Upload
celine
View
47
Download
0
Embed Size (px)
DESCRIPTION
Advanced Java Programming. Security. Agenda. About Security Application Security Java Security from the Ground Up Standalone Java Application Techniques. About Security. Common Security Threats Three concepts of CIA security model Definition of security. Common Security Threats. - PowerPoint PPT Presentation
Citation preview
Advanced Java Programming
Security
2
About Security Application Security Java Security from the Ground Up Standalone Java Application Techniques
Agenda
3
Common Security ThreatsThree concepts of CIA security modelDefinition of security
About Security
4
Identity interceptionSteal your identity and use it as their own
MasqueradingGrab your identity and use it elsewhere with the intention of perpetrating fraud
Replay attackCapture your request and replay that request
Data interception and manipulationRead your data (such as credit card info)
Common Security Threats
5
RepudiationDeny your/his completed transaction
Denial of ServiceTerminate the service
Common Security Threats
Three concepts of CIA security model
7
CIA Triad
8
Three concepts of CIA security model
Confidentiality information must not be disclosed to any unauthorized
person Integrity
authorized actions (unauthorized data changes) separation and protection for resources error detection and correction (data corruption)
Availability presence of objects or service in a usable form capacity to meet service needs adequate timeliness of a service
9
Definition of security
Detect Detect how, when and where intrusion has taken place
Protect Manage people and the Information System in an
effective manner so as to protect against unauthorized usage
10
Definition of security
React react to an intrusion ensure that penetration does not happen again. vulnerability is eliminated
Recover recover all data and programs from a breach in security
11
Application Security - Not just technology; it’s a process… -
System-level Security Vs.
Application-level Security
Operating System
JVM
Java/J2EE APIs
Application code Application
Level{
System Level{
12
System-level Security Vs. Application-level Security
Defeating System-level security may not provide attackers with appropriate access to the application-level data, logic, or methods that they seek
Attacker
Sy
ste
m-
lev
el
s
ecu
rity
Ap
plic
ati
on
-le
ve
l
Se
curi
ty
E
nte
rpri
se
Da
ta
13
System-level Security Vs. Application-level Security
(cont.) Work together to build a secure system/application
combination
Attacker
Sy
ste
m-
lev
el
s
ecu
rity
Ap
plic
ati
on
-le
ve
l
Se
curi
ty
E
nte
rpri
se
Da
ta
Attacker
14
System-level Security Vs. Application-level Security (cont.)
It is more efficient to push some security responsibilities up to the application level instead of handling them at the operating-system level
OS (Solaris)
JVM (Solaris)
Java/J2EE APIs
Application code
OS (IBM AIX)
JVM (IBM AIX)
Java/J2EE APIs
Application code
OS (MS Window)
JVM (MS Window)
Java/J2EE APIs
Application code
15
Java Security from the Ground Up
Java Language Safety Features Java Security Model Java Security Architecture
16
Java Language Safety Features
Objects have access levels: private: Accessible by defining class package (default): Accessible by classes in the same
package protected: Same as package, with addition of access by
any subclass public: Accessible by any class
17
Java Language Safety Features
Access methods are strictly adhered to No pointers (no access to arbitrary memory and
automatic garbage collection) “final” methods or variables cannot be changed Variables MUST be initialized before use Array bounds are enforced Strict object casting rules
18
Java Security Enforcement
19
Java Security Enforcement
Enforcement happens at different times Compile time enforcement Class load time enforcement Runtime enforcement
20
Compile Time Enforcement
Java Source
Java Compiler Bytecode
Class Loader Bytecode
Verifier
Java Virtual Machine
Runtime
21
Compile Time Enforcement
Validate language syntaxEnforce method and variable access rulesEnforce variable initializationEnforce some casting operations
22
Class Load Time Enforcement Java Source
Java Compiler Bytecode
Class Loader Bytecode
Verifier
Java Virtual Machine
Runtime
23
Class Load Time Enforcement
Bytecode verificationVerifies class file formatAccesses objects as correct typeFinal classes are not subclassedFinal methods are not overriddenEvery class has a single superclass Verify that casting legality checks are in place
24
Class Load Time Enforcement
No operand stack overflowsAll field and method accesses are legalMethod calls use correct number & types of arguments
25
Runtime Enforcement
Java Compiler
Java Source
BytecodeClass Loader Bytecode
Verifier
Java Virtual Machine
Runtime
Java Compiler
26
Runtime Enforcement
Array bounds checkingThrows ArrayIndexOutOfBoundsException
Object castingThrows ClassCastException
Security ManagerThrows SecurityExceptionDepends on the Access Controller
27
Java Security Model
Sandbox – a strictly defined arena where they cannot affect other system resources. It provides virtually no flexibility.
28
Java Security Model (cont.)
What does this code do?
Using java security mechanisms
Applets are restricted to the sandbox by default: Can only phone home and create pop-up window
with warning Cannot read/write/delete local files, run another
program, connecting to a server other than its home server, …
More permissions can be granted with Security policy file Code signing
What happens when executing ? Use caution when executing Applets as Applications
public class BadApplet extends Applet{ public void init(){ try { Runtime.getRuntime().exec(“rmdir
foo”); } catch (Exception e) { System.out.println(e); } } public static void main(String args[]) { BadApplet a = new BadApplet(); a.init(); } }
1. Exception thrown if run in an Applet container
2. Exception thrown if run as an application using Applet security
Java –Djava.security.manager BadApplet
3. OK if run as an application Java BadApplet
Security Policy Files Consist of a sequence of grant entries.
Each gives some specific permissions to applets from a specific location and/or signed by a specific person
A grant entry has the following general form:grant signedBy “name”, codeBase “file source”{ permission1; permission2; …}
signedBy part omitted if signatures not required for this entry. codeBase part omitted if the entry applies to code from all sources
Security Policy Files codeBase examples:
grant codeBase “http://www.cs.ust.hk/~liao/comp201/”{ } //premission entry for all classes under the directory grant codeBase “http://www.cs.ust.hk/~liao/comp201/tmp.jar”{ }
// permission entry for tmp.jar
grant codeBase “file:C:/dir/tmp” { }grant codeBase “file:/C:/dir/tmp” { }grant codeBase “file://C:/dir/tmp” { }/* permission entry for tmp on local machine */
Note: Forward slash even for the Windows OSCode signing will be discussed later.
Security Policy Files General form for permissions:
permission className tagetName, actionList;className must be fully qualified.
Examples: permission java.io.FilePermission "D:\\-","read, write"; // permission to read and write all files in D drive
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
// permission to create pop-up window without warning
permission java.net.SocketPermission “*:8000-8999", “connect";
//permission to connect to any host via port 8000 - 8999.
Security Policy Files Permission classes:
java.io.FilePermission java.awt.AWTPermission java.net.SocketPermissionjava.net.NetPermissionjava.util.PropertyPermissionjava.lang.RuntimePermissionjava.security.AllPermission….
See page 712 for details
Security Policy Files java.io.FilePermission
Targets:File a fileDirectory a directoryDirectory/* all files in the directory* all files in current directoryDirectory/- all files in this and all its subdirectories- all files in current directory and all its subs<<ALL FILES>> all files in the file system
In Windows OS, use \\ as file separator Actions
read, write, delete, execute
Security Policy Files java.net.SocketPermission
Targets: (hostRange:portRange)HostName or IPAddreses a single hostlocalhost or empty local host*.domainSuffix all hosts whose domain names end
with the suffix . E.g. *.com* all hosts
:n single port:n1-n2 all ports in the range
Actions:accept, connect, listen
Security Policy Files An example policy filegrant codeBase
"http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" { permission java.awt.AWTPermission
"showWindowWithoutWarningBanner";};
grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" {
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.io.FilePermission "<<ALL FILES>>", "read, write";
};
grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/" {
permission java.net.SocketPermission "*", "connect";};
Security Policy Files policytool: a utility for creating policy files
Security Policy FilesLocation of policy file: On client machine Method 1:
${user.home}/.java.policy
On XP: C:\Documents and Settings\liao\.java.policy${java.home}/lib/security/java.policy on my machine: C:\Program Files\j2sdk1.4.0\jre\lib\security
Method 2: place a policy file on the internet or on local machine, add to the master security properties file: ${java.home}/jre/lib/security/java.security
the a link to the policy file. E.g.: policy.url.3=http://www.cs.ust.hk/~liao/comp201/codes/secu/applet.policy
Manage the policy file at a single location. Good for intranet.
Permission Granting Examples AWT Permission example: (check code page)
Normally, pop-up windows created by applets come with warning banners.
However, the pop-up window created by the applet from
http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/
has no warning banner if one includes the following entry into thepolicy filegrant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" { permission java.awt.AWTPermission
"showWindowWithoutWarningBanner"; };
Permission Granting Examples File Permission example:
Normally, applets cannot read and write local files. However, FileIOApplet from
http://www.cs.ust.hk/~liao/comp201/codes/secu/file/ can read and write local files if one includes the following grant entry
in the policy file: grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" { permission java.io.FilePermission “<<ALL FILES>> ",
"read,write"; permission java.awt.AWTPermission
"showWindowWithoutWarningBanner"; };
Permission Granting Examples Socket Permission example:
Normally, applets cannot connect to a server other than its home server.
However, SocketApplet from
http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/
can connect to other http servers if one includes the following grant entry in the policy file:
grant codeBase “http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/” { permission java.net.SocketPermission "*", "connect"; };
In your paper try to explain the contents following permission policy file
Outline Using java security mechanisms
Security policy files Code signing
Public Private Key Encryption
Bob
Alice
Code Signing Developer
Generates a certificate, which contains a pair of keys, a public key and a private key.
Send the public key to its users. Sign applets with the private key.
Client Gets public key from the developer Adds the public key to his/her own public key collection Modify its own security policy file to give more permissions to
applets signed by THE developer.
Code Signing /Developer
Java comes with the keytool program for managing keystore – database of certificates.
To generate a keystore liao.store and generate a pair of keys with alias liao use the command:keytool –genkey –keystore liao.store –alias liao
A dialog follows and liao.store created.
Keep liao.store at a safe location!
Enter keystore password: 123456 What is your first and last name? [Unknown]: Renlan LiaoWhat is the name of your organizational unit? [Unknown]: Computer ScienceWhat is the name of your organization? [Unknown]: Hong Kong University of Science and TechnologyWhat is the name of your City or Locality? [Unknown]: Hong KongWhat is the name of your State or Province? [Unknown]: Hong KongWhat is the two-letter country code for this unit? [Unknown]: CNIs <CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of
Science and Technology, L=Hong Kong, ST=Hong Kong, C=CN> correct? [no]: yes
Enter key password for <Renlan>
(RETURN if same as keystore password):
Code Signing /Developer
Export the public key to a certificate file and sent it to user.keytool –export –keystore liao.store –alias liao –file liao.cert
What is inside?D:\Users\public_html\COMP201\codes\secu>keytool -printcert -
file liao.certOwner: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of
Science and Technology, L=Hong Kong, ST=Hong Kong, C=cnIssuer: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University
of Science and Technology, L=Hong Kong, ST=Hong Kong, C=cnSerial number: 40a08a25Valid from: Tue May 11 16:09:09 GMT+08:00 2004 until: Mon Aug 09
16:09:09 GMT+08:00 2004Certificate fingerprints: MD5: A0:60:35:22:28:42:3B:18:77:12:EB:43:13:B1:D7:C6 SHA1: 9:34:84:4C:F0:32:B5:B1:17:55:3B:0C:03:FC:87:FE:EC:69:A0:6F
Code Signing /Developer
Sign applets
Create a jar filejar cvf MyApplet.jar *.class
Run the jarsigner tooljarsigner –keystore Liao.store MyApplet.jar Liao
Keystore containing private key
Alias of private key
Code Signing /Developer
Add public key received to his/her store of public keyskeytool –import –keystore certs.store –alias liao –file liao.cert
Include location of public key store to policy fileKeystore “keystoreURL”, “keystoreType”;
Ex: keystore “file:C:\Windows\cert.store”, "JKS";
keystore "http://www.cs.ust.hk/~liao/comp201/codes/secu/certs.store", "JKS";
JKS: type of keystore generated by keytool
Code Signing /Client
Add signedBy “alias” to grant clauses in policy file
grant signedBy “liao" { permission java.awt.AWTPermission "showWindowWithoutWarningBanner"; };
What if client’s policy file does not grant permissions to signed applets Browser will ask for permissions when loading the applets Example: http://www.cs.ust.hk/~liao/comp201/codes/secu/sign2/
Code Signing /User
Security packages in Java Separate packages that are included as part of
JDK: JCE - Java Cryptography classes JAAS - Java Authentication and Authorization Services Java GSS API - Java Generic Security Services API Java Certification Path API JSSE - Java Secure Sockets Extension
JCE
JCE covers encryption and decryption
– symmetric bulk encryption, such as DES, RC2, and IDEA – Symmetric stream encryption, such as RC4– Asymmetric encryption, such as RSA– Password-based encryption (PBE)
key agreement Message Authentication Code (MAC)
JAAS can be used for two purposes:1. for authentication of users, to reliably and securely determine who is
currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
2. for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.
JAAS authentication is performed in a pluggable fashion Permits Java applications to remain independent from underlying
authentication technologies.
The implementation is specified in a login configuration file
JavaTM Authentication and Authorization Service (JASS)
It is an important topic but , Unfortunately, I have to skip it because it needs a solid background in Security .