59
Advanced Java Programming Security

Advanced Java Programming

  • Upload
    celine

  • View
    47

  • Download
    0

Embed Size (px)

DESCRIPTION

Advanced Java Programming. Security. Agenda. About Security Application Security Java Security from the Ground Up Standalone Java Application Techniques. About Security. Common Security Threats Three concepts of CIA security model Definition of security. Common Security Threats. - PowerPoint PPT Presentation

Citation preview

Page 1: Advanced Java  Programming

Advanced Java Programming

Security

Page 2: Advanced Java  Programming

2

About Security Application Security Java Security from the Ground Up Standalone Java Application Techniques

Agenda

Page 3: Advanced Java  Programming

3

Common Security ThreatsThree concepts of CIA security modelDefinition of security

About Security

Page 4: Advanced Java  Programming

4

Identity interceptionSteal your identity and use it as their own

MasqueradingGrab your identity and use it elsewhere with the intention of perpetrating fraud

Replay attackCapture your request and replay that request

Data interception and manipulationRead your data (such as credit card info)

Common Security Threats

Page 5: Advanced Java  Programming

5

RepudiationDeny your/his completed transaction

Denial of ServiceTerminate the service

Common Security Threats

Page 6: Advanced Java  Programming

Three concepts of CIA security model

Page 7: Advanced Java  Programming

7

CIA Triad

Page 8: Advanced Java  Programming

8

Three concepts of CIA security model

Confidentiality information must not be disclosed to any unauthorized

person Integrity

authorized actions (unauthorized data changes) separation and protection for resources error detection and correction (data corruption)

Availability presence of objects or service in a usable form capacity to meet service needs adequate timeliness of a service

Page 9: Advanced Java  Programming

9

Definition of security

Detect Detect how, when and where intrusion has taken place

Protect Manage people and the Information System in an

effective manner so as to protect against unauthorized usage

Page 10: Advanced Java  Programming

10

Definition of security

React react to an intrusion ensure that penetration does not happen again. vulnerability is eliminated

Recover recover all data and programs from a breach in security

Page 11: Advanced Java  Programming

11

Application Security - Not just technology; it’s a process… -

System-level Security Vs.

Application-level Security

Operating System

JVM

Java/J2EE APIs

Application code Application

Level{

System Level{

Page 12: Advanced Java  Programming

12

System-level Security Vs. Application-level Security

Defeating System-level security may not provide attackers with appropriate access to the application-level data, logic, or methods that they seek

Attacker

Sy

ste

m-

lev

el

s

ecu

rity

Ap

plic

ati

on

-le

ve

l

Se

curi

ty

E

nte

rpri

se

Da

ta

Page 13: Advanced Java  Programming

13

System-level Security Vs. Application-level Security

(cont.) Work together to build a secure system/application

combination

Attacker

Sy

ste

m-

lev

el

s

ecu

rity

Ap

plic

ati

on

-le

ve

l

Se

curi

ty

E

nte

rpri

se

Da

ta

Attacker

Page 14: Advanced Java  Programming

14

System-level Security Vs. Application-level Security (cont.)

It is more efficient to push some security responsibilities up to the application level instead of handling them at the operating-system level

OS (Solaris)

JVM (Solaris)

Java/J2EE APIs

Application code

OS (IBM AIX)

JVM (IBM AIX)

Java/J2EE APIs

Application code

OS (MS Window)

JVM (MS Window)

Java/J2EE APIs

Application code

Page 15: Advanced Java  Programming

15

Java Security from the Ground Up

Java Language Safety Features Java Security Model Java Security Architecture

Page 16: Advanced Java  Programming

16

Java Language Safety Features

Objects have access levels: private: Accessible by defining class package (default): Accessible by classes in the same

package protected: Same as package, with addition of access by

any subclass public: Accessible by any class

Page 17: Advanced Java  Programming

17

Java Language Safety Features

Access methods are strictly adhered to No pointers (no access to arbitrary memory and

automatic garbage collection) “final” methods or variables cannot be changed Variables MUST be initialized before use Array bounds are enforced Strict object casting rules

Page 18: Advanced Java  Programming

18

Java Security Enforcement

Page 19: Advanced Java  Programming

19

Java Security Enforcement

Enforcement happens at different times Compile time enforcement Class load time enforcement Runtime enforcement

Page 20: Advanced Java  Programming

20

Compile Time Enforcement

Java Source

Java Compiler Bytecode

Class Loader Bytecode

Verifier

Java Virtual Machine

Runtime

Page 21: Advanced Java  Programming

21

Compile Time Enforcement

Validate language syntaxEnforce method and variable access rulesEnforce variable initializationEnforce some casting operations

Page 22: Advanced Java  Programming

22

Class Load Time Enforcement Java Source

Java Compiler Bytecode

Class Loader Bytecode

Verifier

Java Virtual Machine

Runtime

Page 23: Advanced Java  Programming

23

Class Load Time Enforcement

Bytecode verificationVerifies class file formatAccesses objects as correct typeFinal classes are not subclassedFinal methods are not overriddenEvery class has a single superclass Verify that casting legality checks are in place

Page 24: Advanced Java  Programming

24

Class Load Time Enforcement

No operand stack overflowsAll field and method accesses are legalMethod calls use correct number & types of arguments

Page 25: Advanced Java  Programming

25

Runtime Enforcement

Java Compiler

Java Source

BytecodeClass Loader Bytecode

Verifier

Java Virtual Machine

Runtime

Java Compiler

Page 26: Advanced Java  Programming

26

Runtime Enforcement

Array bounds checkingThrows ArrayIndexOutOfBoundsException

Object castingThrows ClassCastException

Security ManagerThrows SecurityExceptionDepends on the Access Controller

Page 27: Advanced Java  Programming

27

Java Security Model

Sandbox – a strictly defined arena where they cannot affect other system resources. It provides virtually no flexibility.

Page 28: Advanced Java  Programming

28

Java Security Model (cont.)

Page 29: Advanced Java  Programming

What does this code do?

Page 30: Advanced Java  Programming

Using java security mechanisms

Applets are restricted to the sandbox by default: Can only phone home and create pop-up window

with warning Cannot read/write/delete local files, run another

program, connecting to a server other than its home server, …

More permissions can be granted with Security policy file Code signing

Page 31: Advanced Java  Programming

What happens when executing ? Use caution when executing Applets as Applications

public class BadApplet extends Applet{ public void init(){ try { Runtime.getRuntime().exec(“rmdir

foo”); } catch (Exception e) { System.out.println(e); } } public static void main(String args[]) { BadApplet a = new BadApplet(); a.init(); } }

1. Exception thrown if run in an Applet container

2. Exception thrown if run as an application using Applet security

Java –Djava.security.manager BadApplet

3. OK if run as an application Java BadApplet

Page 32: Advanced Java  Programming

Security Policy Files Consist of a sequence of grant entries.

Each gives some specific permissions to applets from a specific location and/or signed by a specific person

A grant entry has the following general form:grant signedBy “name”, codeBase “file source”{ permission1; permission2; …}

signedBy part omitted if signatures not required for this entry. codeBase part omitted if the entry applies to code from all sources

Page 33: Advanced Java  Programming

Security Policy Files codeBase examples:

grant codeBase “http://www.cs.ust.hk/~liao/comp201/”{ } //premission entry for all classes under the directory grant codeBase “http://www.cs.ust.hk/~liao/comp201/tmp.jar”{ }

// permission entry for tmp.jar

grant codeBase “file:C:/dir/tmp” { }grant codeBase “file:/C:/dir/tmp” { }grant codeBase “file://C:/dir/tmp” { }/* permission entry for tmp on local machine */

Note: Forward slash even for the Windows OSCode signing will be discussed later.

Page 34: Advanced Java  Programming

Security Policy Files General form for permissions:

permission className tagetName, actionList;className must be fully qualified.

Examples: permission java.io.FilePermission "D:\\-","read, write"; // permission to read and write all files in D drive

permission java.awt.AWTPermission "showWindowWithoutWarningBanner";

// permission to create pop-up window without warning

permission java.net.SocketPermission “*:8000-8999", “connect";

//permission to connect to any host via port 8000 - 8999.

Page 35: Advanced Java  Programming

Security Policy Files Permission classes:

java.io.FilePermission java.awt.AWTPermission java.net.SocketPermissionjava.net.NetPermissionjava.util.PropertyPermissionjava.lang.RuntimePermissionjava.security.AllPermission….

See page 712 for details

Page 36: Advanced Java  Programming

Security Policy Files java.io.FilePermission

Targets:File a fileDirectory a directoryDirectory/* all files in the directory* all files in current directoryDirectory/- all files in this and all its subdirectories- all files in current directory and all its subs<<ALL FILES>> all files in the file system

In Windows OS, use \\ as file separator Actions

read, write, delete, execute

Page 37: Advanced Java  Programming

Security Policy Files java.net.SocketPermission

Targets: (hostRange:portRange)HostName or IPAddreses a single hostlocalhost or empty local host*.domainSuffix all hosts whose domain names end

with the suffix . E.g. *.com* all hosts

:n single port:n1-n2 all ports in the range

Actions:accept, connect, listen

Page 38: Advanced Java  Programming

Security Policy Files An example policy filegrant codeBase

"http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" { permission java.awt.AWTPermission

"showWindowWithoutWarningBanner";};

grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" {

permission java.awt.AWTPermission "showWindowWithoutWarningBanner";

permission java.io.FilePermission "<<ALL FILES>>", "read, write";

};

grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/" {

permission java.net.SocketPermission "*", "connect";};

Page 39: Advanced Java  Programming

Security Policy Files policytool: a utility for creating policy files

Page 40: Advanced Java  Programming

Security Policy FilesLocation of policy file: On client machine Method 1:

${user.home}/.java.policy

On XP: C:\Documents and Settings\liao\.java.policy${java.home}/lib/security/java.policy on my machine: C:\Program Files\j2sdk1.4.0\jre\lib\security

Method 2: place a policy file on the internet or on local machine, add to the master security properties file: ${java.home}/jre/lib/security/java.security

the a link to the policy file. E.g.: policy.url.3=http://www.cs.ust.hk/~liao/comp201/codes/secu/applet.policy

Manage the policy file at a single location. Good for intranet.

Page 41: Advanced Java  Programming

Permission Granting Examples AWT Permission example: (check code page)

Normally, pop-up windows created by applets come with warning banners.

However, the pop-up window created by the applet from

http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/

has no warning banner if one includes the following entry into thepolicy filegrant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" { permission java.awt.AWTPermission

"showWindowWithoutWarningBanner"; };

Page 42: Advanced Java  Programming

Permission Granting Examples File Permission example:

Normally, applets cannot read and write local files. However, FileIOApplet from

http://www.cs.ust.hk/~liao/comp201/codes/secu/file/ can read and write local files if one includes the following grant entry

in the policy file: grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" { permission java.io.FilePermission “<<ALL FILES>> ",

"read,write"; permission java.awt.AWTPermission

"showWindowWithoutWarningBanner"; };

Page 43: Advanced Java  Programming

Permission Granting Examples Socket Permission example:

Normally, applets cannot connect to a server other than its home server.

However, SocketApplet from

http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/

can connect to other http servers if one includes the following grant entry in the policy file:

grant codeBase “http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/” { permission java.net.SocketPermission "*", "connect"; };

Page 44: Advanced Java  Programming

In your paper try to explain the contents following permission policy file

Page 45: Advanced Java  Programming
Page 46: Advanced Java  Programming
Page 47: Advanced Java  Programming

Outline Using java security mechanisms

Security policy files Code signing

Page 48: Advanced Java  Programming

Public Private Key Encryption

Bob

Alice

Page 49: Advanced Java  Programming
Page 50: Advanced Java  Programming

Code Signing Developer

Generates a certificate, which contains a pair of keys, a public key and a private key.

Send the public key to its users. Sign applets with the private key.

Client Gets public key from the developer Adds the public key to his/her own public key collection Modify its own security policy file to give more permissions to

applets signed by THE developer.

Page 51: Advanced Java  Programming

Code Signing /Developer

Java comes with the keytool program for managing keystore – database of certificates.

To generate a keystore liao.store and generate a pair of keys with alias liao use the command:keytool –genkey –keystore liao.store –alias liao

A dialog follows and liao.store created.

Keep liao.store at a safe location!

Page 52: Advanced Java  Programming

Enter keystore password: 123456 What is your first and last name? [Unknown]: Renlan LiaoWhat is the name of your organizational unit? [Unknown]: Computer ScienceWhat is the name of your organization? [Unknown]: Hong Kong University of Science and TechnologyWhat is the name of your City or Locality? [Unknown]: Hong KongWhat is the name of your State or Province? [Unknown]: Hong KongWhat is the two-letter country code for this unit? [Unknown]: CNIs <CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of

Science and Technology, L=Hong Kong, ST=Hong Kong, C=CN> correct? [no]: yes

Enter key password for <Renlan>

(RETURN if same as keystore password):

Code Signing /Developer

Page 53: Advanced Java  Programming

Export the public key to a certificate file and sent it to user.keytool –export –keystore liao.store –alias liao –file liao.cert

What is inside?D:\Users\public_html\COMP201\codes\secu>keytool -printcert -

file liao.certOwner: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of

Science and Technology, L=Hong Kong, ST=Hong Kong, C=cnIssuer: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University

of Science and Technology, L=Hong Kong, ST=Hong Kong, C=cnSerial number: 40a08a25Valid from: Tue May 11 16:09:09 GMT+08:00 2004 until: Mon Aug 09

16:09:09 GMT+08:00 2004Certificate fingerprints: MD5: A0:60:35:22:28:42:3B:18:77:12:EB:43:13:B1:D7:C6 SHA1: 9:34:84:4C:F0:32:B5:B1:17:55:3B:0C:03:FC:87:FE:EC:69:A0:6F

Code Signing /Developer

Page 54: Advanced Java  Programming

Sign applets

Create a jar filejar cvf MyApplet.jar *.class

Run the jarsigner tooljarsigner –keystore Liao.store MyApplet.jar Liao

Keystore containing private key

Alias of private key

Code Signing /Developer

Page 55: Advanced Java  Programming

Add public key received to his/her store of public keyskeytool –import –keystore certs.store –alias liao –file liao.cert

Include location of public key store to policy fileKeystore “keystoreURL”, “keystoreType”;

Ex: keystore “file:C:\Windows\cert.store”, "JKS";

keystore "http://www.cs.ust.hk/~liao/comp201/codes/secu/certs.store", "JKS";

JKS: type of keystore generated by keytool

Code Signing /Client

Page 56: Advanced Java  Programming

Add signedBy “alias” to grant clauses in policy file

grant signedBy “liao" { permission java.awt.AWTPermission "showWindowWithoutWarningBanner"; };

What if client’s policy file does not grant permissions to signed applets Browser will ask for permissions when loading the applets Example: http://www.cs.ust.hk/~liao/comp201/codes/secu/sign2/

Code Signing /User

Page 57: Advanced Java  Programming

Security packages in Java Separate packages that are included as part of

JDK: JCE - Java Cryptography classes JAAS - Java Authentication and Authorization Services Java GSS API - Java Generic Security Services API Java Certification Path API JSSE - Java Secure Sockets Extension

Page 58: Advanced Java  Programming

JCE

JCE covers encryption and decryption

– symmetric bulk encryption, such as DES, RC2, and IDEA – Symmetric stream encryption, such as RC4– Asymmetric encryption, such as RSA– Password-based encryption (PBE)

key agreement Message Authentication Code (MAC)

Page 59: Advanced Java  Programming

JAAS can be used for two purposes:1. for authentication of users, to reliably and securely determine who is

currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and

2. for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

JAAS authentication is performed in a pluggable  fashion Permits Java applications to remain independent from underlying

authentication technologies. 

The implementation is specified in a login configuration file

 JavaTM Authentication and Authorization Service (JASS)

It is an important topic but , Unfortunately, I have to skip it because it needs a solid background in Security .