Lecture 19 Java Security

CS216: Program and Data Representation
University of Virginia Computer Science
Spring 2006                                                        David Evans

Lecture 19: Java Security

PS6 Submission: Only to be eligible for the "Byte Code Wizard" awards. If the web submission is down, you can submit (once) by email.

Running Mistyped Code

    .method public static main([Ljava/lang/String;)V
       …
       iconst_2
       istore_0
       aload_0
       iconst_2
       iconst_3
       iadd
       …
       return
    .end method

    > java Simple
    Exception in thread "main" java.lang.VerifyError:
    (class: Simple, method: main signature: ([Ljava/lang/String;)V)
    Register 0 contains wrong type

    > java -noverify Simple
    result: 5

(istore_0 stores an int in local variable 0; aload_0 then loads that slot as an object reference. The verifier rejects the class; with -noverify it runs and prints 2 + 3.)

http://www.cs.virginia.edu/cs216                     UVa CS216 Spring 2006 - Lecture 19: Java Security                   2




Running Mistyped Code

    .method public static main([Ljava/lang/String;)V
       …
       ldc 216
       istore_0
       aload_0
       iconst_2
       iconst_3
       iadd
       …
    .end method

    > java -noverify Simple
    Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB
    Function=JVM_FindSignal+0x1105F
    Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll
    Current Java thread:
       at Simple.main(Simple.java:7)
       …
    #
    # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION
    # Error ID : 4F530E43505002EF
    #
    # Please report this error at
    # http://java.sun.com/cgi-bin/bugreport.cgi
    #
    # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)

(Here the int 216 stored in local variable 0 is loaded by aload_0 as if it were an object reference. With the verifier turned off nothing rejects this, and the VM crashes as soon as it uses the bogus reference.)

Java Security Architecture (figure): JAR → ClassLoader → Class → Verifier (Verify; a failed verification raises an Exception) → Java VM (a policy violation raises a Security exception) → Operating System → Protected Resource




JavaVM
• Interpreter for JVML programs
• Has complete access to host machine: it's just a C program running normally
• Bytecode verifier ensures some safety properties, JavaVM must ensure rest:
   – Type safety of run-time casts, array assignments
   – Memory safety: array bounds checking
   – Resource use policy

Reference Monitors




Program Execution (figure): a Program with direct access to the Monitor, Speakers, Network, Disk, Memory and SuperSoaker 2000.

Program Execution with a Reference Monitor (figure): the same Program, but a Reference Monitor now sits between it and each resource (Monitor, Speakers, Network, Disk, Memory, SuperSoaker 2000).




Ideal Reference Monitor
   1. Sees everything a program is about to do before it does it
   2. Can instantly and completely stop program execution (or prevent action)
   3. Has no other effect on the program or system

Can we build this? Probably not unless we can build a time machine...

Real Reference Monitor
   1. Sees most things a program is about to do before it does it
   2. Can instantly and completely stop program execution (or prevent action) [limited]
   3. Has no other effect on the program or system




Operating Systems
• Provide reference monitors for most security-critical resources
   – When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file
• Doesn't allow different policies for different programs
• No flexibility over what is monitored
   – OS decides for everyone
   – Hence, can't monitor inexpensive operations

Java Security Manager
• (Non-Ideal) Reference monitor
   – Limits how Java executions can manipulate system resources
• User/host application creates a subclass of SecurityManager to define a policy




JavaVM Policy Enforcement [JDK 1.0 – JDK 1.1]

From java.io.File:

    public boolean delete() {
       SecurityManager security = System.getSecurityManager();
       if (security != null) {
          security.checkDelete(path);
       }
       if (isDirectory()) return rmdir0();
       else return delete0();
    }

checkDelete throws a SecurityException if the delete would violate the policy (re-thrown by delete).

What could go seriously wrong with this?!

HotJava's Policy (JDK 1.1.7)

    public class AppletSecurity extends SecurityManager {
       ...
       public synchronized void checkDelete(String file)
             throws SecurityException {
          checkWrite(file);
       }
    }




AppletSecurity.checkWrite (some exception handling code removed)

    public synchronized void checkWrite(String file) {
      if (inApplet()) {
        if (!initACL) initializeACLs();
        String realPath = (new File(file)).getCanonicalPath();
        for (int i = writeACL.length ; i-- > 0 ;) {
           if (realPath.startsWith(writeACL[i])) return;
        }
        throw new AppletSecurityException("checkwrite", file, realPath);
      }
    }

Note: no checking if not inApplet! Very important this does the right thing.

inApplet

    boolean inApplet() {
       return inClassLoader();
    }

Inherited from java.lang.SecurityManager:

    protected boolean inClassLoader() {
       return currentClassLoader() != null;
    }
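The File.delete → checkDelete → checkWrite chain on the last four slides, written out as a complete SecurityManager subclass. This is an added example, not code from the lecture or from HotJava: it keeps the write ACL idea from AppletSecurity.checkWrite but drops the inApplet() escape hatch (every caller is checked) and compares canonical paths against directory prefixes that end in a separator, an extra precaution the lecture does not discuss. The sandbox directory under java.io.tmpdir and the three probe paths are constructed for the demo. The main method exercises the checks directly rather than installing the manager with System.setSecurityManager, so it runs on JDKs where installing a Security Manager is restricted or no longer possible (it compiles with deprecation warnings on JDK 17 and later).

```java
import java.io.File;
import java.io.IOException;

// Added example: a write/delete ACL policy in the style of AppletSecurity,
// but applied to every caller (no inApplet() shortcut).
public class WriteAclSecurityManager extends SecurityManager {
    private final String[] writeAcl;   // canonical directory prefixes, each ending in File.separator

    public WriteAclSecurityManager(String... allowedDirs) {
        this.writeAcl = new String[allowedDirs.length];
        for (int i = 0; i < allowedDirs.length; i++) {
            writeAcl[i] = canonicalDir(allowedDirs[i]);
        }
    }

    // Canonical form with a trailing separator, so that an ACL entry for
    // ".../sandbox" does not also authorise ".../sandbox-other/x".
    private static String canonicalDir(String path) {
        String canonical = canonicalize(path);
        return canonical.endsWith(File.separator) ? canonical : canonical + File.separator;
    }

    private static String canonicalize(String path) {
        try {
            return new File(path).getCanonicalPath();   // resolves "..", ".", symlinks
        } catch (IOException e) {
            // A path we cannot canonicalize is a path we cannot reason about: deny it.
            throw new SecurityException("cannot canonicalize " + path, e);
        }
    }

    // Same loop as AppletSecurity.checkWrite, but the check is unconditional.
    @Override
    public void checkWrite(String file) {
        String realPath = canonicalize(file);
        for (String allowed : writeAcl) {
            if (realPath.startsWith(allowed)) return;
        }
        throw new SecurityException("checkWrite denied: " + file + " (" + realPath + ")");
    }

    // java.io.File.delete() calls checkDelete; as in HotJava, a delete is treated as a write.
    @Override
    public void checkDelete(String file) {
        checkWrite(file);
    }

    public static void main(String[] args) {
        // Constructed demo: one allowed directory, three probe paths.
        String sandbox = System.getProperty("java.io.tmpdir") + File.separator + "sandbox";
        WriteAclSecurityManager sm = new WriteAclSecurityManager(sandbox);
        String[] probes = {
            sandbox + File.separator + "notes.txt",                          // inside the ACL: allowed
            sandbox + File.separator + ".." + File.separator + "escape.txt", // resolves outside: denied
            sandbox + "-other" + File.separator + "x.txt"                    // sibling with same prefix: denied
        };
        for (String p : probes) {
            try {
                sm.checkDelete(p);
                System.out.println("ALLOW " + p);
            } catch (SecurityException e) {
                System.out.println("DENY  " + p + " -> " + e.getMessage());
            }
        }
    }
}
```

Compile and run with javac/java; the first probe is allowed and the other two are denied. Canonicalizing both the ACL entries and the requested path is what makes the prefix comparison meaningful: comparing the raw string the caller supplied would let ".." components and symbolic links walk out of the sandbox.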




currentClassLoader

    /**
       Returns an object describing the most recent class loader executing on the stack.

       Returns the class loader of the most recent occurrence on the stack of a method
       from a class defined using a class loader; returns null if there is no occurrence
       on the stack of a method from a class defined using a class loader.
    */
    protected native ClassLoader currentClassLoader();

Recap
• java.io.File.delete calls SecurityManager.checkDelete before deleting
• HotJava overrides SecurityManager with AppletSecurity to set policy
• AppletSecurity.checkDelete calls AppletSecurity.checkWrite
• AppletSecurity.checkWrite checks if any method on stack has a ClassLoader
• If not, no checks; if it does, checks ACL list




JDK 1.0 Trust Model
• When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything)
• When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader

JDK Evolution
• JDK 1.1: Signed classes from elsewhere are trusted too and have no associated ClassLoader
• JDK 1.2:
   – Different classes can have different policies based on ClassLoader
   – Explicit enable/disable/check privileges
   – SecurityManager is now AccessController
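The stack-inspection rule behind inClassLoader / currentClassLoader and the JDK 1.0 trust model, as an added example (not the lecture's code and not the JDK's own implementation). On a modern JDK classes from the CLASSPATH do have a loader (the application class loader), so the policy here treats the bootstrap, platform and application loaders as trusted and any other loader on the stack as untrusted. The demo defines one nested class twice: once normally, and once through a hypothetical FromTheWebLoader that defines the class from the same bytes itself instead of delegating, so that the loader appears on the stack when the class runs. The manager is never installed with System.setSecurityManager; the check is invoked directly. Needs JDK 9 or later (ClassLoader.getPlatformClassLoader, InputStream.readAllBytes); compiles with deprecation warnings on JDK 17 and later.

```java
import java.io.IOException;
import java.io.InputStream;

// Added example: trust decided by which class loaders appear on the call stack.
public class StackInspectionDemo {

    public static class StackInspectingManager extends SecurityManager {
        // True if any frame on the stack belongs to a class defined by a loader
        // other than the bootstrap (null), platform or application loader.
        public boolean calledFromUntrustedLoader() {
            ClassLoader app = StackInspectionDemo.class.getClassLoader();
            ClassLoader platform = ClassLoader.getPlatformClassLoader();
            for (Class<?> frame : getClassContext()) {        // innermost frame first
                ClassLoader cl = frame.getClassLoader();
                if (cl != null && cl != app && cl != platform) return true;
            }
            return false;
        }

        @Override
        public void checkDelete(String file) {
            if (calledFromUntrustedLoader()) {
                throw new SecurityException("delete of " + file + " requested by code from an untrusted loader");
            }
            // Trusted callers fall through: the JDK 1.0 "no ClassLoader, can do anything" rule.
        }
    }

    public static final StackInspectingManager MANAGER = new StackInspectingManager();

    // Stand-in for code fetched from the web: it asks to delete a (constructed) file name.
    public static class Untrusted implements Runnable {
        public void run() {
            MANAGER.checkDelete("important.txt");
        }
    }

    // Hypothetical loader that defines Untrusted itself from the class bytes on the
    // classpath, so the resulting Class has this loader as its defining loader.
    static class FromTheWebLoader extends ClassLoader {
        FromTheWebLoader() { super(StackInspectionDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Untrusted.class.getName())) {
                return super.loadClass(name, resolve);        // everything else: delegate to parent
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name);
                    c = defineClass(name, bytes, 0, bytes.length);
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String resource = "/" + name.replace('.', '/') + ".class";
            try (InputStream in = StackInspectionDemo.class.getResourceAsStream(resource)) {
                if (in == null) throw new ClassNotFoundException(name);
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    static String attempt(Runnable r) {
        try {
            r.run();
            return "ALLOW";
        } catch (SecurityException e) {
            return "DENY (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Same source, defined by the application loader: trusted under this policy.
        System.out.println("app loader: " + attempt(new Untrusted()));

        // Same bytes, defined by FromTheWebLoader: that loader is on the stack, so denied.
        Class<?> remote = new FromTheWebLoader().loadClass(Untrusted.class.getName());
        Runnable r = (Runnable) remote.getDeclaredConstructor().newInstance();
        System.out.println("web loader: " + attempt(r));
    }
}
```

The two calls run byte-for-byte identical code; only the defining loader of the Untrusted frame differs, and that is the whole basis of the decision. This is why the lecture stresses that inApplet must "do the right thing": a loader that is tricked into defining external code as an internal class (the ClassLoader confusion bullet on the next slide) makes every frame look trusted and the check never fires.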




What can go wrong?
• Java API doesn't call right SecurityManager checks (63 calls in java.*)
   – Font loading bug, synchronization
• ClassLoader is tricked into loading external class as internal
• Bug in Bytecode Verifier can be exploited to circumvent SecurityManager
• Policy is too weak (allows damaging behavior)

Example Vulnerability
• Object creation involves three steps:
   new – create new object reference
   dup – duplicate reference
   invokespecial <init> – calls constructor

    new #14 <Class java.lang.StringBuffer>
    dup
    invokespecial #15 <Method java.lang.StringBuffer()>




Object Initialization Vulnerability [lsd-pl.net]

    class LSDbug extends SecurityClassLoader {
       public LSDbug() {
          try {
             LSDbug(5);
          } catch (SecurityException e) {
            this.loadClass(…);   // this is used, but not properly initialized!
          }
        }
        public LSDbug (int x) {
          super(); // throws SecurityException
        }
    }

Bytecode verifier (old version) didn't make correct checks.

Verifier (should be) Conservative (figure): three nested sets, largest to smallest: JVML programs ⊃ Safe programs ⊃ Verifiable programs. (Slide from Nate Paul's ACSAC talk)




Complexity Increases Risk (figure): the same nested sets, JVML programs ⊃ Safe programs ⊃ Verifiable programs, but now the Verifiable programs region extends outside Safe programs; the part that sticks out is labelled "Bug". (Slide from Nate Paul's ACSAC talk)

Vulnerabilities in JavaVM (chart): Vulnerabilities Reported (y-axis, 0 to 45) against Years Since First Release (x-axis, 0 to 9, from July 1996 to July 2005).




Where are They?

    Verification                          12
    API bugs                              10
    Class loading                          8
    Other or unknown                       2
    Missing policy checks                  3
    Configuration                          4
    DoS attacks (crash, consumption)       5

several of these were because of jsr complexity

Summary: Low-level vs. Policy Security
• Low-level Code Safety:
   – Type safety, memory safety, control flow safety
   – Needed to prevent malcode from circumventing any policy mechanism
• Policy Security:
   – Control access and use of resources (files, network, display, etc.)
   – Enforced by Java class
   – Hard part is deciding on a good policy




Charge
• PS6 due Monday
   – Questions 8-10 are open ended
   – Lots of improvements possible, but don't need to find everything
   – Token prize for best solutions to #8 and #10 (and title of Byte Code Wizard!)
• Next class:
   – How a hair dryer can break all this
   – Starting with x86 assembly