Formalising Java Security by msz78385

VIEWS: 4 PAGES: 35

									Software Security

      Pieter.Hartel@utwente.nl
    Overview

     Java
     Java Card
     Code Certification
     Attacks
     Conclusions




2
      Java & Java Card




[Che00] Z. Chen. Java Card Chapter 3 and 9 of Technology for Smart Cards: Architecture and
programmer's guide. Addison Wesley, Reading, Massachusetts, 2000.
http://developer.java.sun.com/developer/Books/consumerproducts/javacard/
    What is Java Safety?

     Definition: nothing bad will happen
     Type safety
     Memory safety
     Java safety is limited


                                      Balance:
                                      Feb 3: $8.00
                                      Feb 4: $2.00
                                      Feb 6: $7.00-

4
    What is Java Security?

     Access control to resources
     Java security policy (what)
       » Policy manager assigns permissions to code base
     Java security mechanisms (how)
       » Stack Inspection checks each frame




5
     How is Java implemented?



                                   Byte code
    Java program     compiler                       interpreter
                                    class file
      Parsing
      Type checking               Class loading
      Code generation             Byte code verification
                                   Execution



    Sandbox = Class loading+ Byte code Verification+
          Policy manager + Stack Inspection
6
     JavaJVM: Initialis. example


    Java:
          Point p = new Point (1,0);

                                  Nothing here
    JVM:
      0   new Point
      3   dup            Arbitrary instructions   here
      4   iconst_1
      5   iconst_0
      6   invokespecial Point(int,int)



7
    Java card

     Basics
      » Processing APDUs (more...)
     High level features
      » Persistent objects in EEPROM
      » Transient objects in RAM (Clear on Reset, Clear on
        Deselect)
      » Atomic operations and transactions
      » Applet firewall and controlled object sharing (more...)
     No need for expensive message passing




9
     Java  Java Card

      Java card is a subset of java
        » Subset of API, exceptions
        » No concurrency, no garbage collection
      Java card is an extension of java
        » Transactions, sharable objects, persistence
      However, a smart card is not a PC
       » Tamper resistant 
       » Small, slow 




10
     Java Card architecture
     Post-issuance                                         Pre-issuance
     No native code!

     Applets        Loyalty       Wallet                Auth.


      JCRE
           Framework           Industry




                                                                          Masked
                                               Installer
              APIs            Spec. APIs
                        System classes
         Applet        Transaction             I/O
                                                            ...
       management      management          management

         Virtual machine                   Native methods

11
     Applet Development




12
     Applet naming

      AID = RID5 || PIX0..11
      RID assigned by ISO to companies
      PIX assigned by individual company




13
     Applet life cycle

      JCRE “never” stops
      APDU controls applet, format:


      install and process applet methods
        CLA INS   P1   P2   LC   Data




14
              Processing an APDU


4 public void process(APDU apdu){
6         byte[] buffer = apdu.getBuffer();
                                                              apdu.cla();
7         byte cla = buffer[ISO7816.OFFSET_CLA];
8         byte ins = buffer[ISO7816.OFFSET_INS];
12        short bytesLeft = (short) (buffer[ISO7816.OFFSET_LC] & 0x00FF);
13        if(bytesLeft < (short)55) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH );
15        short readCount = apdu.setIncomingAndReceive();
16        while(bytesLeft > 0){                                throw new WrongLength();
18            bytesLeft -= readCount;
19            readCount = apdu.receiveBytes ( ISO7816.OFFSET_CDATA );
20        }
29        short le = apdu.setOutgoing();
30        if(le < (short)2) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH );
31        apdu.setOutgoingLength( (short)3 );
34        buffer[0] = (byte)1; buffer[1] = (byte)2; buffer[3] = (byte)3;
35        apdu.sendBytes ( (short)0 , (short)3 );
37 }                                                                       2
                            Do not alter the buffer!
     15
     Applet firewall

      Separates Applets
      Protects against mistakes
      Provides controlled sharing
      Firewall partitions object space in
       different “Contexts”




16
     Contexts

      JCRE defines privileged context
      Package defines regular context
      Context defines ownership, stacked
      Current context gets new object
      Invoke, return, exception may context switch

                    System
                                JCRE context

               Applet
                                    Context switch


                                               Package B
17
                        Package A
     Client & Sever Communication
                          Server may
                          grant/deny
                            access




18
     Sharable Interface Object (1)

                                                  Server
     package com.fasttravel.airmiles;
     import javacard.framework.*;

     public interface AirMilesInterface extends Shareable {
       public void grantMiles (short amount);
     }

      A sharable interface object is like a
       normal object to the owner
      Others can only access the methods
       defined in the shareable interface


19
     Sharable Interface Object (2)
                                                Server
public class AirMilesApp extends Applet
                            implements AirMilesInterface {
    private short miles;
    public void grantMiles(short amount){
       miles = (short)(miles + amount);
    }
}
                                                      Client
AirMilesInterface sio = (AirMilesInterface)
(JCSystem.getAppletShareableInterfaceObject(aid,SECRET));
if ( sio == null )
    ISOException.throwIt(SW_FAILED_TO_OBTAIN_SIO);

sio.grantMiles(amount);
20
      Java Card implementation



      Byte code                    ‘Byte codes’
                       converter                     interpreter
       class file                    Cap file


      Class loading                Class loading
      Byte code verification       Signature verification
      CAP file generation          Execution
      Digital signature

                                     Key management
                                         problem
21
     Signatures for code certificat.

 Producer of code c:          Consumer of code (c’, s’):
  Hash the code c:            Hash code c’:
       h=hash(c)                     h’=hash(c’)
  Sign with private key k:    Check s’ with public key K:
       s=decrypt(k,h)              h’’=encrypt(K,s’)
  Send (c, s) to the          Ok if h’=h’’
   consumer                    Is then also h=h’?
  Why not sign c?




         h: encrypt(K,decrypt(k,h)) = h
22
     Conclusions

      State of the art
        » Easier to program than assembly
      Open issues
       » Garbage collection
      Commercial success
       » Java (2 Billion phones, 1 Billion PCs)
       » Java card (4 Billion cards)




23
              Code certification without
              signatures




[Nec97] G. C. Necula. Proof-carrying code. In 24th Principles of programming languages
(POPL), pages 106-119, Paris, France, Jan 1997. ACM.
http://doi.acm.org/10.1145/263699.263712
    Self Certified Code

    Server (consumes code):        Client (produces code):


    1.   Publish safety policy =
         Given precondition +
         Weakest precondition                      No Crypto
         Rules
                                   2.   Certification =
                                        Generate proof and
    3.   Validation =
                                        Export Code + proof
         Import code + proof
         and Check proof
    4.   Run



  Attack
possible 
25
     SCC Architecture


                      Untrusted Source
                          Program


                 Compilation and Certification
                                                          Code
                                                          Producer
                       Native    Safety
                       Code      Certificate              Code
                                                          Consumer

                                                 Safety
                     Certificate Validation
                                                 Policy
      Enable
     execution


26
     Extended abstract machine

     op ::= n              where n  minint...maxint
            |r0 |r1 |r2
                                    Safety conditions:
     instr ::= LD   rd, n(rs)    May read at rs+n
            |ST     rs, n(rd)    May write at rd+n
            |ADD rs, op, rd
            |BEQ rs, n           May jump to n if rs=0
            |RET




27
     Code example: simple filter

                            % Address of tag in r0
     1.   ADD   r0, 8, r1   % Address of data in r1
     2.   LD    r0, 8(r0)   % Data in r0
     3.   LD    r2,−8(r1)   % Tag in r2
     4.   ADD   r0, 1, r0   % Increment r0
     5.   BEQ   r2,7        % Branch if tag = 0
     6.   ST    r0, 0(r1)
     7.   RET

                                             Before After
                                           tag=0    tag0
                            r0
                                           data     data+1
28
     Pre & post condition

      Precondition
                                                Please
        » r0 is word aligned
                                             Check at home
        » May read tag at r0
        » May read data at r0+8
        » May write data at r0+8 if tag0.
      Abstract Machine semantics
       » Generate safety conditions
      Postcondition
        » true                                 Before After
                                             tag=0    tag0
                                    r0
                                             data     data+1
29
     Advantages/Disadvantages

     + No cryptography, no key management
     + Any policy possible
     + Can be used for unsafe language.
     – Does it scale up?
     – Window of opportunity from validation to
       execution (more...)




32
Attacks
       Vulnerability

        Time-of-check ≠ time-of-use
        A single bit error gives 70% probability of
         taking over the JVM




[Gov03] S. Govindavajhala and A. W. Appel. Using memory errors to attack a virtual machine. In
24th Symp. on Security and Privacy (S&P), pages 154-165, Berkeley, California, May 2003.
IEEE Computer Society. http://doi.ieeecomputersociety.org/10.1109/SECPRI.2003.1199334
 34
      Memory error attack

                      Class A    Cosmic ray “Converts” A
                                  ref to B ref
                      A a;
                                 Subvert type system
                      B b;
                                 70% success with
         Class B      Int I;
                                  millions of references


     0101010100
     0101010100
                      Class B
                      A a1;
                      A a2;
                      A a3;

         Cosmic ray
         flips bit
35
     The experiment




              Picture from Sudhakar Govindavajhala



36
      And the rest of the world?

       The Operating System is the main culprit
       15,000 bugs in the Linux kernel, far more
        in Windows
       An estimated 24 in the Minix-3 micro-
        kernel, drivers isolated...
       Can the kernel be verified?




[Tan06a] A. S. Tanenbaum, J. N. Herder, and H. Bos. Can we make operating systems reliable
and secure? IEEE Computer, 39(5):44-51, 2006. http://dx.doi.org/10.1109/MC.2006.156
 37
     Conclusions

      Java is a good starting point
      Reduce the trusted computing base
       » Micro kernel
      Verification works in the small
      Security is not necessarily crypto
      Out of the box thinking...




38

								
To top