails - Virginia Tech
Communion with Christ and with One Another
Communion with Christ and with One Another
Pointers and References
Pointers and References
Chapter 3 Virginia`s Environmental Resources
Chapter 3 Virginia`s Environmental Resources